The National Institute of Standards and Technology (NIST) has released an update to its popular Cybersecurity Framework, expanding its reach beyond critical infrastructure and aiming to support organizations of all sizes. The new version, known as Cybersecurity Framework 2.0, builds on the original framework’s five functions of an effective cybersecurity program – identify, protect, detect, respond, and recover – and adds a sixth function called govern.
The updated framework highlights the importance of cybersecurity as a major source of enterprise risk, ranking alongside legal, financial, and other risks for senior leadership. NIST’s new guidelines, currently in the draft phase, emphasize the need for organizations of all sizes to address cybersecurity concerns and incorporate them into their overall risk management strategies.
Cherilyn Pascoe, NIST’s lead developer of the framework, explained that the update was driven by the desire to reflect current and future usage of the framework. While the Cybersecurity Framework was initially developed for critical infrastructure industries like banking and energy, it has proven to be useful across various sectors, including schools, small businesses, and governments.
The expanded scope of the framework to include organizations of all types is seen as a positive step towards better cybersecurity practices. Bud Broomhead, CEO at Viakoo, noted that the update acknowledges that every organization faces cyber threats and needs to have a plan in place for managing cyber hygiene and incident response. He further stated that this update will enable organizations to reduce their threat landscape, comply with regulations and audits, and meet cybersecurity insurance requirements.
Joseph Carson, chief security scientist and advisory CISO with Delinea, praised the update as an “excellent refresh.” He highlighted the framework’s evolution from a focus on critical infrastructure organizations to providing guidance to all sectors. Carson also praised the addition of the govern function, which acknowledges the changing landscape of cybersecurity threats and the need for organizations to develop a comprehensive cybersecurity strategy.
The draft CSF 2.0 is open for public comment until November 4th. NIST encourages organizations and cybersecurity professionals to provide their input to further improve the framework and ensure its relevance across various industries.
Overall, the release of Cybersecurity Framework 2.0 marks a significant milestone in NIST’s ongoing efforts to provide comprehensive guidance for organizations of all sizes to manage cybersecurity risks effectively. As cyber threats continue to evolve and affect organizations across sectors, having a robust framework that addresses these challenges is crucial. By incorporating the govern function and expanding its scope, the updated framework ensures that organizations can better protect their critical assets, comply with regulations, and strengthen their overall cybersecurity posture.