The National Institute of Standards and Technology (NIST) recently published a concept paper covering potential revisions to its Cybersecurity Framework (CSF). NIST is seeking feedback before it finalizes a draft of CSF 2.0. NIST did not provide a timeline for the updates, but they will most likely arrive in the summer.
The NIST CSF is a pivotal piece of most cybersecurity policies and practices. It serves as guidance for managing IT infrastructure risk and reducing it. Its development was a collaboration between stakeholders in the private and public sectors. What makes it unique is that its contents are not compliance-driven. Its most significant objective is to encourage all companies to prioritize cybersecurity and drive awareness of cyber risk throughout an organization. After all, cybersecurity, to some degree, is everyone’s responsibility.
Since its establishment in 2014 and its update in 2018, much has changed in the cybersecurity ecosystem. Unfortunately, risk has risen, and cyberattacks have soared. While big companies in regulated industries like healthcare, financial services, and retail have large targets on their backs, most cyberattacks impact small and medium-sized businesses. And that’s truly the audience for the NIST CSF. So it makes sense that it’s time for an update.
Let’s go through what those updates may be by analyzing the concept paper and the impact they could have on how you use the NIST CSF.
Revisions Are the Result of Feedback
NIST, again demonstrating its collaborative approach, started the update process with a request for information (RFI) in February 2022. It followed up with a workshop on CSF 2.0 in August of last year. The paper explains that the CSF is a living document that should receive updates over time.
The proposed changes will be more substantial than the 2018 update and should reflect the evolution of the cybersecurity landscape. The CSF, in its current state, focuses on cybersecurity risks in critical infrastructure. The 2.0 version will expand upon this and cover all organizations with an emphasis on the cyber needs of small businesses and higher education. Ideally, the framework should apply to any company, regardless of size or industry. There is also a desire for more international collaboration and engagement.
NIST also plans to align CSF 2.0 with other frameworks, highlighting the new recommendations through its newly created NIST Cybersecurity and Privacy Reference Tool (CPRT).
Now let’s look further at the concept paper and clues about what CSF 2.0 could include.
NIST CSF 2.0 Potential Updates
First, the concept paper makes it abundantly clear that NIST sought feedback from cybersecurity stakeholders. It accepted responses through March 3, 2023. Even after the draft is published, there will be a 90-day public review.
Let’s look at some of the critical areas that will receive updates.
Remaining Technology- and Vendor-Neutral While Reflecting the Changes in Cybersecurity Practices
NIST wants the CSF to stay broad and neutral but is working with the community on technology-specific mappings. One example is the relationship between the CSF and Zero Trust Architecture. Other mappings it expects to include are IoT (Internet of Things), 5G, and Migration to Post-Quantum Cryptography.
The new guidance will also expand on incident response and recovery, which should be a priority, considering the number of successful attacks. Many of these incidents involved ransomware and temporary or permanent losses of data. Any support the framework can provide on this should be helpful to all companies.
Implementing the Framework: Simplifying and Examples
The current CSF may be a little light on implementation instruction. More than 500 responses to the RFI asked for more guidance here. In fact, many said they need straightforward descriptions, not overly technical ones. This is a bit of an “Aha!” moment for someone like me who’s been crusading against geek speak and the overcomplication of cybersecurity. So, yes, everyone could benefit from a little more plain speak.
In addition to improving the implementation guidance, the new version will add examples and profile templates. With these resources, organizations should have more context and information on how to move forward.
Governance Becomes a Priority and New Function
Another topic of the updates is cybersecurity governance. NIST plans to add a new Function called “Govern,” which will bring the count of Functions to six. Under this Function, there will be information about:
- What governance is.
- Why governance is important.
- Governance and cybersecurity priorities.
- How governance impacts risk, policies, procedures, roles, and responsibilities.
- Clarification of the relationship between governance and cybersecurity risk.
Currently, governance sits under “Identify.” By becoming its own pillar, it gets a dedicated section that demonstrates its importance in cybersecurity.
Cybersecurity Supply Chain Expanded Coverage
The NIST CSF 2.0 will highlight supply chain security, a hot topic and another frequently requested addition in the RFI feedback. Supply chain attacks have been at the center of some of the biggest failures of the past two years, and NIST previously issued a guide on defending against them in 2021.
Since technology is more interconnected than ever, organizations must thoroughly assess and manage third-party risks. The new guidance should help you update or develop your own supply chain security plan.
More on Measurement and Assessment
The next subject for CSF 2.0 concerns measurement and assessment. You always want to be measuring how effective your cybersecurity strategies are and assessing where the gaps are. The concept paper mentions that there will be more support for this, including examples.
This subject will also include additional content on Framework Implementation Tiers. The CSF Tiers offer a method to understand your approach to risk and what you have in place to manage that risk. Organizations are applying the Tiers flexibly, and they are asking for more guidance on how to apply them across many scenarios.
The new CSF will clarify the scope and application of the Tiers in describing how robust risk management processes, programs, and communication are. The paper also raises the possibility of refocusing the Tiers on goals relating to governance, which may deliver more value to users.
More Thoughts on the Themes
This is a quick summary of the paper with additional context from my own experiences and opinions. The reaction to the paper thus far has been positive. Federal cybersecurity leaders have lauded its inclusion of governance and supply chain risk and its push to make the guidance more accessible.
This would be the biggest reform ever for cybersecurity guidance, and it comes at a prime time. The current framework is often too narrow or vague, so it’s good that clarity is a big theme. Cyber leaders and teams also need more practical advice in applying the framework to make a real difference in risk management.
The concentration on measurement is also a good step forward. Measuring cyber efforts is a critical way to drive improvement. Yet, it seems hard for many companies to do this consistently. This should shed some light on how to do this effectively. NIST openly admits that cybersecurity measurement is complex, and many can’t definitively say if their cybersecurity posture is better. I look forward to seeing their counsel on what to measure and how to do it.
What the NIST CSF 2.0 Project Reveals About the Future of Cybersecurity
These possible changes are the meat of the discussion, but I think the entire project tells another important story: collaboration, communication, and transparency. Those components are essential to cybersecurity, and they have nothing to do with its technical side. It’s a unique example of how a group of very different people can channel their energy into something for the greater good.
In discussing the topic with your cyber team, you should bring this up as a model of what to do. Having a robust cybersecurity program and mitigating risk isn’t possible without cooperation among your technical folks internally and with your external clients. Maybe that concept is sometimes difficult for them to grasp because they just want to be right all the time. Unfortunately, nobody is, and technical people long for certainty, which is just as elusive in cybersecurity as in almost any other business area.
What sharing this process could do for your people is broaden their awareness of how integral collaboration, communication, and transparency are. Awareness is the first step in the Secure Methodology™, a seven-step guide to transforming technical people into effective communicators and collaborators.
With awareness, people must understand their behaviors and expand their perspectives. That often involves reframing, being specific and relatable, and understanding motivation. The updated CSF could have many implications for your future policies and procedures. Still, it’s an excellent illustration of the modern culture of cybersecurity: one that welcomes perspective, open mindsets, honest communication, and working together more harmoniously.
Once NIST publishes the new CSF, I’ll revisit this topic to see where we’ve ended up. In the meantime, if you want to know more about the Secure Methodology, read Christian Espinosa’s book, The Smartest Person in the Room. You can also check out the Secure Methodology program, now available.