The U.S. National Institute of Standards and Technology (NIST) is cooking up a refresh of its Cybersecurity Framework (CSF).
NIST Framework Explained
The CSF provides a set of guidelines and best practices for managing cybersecurity risks. In January, NIST released a CSF 2.0 Concept Paper that detailed its proposals for how the CSF should be updated in its structure and content. NIST is accepting comments on the document until March 17, 2023. A subsequent draft document is due out this summer.
The framework is widely used by organizations and government agencies, both within and outside the U.S., to create cybersecurity programs and measure their maturity. The CSF is being updated with input from government, academia, industry, public review/comment, and other forms of engagement.
According to NIST, the CSF 2.0 version reflects the evolving cybersecurity landscape. The original scope of the CSF was for critical infrastructure, but version 2.0 includes standards that can be applied to small business.
Although the NIST cybersecurity framework was created by the federal government, it has become the industry standard for cybersecurity best practices. The CSF is used broadly within the federal government and is mandatory for U.S. federal government agencies but is voluntary for the private sector.
As the federal government increasingly leverages the CSF to protect against the growing sophistication and frequency of cyberattacks, federal agencies increasingly are holding government contractors, such as managed security service providers (MSSPs) and managed service providers (MSPs), accountable to NIST standards.
Cherilyn Pascoe, senior technology policy advisor at NIST and Cybersecurity Framework Program lead, told The Daily Swig, a newsletter of U.K.-based web application security provider PortSwigger:
“We think that there's been enough changes in the cybersecurity landscape to warrant a significant update this time around. There have been changes in cybersecurity standards, including those published by NIST, but... there's been significant changes in the risk landscape and in technologies. And so even though the vast majority of our respondents still like the framework, there were a number of changes that folks are looking for, and so we thought it was time for us to do a refresh.
"We don't want organizations to have to make that determination about whether or not they're critical infrastructure, which is sometimes a legal issue that comes with additional burdens, and so we’re proposing to broaden it to all organizations."
CSF Changes Detailed
Here are some of the primary changes in CSF 2.0:
- Change the CSF’s title and text to reflect its intended use by all organizations.
- Scope the CSF to ensure it benefits organizations regardless of sector, type, or size.
- Increase international collaboration and engagement.
- Relate the CSF clearly to other NIST frameworks.
- Use Informative References to provide more guidance to implement the CSF.
- Remain technology- and vendor-neutral, but reflect changes in cybersecurity practices.
- CSF 2.0 (and companion resources) will include updated and expanded guidance on Framework implementation.
- Develop a CSF Profile template.
- Improve the CSF website to highlight implementation resources.
- CSF 2.0 will emphasize the importance of cybersecurity governance.
- Expand coverage of supply chain.
The NIST is asking for feedback on the following questions:
- Do the proposed changes reflect the current cybersecurity landscape (standards, risks, and technologies)?
- Are the proposed changes sufficient and appropriate? Are there other elements that should be considered under each area?
- Do the proposed changes support different use cases in various sectors, types and sizes of organizations (and with varied capabilities, resources, and technologies)?
- Are there additional changes not covered here that should be considered?
- For those using CSF 1.1, would the proposed changes affect continued adoption of the Framework, and how so?
- For those not using the Framework, would the proposed changes affect the potential use of the Framework?