Overview

The National Institute of Standards and Technology (NIST) has released the “Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework,” outlining changes under consideration for the Cybersecurity Framework (CSF).

The CSF is meant to be a living document that is developed over time. Its purpose is to guide organizations to better understand, manage, reduce, and communicate cybersecurity risks. The CSF continues to evolve so that it keeps pace with changing technology and threat trends, adopts lessons learned, and shifts common practices to best practices. In turn, the Framework can continue to help organizations effectively manage risk in the ever-changing cybersecurity landscape.

While the framework is a voluntary guide, it is widely used by all sectors around the globe.

The development of the CSF is based heavily on private and public sector input. As such, NIST welcomes public responses to the concept paper to improve the Framework’s effectiveness and better align it with other cybersecurity resources. The organization asks the community to provide feedback by March 3, 2023.

Public involvement has already played a significant role in the process. According to NIST, the concept paper was based on feedback received so far through:

  • Responses to the February 2022 NIST Cybersecurity Request for Information (RFI);
  • A workshop held in August of 2022 attended by nearly 4,000 participants from 100 countries;
  • Feedback received from organizations that have used the CSF; and
  • NIST participation at events and meetings around the world.



One notable change proposed in the paper is to expand the Framework’s scope to be more inclusive of organizations beyond critical infrastructure. This means more guidance for organizations like small businesses and educational institutions.

Throughout the process, NIST will also pursue stakeholder feedback through publicly held webinars and workshops.

The original CSF 2.0 timeline documented in the concept paper indicates NIST’s goal to have CSF 2.0 ready in the winter of 2024.

Sources

https://www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20

https://fedscoop.com/nist-working-on-potential-significant-updates-to-cybersecurity-framework/

https://www.nist.gov/system/files/documents/2023/01/19/CSF_2.0_Concept_Paper_01-18-23.pdf

https://www.federalregister.gov/documents/2022/02/22/2022-03642/evaluating-and-improving-nist-cybersecurity-resources-the-cybersecurity-framework-and-cybersecurity