Cyber

NIST publishes expanded draft of key cybersecurity framework

The latest draft widens the document’s scope to provide guidance for organizations of all sizes as well as for critical infrastructure.

By John Hewitt Jones

August 9, 2023

(NIST photo)

The National Institute of Standards and Technology has issued an expanded draft of its core cybersecurity framework document, which provides guidance for public and private sector organizations working to quantify and manage cybersecurity risk.

An updated version of NIST’s Cybersecurity Framework 2.0 incorporates recently submitted industry feedback and expands the document’s scope to provide guidance for organizations of all sizes, instead of focusing primarily on guidance for critical infrastructure.

The cybersecurity framework — along with NIST’s Risk Management Framework — is used by federal agencies to plan for and mitigate cybersecurity risks. The latest draft comes as the Biden administration ramps up its focus on addressing cyber-supply chain risk, including through the use of attestation forms and software bills of material.

In addition to expanding its scope, the latest draft has added a sixth function — govern — in addition to the document’s five existing functions: identify, protect, detect, respond and recover. It also provides additional specific guidance on how small firms should best implement the framework.

In January, NIST teased forthcoming updates to the framework and published a concept paper intended to spur feedback from industry.

The Commerce Department bureau will hold a workshop in the fall to discuss the draft and accept public comment until Nov. 4, although it does not intend to issue another draft version of the framework.

Commenting on the updated document, the framework’s lead developer Cherilyn Pascoe said: “With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well.”

“The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical,” she added.

NIST publishes expanded draft of key cybersecurity framework

More Like This

Security flaws in IRS systems pose risk to financial statements, GAO says

CISA’s chief data officer: Bias in AI models won’t be the same for every agency

Scientists must be empowered — not replaced — by AI, report to White House argues

Top Stories

ACLU seeks AI records from NSA, Defense Department in new lawsuit

IRS touts Direct File usage, while mulling the future of the program

DHS launches safety and security board focused on AI and critical infrastructure

GSA welcomes nominations for advisory committee focused on federal transparency efforts

DOJ seeks public input on AI use in criminal justice system

DHS picks OMB official to lead its new AI Corps

More Scoops

404 page: the error sites of federal agencies

Cybersecurity executive order requirements are nearly complete, GAO says

Department of Commerce announces US, UK AI safety partnership

AI talent role, releasing code, deadline extension among additions in OMB memo

From research to talent: Five AI takeaways from Biden’s budget

Updated NIST cybersecurity framework adds core function, focuses on supply chain risk management

Bipartisan Senate proposal calls for AI workforce framework from NIST

Latest Podcasts

NIST publishes expanded draft of key cybersecurity framework

CISA is building an automated ransomware warning program

GSA’s Login.gov platform gets a new director

DOD’s Ashley Elizabeth Evans on effectively implementing AI

Tech

Defense

Cyber

Acquisition