The National Institute of Standards and Technology (NIST) has released Cybersecurity Framework (CSF) 2.0, a new version of a tool it first released in 2014 to help organizations understand, reduce and communicate about cybersecurity risk.
What's Different About the NIST Framework?
Notable changes to the framework include:
- An expanded scope, with a focus on protecting critical infrastructure and providing cyber protection for organizations of all sizes and across all industries; this difference is reflected in the framework's title, which has been changed from "Framework for Improving Critical Infrastructure Cybersecurity" to "The Cybersecurity Framework."
- The addition of a "govern" function to CSF's pillars of a successful and holistic cybersecurity program; govern is the sixth function, joining identify, protect, detect, respond and recover.
- Guidance on how to implement CSF, create profiles based on the framework and use it across various sectors and use cases; the draft also offers implementation examples for each function's subcategories to help organizations use the framework effectively.
NIST does not plan to release another draft of the framework and is accepting public comments on it until November 4, 2023.
In addition, NIST is planning a workshop in fall 2023 for the public to provide feedback and comments on the draft.
NIST said it expects the final version of CSF 2.0 to be published in early 2024.
Biden-Harris Administration Announces National Cyber Workforce and Education Strategy (NCWES)
News of NIST's CSF 2.0 draft comes after the Biden-Harris Administration unveiled NCWES in July 2023 to address immediate and long-term cyber workforce needs.
NCWES includes the following objectives:
- Using adaptable ecosystems to promote local and national cyber education and workforce development.
- Helping Americans build lifelong skills that they can use to guard against cyberattacks.
- Growing and enhancing the cyber workforce by improving diversity and inclusion.
To accomplish these objectives, NCWES emphasizes the following pillars:
- Providing Americans with foundational cyber skills.
- Transforming cyber education.
- Expanding and enhancing the national cyber workforce.
- Strengthening the federal cyber workforce.
Meanwhile, MSSPs can provide cybersecurity awareness training and security services to organizations. With these services, organizations can teach their employees how to protect against cyberattacks and get the support they need to keep pace with current and emerging cyber threats.