The National Institute of Standards and Technology (NIST) continues the process of refreshing the consensus-based “Framework for Improving Critical Infrastructure Cybersecurity,” often referred to simply as the “Cybersecurity Framework” or “CSF.” Initially published in 2014, the CSF has become a uniquely authoritative standard for measuring cyber maturity. Though the CSF was originally aimed at addressing cybersecurity risks facing critical infrastructure, regulators, courts, and insurers have increasingly adopted it, either expressly or implicitly, as the benchmark for what constitutes “reasonable” security maturity for an organization. For example, organizations that adopt the CSF’s incident response lifecycle will be better prepared to meet the newly published SEC public company material incident reporting requirements.
NIST has recognized the need to modernize, expand, and refresh the living framework of the CSF. Now, for the first time in a decade, NIST is finalizing a new version of the Framework: “CSF 2.0.” As a government agency, NIST relies upon stakeholder feedback throughout the process and offers a variety of forums to share comments.
Principally, NIST seeks feedback on the scope of coverage, practices, guidance, and specific examples of sound practices. First, NIST wants to know whether the 2.0 draft revision adequately addresses organizations’ cybersecurity challenges. Technical, administrative, and physical safeguards must address the nature, scope, and complexity of the threat landscape, both internal and external, indexed against the organization’s size. Similarly, the revised CSF will reflect leading practices and guidance resources as these practices move from “best practice” to routine practice. Lastly, NIST has provided various examples of sound practices and seeks comments regarding modifications or additions to these examples.
To aid in exploring the draft, NIST concurrently released the NIST Cybersecurity Framework 2.0 Reference Tool. The tool allows individuals to explore the Draft CSF 2.0 Core and will aid in providing effective feedback on the draft CSF.
NIST released the public CSF 2.0 draft on August 8, 2023, and included the following changes:
- The scope has expanded from critical infrastructure to all organizations.
- Expansion from five to six main functions: adding “govern” to “identify,” “protect,” “detect,” “respond,” and “recover.” The new “govern” function includes standards for how an organization makes and executes internal decisions to support cybersecurity risk management. The CSF 2.0 aims to better align cybersecurity within an organization’s overall enterprise risk management, alongside other legal, financial, and operational risks.
- Expanded guidance on creating profiles to tailor the CSF to the company’s nature, size, and complexity, along with implementation examples.
- A new emphasis on risk management for the cybersecurity supply chain.
Comments are due on November 4, 2023, and organizations can benefit from helping to shape the next version of the CSF. NIST often listens to the community and has issued several revisions to the draft CSF over the last year. With the draft nearing finality, organizations that want to participate should do so now. You can consider participating by:
- Joining the fall NIST workshop (September 19 and 20, 2023), or
- Providing comments on the CSF 2.0 draft, especially in the areas of:
  - What NIST can do to help with portability and cross-referencing with other frameworks.
  - Modifications or novel examples based on your business.
  - Potential implementation challenges and opportunities NIST should consider, based on your experience implementing the prior CSF.
ZwillGen’s experienced team of cybersecurity attorneys can assist clients with drafting comments to NIST, monitoring the progress of CSF 2.0 as it progresses toward finalization, and implementing compliance strategies in preparation for CSF 2.0 adoption.