The US National Institute of Standards and Technology (NIST) has released a public draft of the Cybersecurity Framework 2.0 (CSF 2.0), building on the original CSF issued in 2014 (then titled the "Framework for Improving Critical Infrastructure Cybersecurity"). In the intervening years the CSF has become a widely adopted, voluntary reference for managing cybersecurity risk in organizations worldwide. The new draft, expected to be finalized in early 2024, aims to broaden the framework's utility and relevance across sectors, with particular attention to supply chain security and the addition of explicit governance content.
To ensure the framework remains applicable to a wider range of organizations, NIST is rebranding it as the “Cybersecurity Framework” without the emphasis on critical infrastructure. This shift is intended to highlight the framework’s versatility beyond critical infrastructure, making it a valuable tool for all sectors, from schools and small businesses to governments, both domestic and foreign.
The most significant structural change in CSF 2.0 is the new "Govern" function, which sits alongside and informs the five existing functions: Identify, Protect, Detect, Respond, and Recover. Govern covers how an organization sets its cybersecurity risk management strategy, expectations, and policy, and how those decisions are made and overseen. Its presence makes the point that cybersecurity is an enterprise risk to be weighed by senior leadership alongside legal, financial, and other risks, rather than a purely technical concern.
Under the Govern function, CSF 2.0 introduces a new category dedicated to supply chain risk management, recognizing its paramount importance. This addition emphasizes the need for organizations to identify, establish, manage, and monitor processes related to cyber supply chain risk management. It outlines ten subcategories to guide supply chain risk management efforts.
To address adoption challenges, NIST has published draft implementation examples alongside the CSF 2.0 draft and intends to carry them into the final release. These examples give concrete, action-oriented illustrations of how an organization might achieve each subcategory's outcome, and are meant to help organizations translate the framework's outcomes into practice.
On the long-standing question of how to measure cybersecurity performance, the 2.0 draft does not prescribe a single method; instead it encourages organizations to develop and tailor their own measurement approaches. It also adds an Improvement category under the Identify function, covering how organizations identify and act on opportunities to improve their cybersecurity risk management processes, procedures, and activities, including through evaluations, tests, and lessons learned from incidents.
NIST is hosting its final CSF 2.0 workshop on September 19 and 20, 2023, with the aim of releasing the final version in early 2024. Importantly, NIST does not plan to issue another draft for comment before finalization, so this is the last opportunity to shape the document. Feedback on the draft and on the implementation examples is due by November 4, 2023.