In the first major update since it was created in 2014, the National Institute of Standards and Technology (NIST) reported Feb. 26 that it’s updated the widely used Cybersecurity Framework (CSF) document. The 2.0 edition of this landmark guide for reducing cybersecurity risk is designed for all audiences, industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations—regardless of their degree of cybersecurity sophistication.
In response to the numerous comments received on the draft version, NIST expanded CSF 2.0’s core guidance, and developed related resources to help users get the most out of the framework. These resources are designed to provide different audiences with tailored pathways into the CSF, and make the framework easier to put into action.
“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” says Laurie Locascio, undersecretary of commerce for standards and technology and NIST’s director. “CSF 2.0 is a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
CSF 2.0 supports implementation of the National Cybersecurity Strategy, and has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider along with others such as finance and reputation.
“Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the U.S. and abroad,” adds Kevin Stine, chief of NIST’s applied cybersecurity division.
CSF 2.0 is organized around six key functions—its original five: “identify, protect, detect, respond and recover”—along with the guide’s newly added “govern” function. Considered together, these functions provide a comprehensive view of the lifecycle for managing cybersecurity risk.
This updated framework anticipates that organizations will come to CSF with varying needs and degrees of experience at implementing cybersecurity tools. New adopters can learn from other users’ successes, and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.
In addition, CSF 2.0 offers a searchable catalog of informative references, which shows how their current actions map onto the CSF. This catalog allows an organization to cross-reference the CSF’s guidance to more than 50 other cybersecurity documents, including others from NIST, such as SP 800-53 Rev. 5, a catalog of tools (called controls) for achieving specific cybersecurity outcomes.
Organizations can also consult the Cybersecurity and Privacy Reference Tool (CPRT), which contains an interrelated, browsable and downloadable set of NIST guidance documents that contextualizes these NIST resources, including the CSF, with other popular resources. And the CPRT offers ways to communicate these ideas to technical experts and the C-suite, so that all levels of an organization can stay coordinated.
NIST plans to continue enhancing its resources and making the CSF an even more helpful resource to a broader set of users, Stine said, and feedback from the community will be crucial.
“As users customize the CSF, we hope they’ll share their examples and successes, which will allow us to amplify their experiences and help others,” says Stine. “That will help organizations, sectors and even entire nations better understand and manage their cybersecurity risk.”
The CSF is used widely internationally. Versions 1.1 and 1.0 have been translated into 13 languages, and NIST expects that CSF 2.0 also will be translated by volunteers around the world. Those translations will be added to NIST’s expanding portfolio of CSF resources.
Over the last 11 years, NIST’s work with the International Organization for Standardization, in conjunction with the International Electrotechnical Commission, has helped align multiple cybersecurity documents. ISO/IEC resources now allow organizations to build cybersecurity frameworks and organize controls using the CSF functions. NIST plans to continue working with ISO/IEC to continue this international alignment.
