NIST Releases Cybersecurity Framework 2.0 Draft for Public Comment
Wednesday - August 9 2023, 23:03 UTC
After considering more than a year's worth of community feedback, the National Institute of Standards and Technology (NIST) has released a draft version of the Cybersecurity Framework (CSF) 2.0 which reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice for all organizations. The framework provides high-level guidance, and has been downloaded more than two million times across more than 185 countries. The CSF 2.0 draft reflects a number of major changes, such as leveraging other technology frameworks to implement the CSF, and providing more guidance for organizations on emerging cybersecurity issues like ransomware and supply chain risks.
The world's leading cybersecurity guidance is getting its first complete makeover since its release nearly a decade ago. After considering more than a year's worth of community feedback, the National Institute of Standards and Technology (NIST) has released a draft version of the Cybersecurity Framework (CSF) 2.0, a new version of a tool it first released in 2014 to help organizations understand, reduce and communicate about cybersecurity risk. The draft update, which NIST has released for public comment, reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice—for all organizations.
"With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well," said NIST's Cherilyn Pascoe, the framework's lead developer. "The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that's useful to all sectors, not just those designated as critical."
NIST is accepting public comment on the draft framework until Nov. 4, 2023. NIST does not plan to release another draft. A workshop planned for the fall will be announced shortly and will serve as another opportunity for the public to provide feedback and comments on the draft. The developers plan to publish the final version of CSF 2.0 in early 2024.
The CSF provides high-level guidance, including a common language and a systematic methodology for managing cybersecurity risk across sectors and aiding communication between technical and nontechnical staff. It includes activities that can be incorporated into cybersecurity programs and tailored to meet an organization's particular needs. In the decade since it was first published, the CSF has been downloaded more than two million times by users across more than 185 countries and has been translated into at least nine languages.
While responses to NIST's February 2022 request for information about the CSF indicated that the framework remains an effective tool for reducing cybersecurity risk, many respondents also suggested that an update could help users adjust to technological innovation as well as a rapidly evolving threat landscape.
"Many commenters said that we should maintain and build on the key attributes of the CSF, including its flexible and voluntary nature," Pascoe said. "At the same time, a lot of them requested more guidance on implementing the CSF and making sure it could address emerging cybersecurity issues, such as supply chain risks and the widespread threat of ransomware. Because these issues affect lots of organizations, including small businesses, we realized we had to up our game."
The CSF 2.0 draft reflects a number of major changes, including:
A major goal of CSF 2.0 is to explain how organizations can leverage other technology frameworks, standards and guidelines, from NIST and elsewhere, to implement the CSF. Bolstering this last effort will be the launch of a CSF 2.0 reference tool, which NIST plans to release in a few weeks.