The News: The National Institute of Standards and Technology (NIST) releases the first draft of its Cybersecurity Framework (CSF) 2.0. Comments on the document are open to the public until November 4, 2023 and the final version is slated to be released in early 2024. Additional information is available on NIST’s website.
NIST Cybersecurity Framework 2.0 Addresses Growing Cyberattack Threats
Analyst Take: The NIST CSF was first released in 2014 as a set of voluntary best practices designed to guide industries with critical infrastructure, such as banking, energy, and healthcare, on understanding, communicating about, and, ultimately, mitigating cybersecurity risk. Effectively, it provides guidelines for developing, integrating, and measuring the success of cybersecurity programs for organizations through facilitating not only systematic methodologies, but also common language to aid communication between technical and nontechnical staff. The document has since become widely regarded as the de facto industry standard, having been downloaded more than 2 million times across more than 185 countries, according to NIST.
Naturally, much has developed since the NIST CSF’s inception. Cyber-crime has risen to an immediate, board-level priority that must be addressed ubiquitously, across industries – vastly broadening the NIST CSF’s applicability and its importance, from small businesses and local schools to large government organizations. Against this backdrop, more guidance is required on how to implement framework recommendations and best practices.
At the same time, the threat landscape is constantly evolving and more difficult than ever for organizations to keep pace with. To name just a few factors, supply chain risks have emerged, and new variants and tactics for ransomware and other malware attacks are continuing to increase.
Version 2.0 of the NIST CSF includes a number of key updates and additions that respond to these new requirements:
- Arguably most notably, it adds a sixth pillar, “Govern,” to the previously existing five (“Recover,” “Identify”, “Respond,” “Detect,” and “Protect”). This new pillar reflects the criticality of cybersecurity from the standpoint of risk to the business or organization. It adds additional context regarding individual roles and responsibilities for managing cyber-threats, while providing additional context on formulating and executing cybersecurity frameworks from an organizational perspective. Specifically, the Governance pillar covers:
- Organizational context
- Risk management strategy
- Roles and responsibilities
- Policies and procedures
- To help streamline adoption of the framework, Version 2.0 adds “Framework Profiles” that provide guidance on implementing CSF best practices, within the context of organizations’ specific resources. While preserving the framework’s flexibility, which allows it to be tailored to organizations’ unique requirements, these profiles add examples specific to industries and use cases that help organizations from the standpoint of implementation.
- Finally, another important update with Version 2.0 is additional clarity around how the organization’s cybersecurity posture is assessed and measured.
Along with these updates, NIST will be launching a reference tool that will allow CSF 2.0 data to be browsed, searched and exported. The objective is to help organizations utilize the framework in conjunction with other industry guidelines and standards.
For IT Operations teams, the takeaway is that, if they are not yet being held to NIST recommendations from the standpoint of technology implementations and day-to-day policies and procedures, they should be prepared to be. Collaboration with security and line of business (LOB) leaders will continue to increase, and while these conversations may not always be easy, the NIST CSF Version 2.0 represents a tool that can help to facilitate discussions, conceptual development of cybersecurity policies, and their implementation.
Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.
Other Insights from The Futurum Group:
Tech Giants and White House Join Forces on Safe AI Usage
NIST Launches the Trustworthy & Responsible Artificial Intelligence Resource Center
Network Resilience Coalition Debuts to Boost Data and Network Security
Author Information
Krista Case is Research Director, Cybersecurity & Resilience at The Futurum Group. She brings approximately 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.
Prior to joining The Futurum Group, Krista led the data protection practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.
