NIST debuts the finalized update to its Cybersecurity Framework


The streamlined blueprint has already gotten positive feedback from private sector organizations.

The revamp of a nationally recognized cybersecurity standards blueprint urges boardrooms to adopt robust governance practices, arguing that treating cybersecurity as an enterprise-level risk will help organizations face down ever-evolving threats targeting both the public and private sectors.

The National Institute of Standards and Technology released its finalized Cybersecurity Framework 2.0 on Monday after a two-year engagement period with stakeholders.

The first version of the CSF was released in 2014 under an Obama-era executive order that focused mainly on steps critical infrastructure operators could take to defend against cyberattacks. Over time, analysts and officials worked to evolve the framework into a cross-sector guide that describes cyber risk management in language any leader can understand. The agency issued a public request for information in early 2022 to inform that evolution, followed by a concept paper in January 2023 and a public draft of CSF 2.0 in August 2023.

The framework's core functions, previously Identify, Protect, Detect, Respond and Recover, were expanded in version 2.0 with a sixth function, Govern, which covers how organizations set cybersecurity strategy, assign roles and responsibilities, and fold cyber risk into their broader enterprise risk management.

“[CSF 2.0] recognized now that cybersecurity is such an important enterprise risk. And so it should have to be managed at that level,” said NIST Director Laurie Locascio at an Aspen Institute event at which the new blueprint was unveiled.

Cyber governance talks have increased among C-level executives and officials in recent years as rapid turn-of-the-decade digital adoption has created new ground for hackers to target private companies and government agencies. Organizations faced a record number of ransomware attacks last year, a Check Point analysis found.

This second version of the document adds categories for incident management and for cybersecurity supply chain risk management. It is also accompanied by a catalog of implementation examples, concrete actions organizations of different types and sizes can take to achieve each outcome, along with quick-start guides and informative references mapping the framework to other standards.

The guidance aims to future-proof organizations amid new cyber threats and a growing wave of federal cybersecurity regulations, said Cherilyn Pascoe, who leads NIST’s National Cybersecurity Center of Excellence.

Industry players have responded positively to the framework, praising its comprehensiveness and flexibility.

“Having that same point of language has been incredibly helpful. And I’m really grateful to NIST for creating such a flexible framework that has allowed us to explore the different dimensions of cybersecurity,” Danielle Gilliam-Moore, Salesforce’s global public policy director, said at the Aspen event. 

“NIST CSF 2.0 now applies to all audiences, industry sectors, and organization types instead of just critical infrastructure owners,” Patrick Gillespie, who leads GuidePoint Security’s operational technology practice, said in a written statement, adding that the framework also addresses emerging threats rooted in artificial intelligence and quantum computing. 

The Biden administration has been pushing for organizations to embrace more assertive cyber governance and communications procedures, as part of a sweeping effort to overhaul the U.S. cybersecurity landscape.

The Securities and Exchange Commission now requires publicly traded firms to disclose material cyber incidents on Form 8-K within four business days of determining that an incident is material. And the Federal Communications Commission recently adopted updated data breach notification rules for telecommunications carriers and interconnected voice-over-IP providers.