The National Institutes of Standards and Technology intends to release version 2.0 of its Cybersecurity Framework in the coming years, and this week, the agency teased some of the “potential significant updates” that may land in that new framework.
On Thursday, NIST published a concept paper outlining significant changes to the Cybersecurity Framework and opening them to public feedback over the next several weeks.
The framework is a voluntary guide to help organizations in all sectors to better understand, manage, reduce, and communicate cybersecurity risks. It is used widely, along with NIST’s Risk Management Framework, by federal agencies to plan their own cybersecurity approaches.
Of the proposed changes in the concept paper, the most notable are broadening the scope of the framework beyond critical infrastructure use cases to better include other organizations like small businesses and higher education institutions; including more guidance for implementation; and emphasizing the importance of cybersecurity governance and cybersecurity supply chain risk management, among others.
These updates come directly from responses to NIST’s cybersecurity request for information opened last February.
Largely, NIST says, that RFI showed that “the CSF remains effective in addressing cybersecurity risks by facilitating governance and risk management programs and enhancing communication within and across organizations,” it writes in the new concept paper.
“The CSF has been adopted voluntarily and in governmental policies and mandates at all levels around the world, reflecting its enduring and flexible nature to transcend risks, sectors, technologies, and national borders. The CSF is intended to be a living document that is refined and improved over time,” the paper reads. “The ‘CSF 2.0’ version reflects the evolving cybersecurity landscape — but community needs will drive the extent and content of the changes.”
NIST’s Cybersecurity Framework 1.0 was released in 2014 and updated in 2018 with version 1.1. Per its timeline, NIST hopes to publish a draft of version 2.0 this summer and the final framework in the winter of 2024.
Public responses to the concept paper are due by March 3.