The National Institute for Standards and Technology (NIST) has published draft revisions to its Cybersecurity Framework (CSF). Public comments on the draft will be accepted until November 4.
First published in 2014, the CSF offers organizations a common language and a systematic methodology for managing cybersecurity risk across sectors, and supports communication between technical and nontechnical staff. It also provides activities that can be incorporated into cybersecurity programs and tailored to meet an organization’s needs.
The revisions represent significant changes to the framework, giving the widely-used document its first “complete makeover” since its release. The draft Cybersecurity Framework 2.0 was developed after more than a year’s worth of community feedback, reflecting changes in the cybersecurity landscape and making it easier for many different kinds of organizations to put the CSF into practice.
“With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,” said NIST’s Cherilyn Pascoe, the framework’s lead developer. “The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”
One major goal of CSF 2.0 is to explain how organizations can leverage other technology frameworks, standards, and guidelines (both from NIST and elsewhere) to implement the CSF. NIST also announced its plans to launch a CSF 2.0 reference tool, which will allow users to browse, search, and export the CSF Core data in human-consumable and machine-readable formats. In the future, this tool will provide “Informative References” to show the relationships between the CSF and other resources to make it easier to use the framework together with other guidance to manage cybersecurity risk.
NIST is accepting public comment on the draft framework until November 4, 2023, at [email protected]. A fall workshop, to be announced in the coming weeks, will provide another opportunity for the public to give feedback and comments on the draft. The developers plan to publish the final version of CSF 2.0 in early 2024.
Learn more in the NIST news release and access the full draft Cybersecurity Framework 2.0.