By Kathryn Daily, CISSP, CGRC, RDRP
Over a decade ago, NIST published the Cybersecurity Framework as a base set of standards, guidelines, and best practices to manage cybersecurity risks for critical infrastructure. While it is currently voluntary for critical infrastructure, Executive Order 13800 (May 11, 2017) required federal agencies to, “Use the Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk.”
Since its inception, the NIST CSF has become an integral resource for helping organizations develop security programs, even outside of the federal government and critical infrastructure. As such, the publication of the CSF 2.0 Initial Public Draft (IPD) in August 2023 has generated a lot of conversation on online forums within the cybersecurity community. NIST has sought considerable feedback from the commercial sector, the government sector, and academia for the development of CSF 2.0.
The biggest change we see is that the scope has been expanded from a focus on critical infrastructure to all organizations, regardless of type or size. In fact, the title of the document has changed from “Framework for Improving Critical Infrastructure Cybersecurity” to simply “The Cybersecurity Framework.”
NIST also saw fit to introduce the “Govern” pillar to cover organizational context. In terms of governance, risk, and compliance (GRC), governance is the set of policies, rules, or frameworks that an organization uses to achieve its goals. In the CSF, governance includes determining the organization's priorities and risk tolerances, assessing cybersecurity risks and impacts, establishing cybersecurity policies and procedures, and understanding roles and responsibilities. The new Govern function in CSF 2.0 informs and supports the other, previously existing functions.
NIST has placed an emphasis on protecting the supply chain as supply chain attacks become more prominent. Under the new Govern pillar, NIST has created a category focused on cybersecurity supply chain risk management and updated the content to reflect the latest NIST guidance and Framework practices related to cybersecurity supply chain risk management and secure software development.
Based on a mountain of feedback, NIST has provided further guidance on implementing the CSF. The implementation examples are hypothetical, action-oriented processes that an organization could follow to achieve each CSF subcategory. Additionally, NIST has expanded the informative references to standards, guidelines, regulations, and other resources that help inform how an organization achieves the functions, categories, and subcategories.
NIST continues to accept feedback on the CSF 2.0 IPD through November 4, 2023. The final CSF 2.0 document is anticipated to be published in early 2024.