The Evolution of Cybersecurity: NIST Releases Draft of Cybersecurity Framework 2.0

August 30, 2023 • Blog
Posted by Mark Jones, Senior Partner

In a digital age where cyber threats are ever-evolving, staying ahead of the curve is more important than ever. The National Institute of Standards and Technology (NIST), one of the cornerstones of cybersecurity guidance, is driving a significant transformation with the unveiling of the draft version of the Cybersecurity Framework (CSF) 2.0. This marks the first complete makeover of the framework since its original release nearly a decade ago in 2014.

A New Era of Cybersecurity Preparedness

Recognising the need for a comprehensive update to address the changing cybersecurity landscape, NIST has drawn on over a year's worth of community feedback to revamp the CSF. The draft, now open for public commentary, reflects the dynamic nature of cybersecurity and aims to make the CSF more actionable and accessible for organisations of all sizes.

Cherilyn Pascoe, the lead developer of the framework at NIST, emphasises that this update is not only about reflecting the present but also anticipating the future. "The CSF was developed for critical infrastructure industries but has proved useful across various sectors, from schools and small businesses to local and foreign governments. We want to make sure it is a tool that's useful to all sectors, not just those designated as critical," says Pascoe.

A Collaborative Approach

To ensure the new framework's effectiveness and relevance, NIST is actively seeking public input on the draft version until November 4, 2023. The transparency in this approach encourages collective wisdom and diverse perspectives, vital in crafting a framework that addresses the complexities of modern cybersecurity challenges.

In addition to public commentary, NIST plans to host a workshop in the coming months, further inviting engagement from cybersecurity professionals and stakeholders. This collaborative effort is a testament to NIST's commitment to producing a well-rounded and adaptable framework.

Key Highlights of CSF 2.0 Draft

The CSF 2.0 draft introduces several substantial changes that align with the evolving cybersecurity landscape:

  1. Expanded Scope: The framework's scope has broadened from safeguarding critical infrastructure to encompass cybersecurity for all organisations, regardless of type or size. This expansion is mirrored in the framework's updated title, "The Cybersecurity Framework," reflecting its relevance beyond critical industries.

  2. Governance Function: NIST introduces a sixth function, the "govern" function, which underscores an organisation's internal decision-making process to support its cybersecurity strategy. This reflects the recognition that cybersecurity is a paramount enterprise risk.

  3. Enhanced Implementation Guidance: The draft emphasises improved guidance for implementing the CSF, especially through tailored profiles for specific sectors and use cases. Practical examples for each function's subcategories offer valuable assistance, particularly to smaller organisations.

  4. Leveraging Technology Frameworks: CSF 2.0 encourages organisations to leverage technology frameworks, standards, and guidelines beyond the NIST ecosystem. The CSF 2.0 Reference Tool facilitates easy access to the CSF Core data and relationships with other resources, fostering more effective risk management.

A Path to Cybersecurity Excellence

As organisations across the globe grapple with increasingly sophisticated cyber threats, the evolution of the CSF stands as a beacon of cybersecurity excellence. The draft's careful consideration of current challenges and future needs showcases NIST's dedication to equipping businesses, institutions, and governments with the tools they need to navigate the ever-changing digital landscape.

With the final version of CSF 2.0 set to be published in early 2024, Tesserent and the wider cybersecurity community eagerly anticipate the framework's role in shaping a safer and more resilient cyber environment.
