NIST Releases Draft of Expanded Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) 2.0 reflects changes in the cybersecurity landscape and expands the framework to apply to entities beyond critical infrastructure.

By Jill McKeon

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is no longer just for critical infrastructure – its latest iteration, CSF 2.0, reflects the framework’s usability across all sectors and accounts for changes in the cybersecurity landscape. NIST is now seeking public comment on the draft version of CSF 2.0 and aims to publish a final version in early 2024.

“With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,” said the framework’s lead developer, Cherilyn Pascoe, in a NIST press release.

“The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”

NIST took public feedback into account to create the CSF 2.0, responding to suggestions that the framework could use an update to help users adapt to technological innovation and bolster implementation efforts.

“Many commenters said that we should maintain and build on the key attributes of the CSF, including its flexible and voluntary nature,” Pascoe continued.

“At the same time, a lot of them requested more guidance on implementing the CSF and making sure it could address emerging cybersecurity issues, such as supply chain risks and the widespread threat of ransomware. Because these issues affect lots of organizations, including small businesses, we realized we had to up our game.”

In addition to acknowledging the framework’s applicability to other sectors, the updated CSF expands upon the five key pillars: identify, protect, detect, respond, and recover. NIST has added a sixth pillar, known as “govern,” to guide organizations through executing internal cybersecurity decisions.

“It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership,” NIST stated.

The CSF draft also gives organizations more implementation guidance, walking them through the creation of risk profiles and function subcategories.

As previously reported, the NIST CSF can be an asset to healthcare organizations looking to bolster their cybersecurity programs. Alongside other voluntary frameworks and HIPAA compliance actions, healthcare organizations can leverage the NIST framework to enhance privacy and security protections.

NIST encouraged entities to submit comments and recommendations about the updated CSF to the institute by November 4.

“This is an opportunity for users to weigh in on the draft of CSF 2.0,” Pascoe added. “Now is the time to get involved if you’re not already.”