NIST Releases Potential Updates to Its Cybersecurity Framework

The National Institute of Standards and Technology announced its intent to make new revisions to its Cybersecurity Framework document, with an emphasis on cyberdefense inclusivity across all economic sectors. 

Announced by the agency on Thursday, the updates to the voluntary guidance are informed by responses received from a previous workshop on the forthcoming CSF 2.0 and a corresponding Request for Information published in early 2022. 

“The CSF is intended to be a living document that is refined and improved over time,” the updated concept document reads. 

Some of the responses officials at NIST look to include in their development of the updated framework are changes to the recommended cybersecurity best practices, sector-specific needs and new uses based on modifications to the framework.

Other significant updates the new CSF could see are protocols surrounding increasing international collaboration in cybersecurity efforts. But the agency does intend to retain the level of detail within the existing standards and guidelines––particularly among checklists and goals—so the framework remains scalable and useful to as many organizations as possible. 

Current recommendations also request that the new CSF relate to other NIST frameworks more clearly, such as the existing Risk Management and Privacy Frameworks. Improvements to the CSF’s website, governance outcomes and expanded coverage to supply chains are also likely to be new features in the forthcoming draft. 

“With this update, NIST is open to making more substantial changes than in the previous update,” the introduction to the concept paper notes. “The ‘CSF 2.0’ version reflects the evolving cybersecurity landscape—but community needs will drive the extent and content of the changes.”

Initially published in 2014, the CSF was last updated to version 1.1 in 2018. The agency announced plans to develop this second update in 2021 amid the more advanced tactics and aggressive nature of cyber threats to important digital networks. Many of the additional features are the same, including more supply chain guidance and CSF alignment to other federal risk management blueprints. 

While the CSF was initially established as a non-mandatory resource for critical infrastructure, the planned update aims to be more broadly tailored for organizations within government, academia and industry. 

Comments for the concept paper are due by March 3, 2023 and will be made publicly available on the document’s webpage. NIST will be hosting a virtual workshop on Feb. 15 to further support participation in the CSF’s development. 

Editor's note: This article has been updated to clarify the NIST response deadline.