The National Institute of Standards and Technology (NIST) released the latest version of its Cybersecurity Framework (CSF) this week, aiming to help public- and private-sector organizations stay ahead of the growing digital threat landscape.
Version 2.0 of the CSF, published Feb. 26, represents an expansion for the framework. The new document is “designed for all audiences, industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations,” NIST said in a statement.
“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” NIST Director Laurie Locascio said. “CSF 2.0 … is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
This is the first major update to the CSF since NIST published version 1.0 in 2014 in response to Executive Order 13636 on improving critical infrastructure cybersecurity; a smaller revision, version 1.1, followed in 2018. NERC is one of many organizations to use the framework, though not directly: rather than adopting the CSF itself, the Electric Reliability Organization (ERO) partnered with NIST in 2021 to produce a set of tools that help registered entities map the CSF to NERC’s Critical Infrastructure Protection (CIP) standards. (See NERC, NIST Update Cybersecurity Mapping.)
The CSF is meant to support the implementation of the federal government’s National Cybersecurity Strategy, released last March. The strategy has five pillars:
- Defend critical infrastructure.
- Disrupt and dismantle threat actors.
- Shape market forces to drive security and resilience.
- Invest in a resilient future.
- Forge international partnerships to pursue shared goals.
In keeping with these goals, the new CSF “goes beyond protecting critical infrastructure … to all organizations in any sector,” NIST’s release said. The agency explained that comments received last year on a draft of the CSF showed that organizations well outside the original critical-infrastructure audience wanted a version of the framework they could use.
The final framework reflects this broader focus with the addition of quick-start guides that let users with specific needs — for example, small-business owners or staff looking to secure their digital supply chains — go straight to the material relevant to them without wading through sections that do not apply. Organizations can also build profiles describing both where they stand today (a Current Profile) and where they want to be (a Target Profile), and can consult community profiles that show how similar organizations have applied the CSF.
Also new in this version is an explicit focus on governance, with “Govern” added as the first of the CSF’s core functions. The document calls governance activities “critical for incorporating cybersecurity into an organization’s broader enterprise risk management strategy.” Outcomes under this function include establishing a cybersecurity risk management strategy and a supply chain risk management program, setting policy, and defining staff roles, responsibilities, authorities, and oversight.
Governance informs how the other five core functions are carried out. NIST defines those functions as:
- Identify — Understand the organization’s assets, suppliers and related cybersecurity risks, and identify opportunities for improvement in its policies and practices.
- Protect — Ensure that safeguards are in place to manage cybersecurity risks.
- Detect — Find and analyze possible cyberattacks and compromises.
- Respond — Take action in response to detected cybersecurity incidents.
- Recover — Ensure that assets and operations affected by a cybersecurity incident are restored.
NIST said it expects the new CSF to be translated for international use; the previous version is available in 13 languages, the agency said. It also plans to continue working with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to align cybersecurity documents across countries and industries.