The National Institute of Standards and Technology (NIST) has released an update to its Cybersecurity Framework (CSF), the first major revision since the framework was introduced in 2014. The update reflects a change in focus, expanding the CSF’s applicability beyond critical infrastructure to a diverse range of organizations, regardless of their cybersecurity maturity level.
The CSF 2.0’s primary objective is to help all organizations manage and reduce cybersecurity risk. The revision grew out of several years of discussion and public feedback aimed at improving the framework’s effectiveness. The CSF now places greater emphasis on governance and addresses the complexities of supply chain cybersecurity. Its core guidance has been strengthened and is accompanied by a set of resources tailored to different audiences: quick-start guides for specific user groups, success stories showcasing real-world implementations, and a searchable catalog that cross-references the guidance with more than 50 other cybersecurity documents. According to Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio, the CSF 2.0 was developed as a holistic suite rather than a single document: “The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats… CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
The framework’s expanded reach covers organizations of all sizes and sectors, in line with the objectives of the National Cybersecurity Strategy. The CSF 2.0 introduces a new function, “Govern,” alongside the existing Identify, Protect, Detect, Respond, and Recover functions; together they provide a lifecycle approach to managing cybersecurity risk. To ease adoption, NIST has introduced a Reference Tool that simplifies CSF implementation: users can manage, search, and export the framework’s data in both human-readable and machine-readable formats. A searchable catalog of references lets organizations map their current actions onto the CSF and cross-reference them with other cybersecurity documents. The CSF 2.0 also addresses varying user needs with implementation examples and quick-start guides customized for specific user types, such as small businesses, enterprise risk managers, and those securing supply chains. NIST intends to keep gathering community feedback to further improve the CSF and make it useful to an even broader user base.
“Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad,” according to Kevin Stine, chief of NIST’s Applied Cybersecurity Division. The CSF has been translated into 13 languages, and with CSF 2.0’s release, NIST anticipates additional translations by volunteers worldwide. NIST plans to collaborate with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in the future to ensure continued alignment with international cybersecurity standards.