Updated NIST cyber framework focuses on governance


The National Institute of Standards and Technology is seeking public feedback on its revamped Cybersecurity Framework, which includes guidance on operationalizing cyber best practices.

The National Institute of Standards and Technology launched the first draft of its Cybersecurity Framework 2.0, featuring big changes in its scope and guidance that emphasize flexible recommendation implementation.

NIST added a sixth pillar to the framework’s recommended cybersecurity program. In addition to the previous five — which remain “Recover,” “Identify,” “Respond,” “Detect,” and “Protect” — the updated framework adds a “Govern” function that applies to every organization’s internal cybersecurity posture.

This new function aims to promote new ways of integrating the framework and to refocus the process on individuals’ roles and responsibilities within an organization’s cybersecurity risk management posture.

“With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,” Cherilyn Pascoe, the framework’s lead developer, said in the press release. “The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”

Other major updates relative to version 1.1 of the framework aim to clarify how to assess and measure cybersecurity improvement in an organization’s digital systems, a change that echoes the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Strategic Plan, unveiled last week.

NIST’s new framework also promotes the integration of other guidance documents into an entity’s cybersecurity posture, such as the Artificial Intelligence Risk Management Framework and the Secure Software Development Framework.

The Cybersecurity Framework 2.0 is still a voluntary set of best practices that organizations of any size and industry can adopt, not a regulatory regime. To facilitate adoption, NIST expanded its guidance on implementing more bespoke Framework Profiles. These profiles help organizations build custom roadmaps by marrying their individual business requirements and resources with the cybersecurity outcomes NIST defines.

“Many commenters said that we should maintain and build on the key attributes of the CSF, including its flexible and voluntary nature,” said Pascoe. “At the same time, a lot of them requested more guidance on implementing the CSF and making sure it could address emerging cybersecurity issues, such as supply chain risks and the widespread threat of ransomware. Because these issues affect lots of organizations, including small businesses, we realized we had to up our game.”

Comments on the Cybersecurity Framework 2.0 are open to the public until November 4, 2023. Following this comment period, NIST said it does not plan to issue another draft, and a forthcoming workshop on the framework will be announced this fall. The final version is slated to be released in early 2024.