The US National Institute of Standards and Technology (NIST) has released the final version of version 2.0 of its popular Cybersecurity Framework (CSF).
The new framework is now available to be used by all organizations to help them manage and reduce cyber risks.
A draft of the updated version was published in August 2023, inviting feedback from the cybersecurity community.
This version contains significant changes to the previous iteration, most notably expanding the CSF’s scope beyond critical infrastructure to all organizations and industries.
In addition, a new ‘Govern’ pillar has been added to cover organizational context – in particular, roles, responsibilities and authorities across areas like risk management and the supply chain.
This pillar adds to the six key functions already in place - Identify, Protect, Detect, Respond and Recover.
Version 2.0 also cross links the framework to other relevant NIST special publications, making them easier for organizations to find.
Read here: NIST's Cybersecurity Framework 2.0: Shaping the Future of Cyber Resilience
NIST Makes Changes Following Public Comments
NIST said it received “numerous comments” on the draft. In response, the agency has expanded the CSF’s core guidance and developed related resources to help different organizations put the framework into action in the finalized version.
This includes allowing users to browse, search and export data and details from the CSF’s core guidance in human-consumable and machine-readable formats.
These formats are available through the NIST CSF website.
Additionally, there will be a searchable catalog of informative references to demonstrate how organizations’ current actions map onto the CSF.
Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio, noted: “The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats.
“CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
Version 2.0 represents the first major update to the framework since its creation in 2014. The framework has been utilized internationally, with Versions 1.1 and 1.0 translated into 13 languages.