The US National Institute of Standards and Technology (NIST) has released a new draft version of its popular best practice security framework, designed to expand its scope and provide more guidance on implementation.
The NIST Cybersecurity Framework (CSF) 2.0 is the first refresh since it was launched in 2014. It is designed to help organizations “understand, reduce and communicate about cybersecurity risk,” the standards body said.
“With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,” said the framework’s lead developer, Cherilyn Pascoe.
“The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”
To that end, version 2.0 officially expands the framework’s scope from critical infrastructure to all organizations regardless of type or size. Its official name is now the CSF, rather than the Framework for Improving Critical Infrastructure Cybersecurity.
NIST has also added an extra pillar to the CSF. Alongside identify, protect, detect, respond and recover now comes “govern.” This is designed to emphasize that cybersecurity is a major source of enterprise risk and help organizations to better devise and execute decisions to support security strategy.
Finally, the new draft is designed to feature improved and expanded guidance on how to implement the CSF, via profiles covering specific sectors and use cases. It is hoped this will help particularly smaller organizations to use the framework effectively.
Although no further draft will be released, NIST is encouraging anyone with recommendations to respond with comments by November 4 2023.
Joseph Carson, chief security scientist at Delinea, welcomed the refresh.
“It is great to see the framework moving on from just a focus of critical infrastructure organizations and adapting to the cybersecurity threat by providing guidance to all sectors,” he argued. “The new ‘govern’ pillar acknowledges the changes in the way organizations now respond to threats to support their cybersecurity strategy.”
Read more: NIST's Cybersecurity Framework 2.0: Building Cyber Resilience