The National Institute of Standards and Technology (NIST) is making sweeping updates to its Cybersecurity Framework (CSF) to better integrate areas like supply chain risk management and governance.
First published in 2014, the framework is a set of standards designed to help organizations assess, understand, manage and mitigate the security risks that they face. While voluntary for the private sector, the framework serves as a backbone for many government policies around the world, and the 2017 Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure executive order made it mandatory for U.S. federal agencies. Certain insurance firms have made the framework mandatory for specific sectors as well, and organizations can also require the use of the framework within their supply chain.
In the past, the framework has been lightly touched up every three to five years, with CSF 1.1 being released in 2018. However, with significant changes happening in the cybersecurity landscape since then, NIST has looked at a more drastic overhaul for its framework that both integrates newer resources on security and privacy, and addresses recent changes in technologies and risks like supply chain security.
“When we issued a request for information last February, we heard that the time was right to make some changes but move more towards a significant 2.0 update,” said Amy Mahn, international policy specialist with NIST last week at the RSA Conference. “We want to make sure that 2.0 makes it even easier for users to leverage and reference different work documents that NIST has in order to manage their risk. And also supply chain security was a big topic in the 2018 update… but we asked our stakeholders, is there even more we could be doing to call out this important topic?"
CSF 2.0 will implement a number of changes. While the framework was originally established in response to the 2013 Improving Critical Infrastructure Cybersecurity executive order, and was thus developed for critical infrastructure, NIST wants to broaden that focus to reflect all organizations given the framework’s use across different sectors globally.
“We want to make sure that 2.0 makes it even easier for users to leverage and reference different work documents that NIST has in order to manage their risk."
In addition, the new framework aims to better emphasize the importance of governance within organizations and supply chain management. The latter topic was first addressed as a key issue in CSF 1.1 and over the years has continued to be a top concern for enterprises that rely on different components, products and technologies, all coming with their own set of potential security risks.
“We are also really focused on the topic of cybersecurity governance and the role that senior leadership plays in cybersecurity, and overseeing the cybersecurity risk management strategy of an organization, and of course the concept of supply chain risk management,” said Cherilyn Pascoe, senior technology policy advisor with NIST.
The new framework also aims to better integrate recent resources, including the Privacy Framework, which is a tool released in 2020 that helps organizations navigate privacy risk management concepts; and NIST’s National Initiative for Improving Cybersecurity in Supply Chains, which is an initiative aimed at providing guidance for developers and providers of technology. Finally, CSF 2.0 will highlight “the really difficult topic” of cybersecurity measurement and assessment, said Pascoe. Now that many organizations have implemented the framework, they want to better understand how to measure the improvement of their cybersecurity programs, she said.
After issuing a Request for Information in 2022, NIST has received over 130 responses and in April released a “core” draft of the CSF 2.0. Over the coming year, NIST will continue to finetune drafts of the new cybersecurity framework, with the final release date targeted for early 2024.
An important aspect of CSF 2.0 is that it remains a voluntary framework for the private sector, with updated and expanded guidance on how organizations can implement it, said Pascoe.
“What we saw… is folks really like the flexibility of the framework, the simplicity of the framework, but everybody really wants more guidance on cybersecurity, more guidance on specific topics, specific threats and specific technologies, more guidance on implementing the framework, and so our goal is that going forward the CSF will be an expanded gateway into more specific cybersecurity guidance that can be used to implement those higher level CSF outcomes,” said Pascoe.