
A Closer Look at NIST's Upcoming Cybersecurity Framework 2.0

Updated: Oct 3, 2023



The National Institute of Standards and Technology (NIST) is updating its Cybersecurity Framework (CSF) to keep pace with the rapidly evolving cybersecurity landscape. Today, NIST released a concept paper outlining more significant potential changes in the CSF. The purpose of this concept paper is to gain additional input before issuing a draft CSF 2.0 this summer.


The concept paper outlines more significant potential changes that NIST is considering in developing CSF 2.0. However, it should be noted that this paper does not cover all potential changes that may be made to the framework structure, format, and content, especially specific changes to categories and subcategories of the CSF core.


It is important to note that the CSF is intended to be a living document that is refined and improved over time. NIST initially produced the Framework in 2014 and updated it in 2018 with CSF 1.1. The development of CSF 2.0 is iterative and based heavily on private and public sector input, making the input of stakeholders crucial to its success.



1.1. Change the CSF’s title and text to reflect its intended use by all organizations


One of the key changes in CSF 2.0 is the adoption of the name "Cybersecurity Framework" instead of "Framework for Improving Critical Infrastructure Cybersecurity." This is intended to make the framework more easily understandable to a wider range of organizations. In addition, NIST will increase its efforts to ensure that the framework is helpful to organizations in addressing cybersecurity challenges.


1.3. Increase International Collaboration and Engagement


Another key change is the prioritization of exchanges with foreign governments and industry as part of CSF 2.0 development. This will help ensure that the CSF is recognized as an international resource. Furthermore, NIST aims to maintain the current level of detail and specificity in CSF 2.0 to ensure that it remains scalable and flexible for a wide range of organizations.


2.3. Leverage Cybersecurity and Privacy Reference Tool for online CSF 2.0 Core


To make the framework more user-friendly, related NIST Frameworks (Privacy Framework, Risk Management Framework, etc.) will be referenced in the CSF 2.0 or in companion materials, such as mappings. This will help organizations better understand how to implement the framework in their specific contexts. Additionally, CSF 2.0 will be showcased through the recently launched NIST Cybersecurity and Privacy Reference Tool (CPRT), which provides a more visual and interactive way to navigate the framework.


4. CSF 2.0 will emphasize the importance of cybersecurity governance


Another important change in CSF 2.0 is the emphasis on cybersecurity governance. There will be a new “Govern” Function included to emphasize cybersecurity risk management governance outcomes. This new crosscutting Function will highlight that cybersecurity governance is critical to managing and reducing cybersecurity risk.


4.2. Improve discussion of relationship to risk management


In addition to these changes, CSF 2.0 will also describe how an underlying risk management process is essential for identifying, analyzing, prioritizing, responding to, and monitoring risks, how CSF outcomes support risk response decisions (accept, mitigate, transfer, avoid), and various examples of risk management processes (e.g., Risk Management Framework, ISO 31000) that can be used to underpin CSF implementations.


NIST is inviting feedback and comments on the concept paper to inform further development of CSF 2.0. Feedback and comments should be directed to cyberframework@nist.gov by March 3, 2023. NIST intends to publish the draft Cybersecurity Framework 2.0 in the coming months for a 90-day public review.


If you're looking to stay ahead of the latest developments in cybersecurity and ensure your organization is protected against the latest threats, be sure to check out NIST's Cybersecurity Framework 2.0. And if you need help implementing the framework or have any questions, don't hesitate to contact Aspire Cyber at www.aspirecyber.com. Our team of experts is dedicated to helping organizations of all sectors, types, and sizes navigate the ever-changing cybersecurity landscape and protect their critical assets. Don't wait; take the first step to secure your organization today!

