NIST Introduces Cybersecurity Framework 2.0
The National Institute of Standards and Technology (NIST) unveiled the new version of its Cybersecurity Framework (CSF). Based on valuable contributions during its review, the CSF 2.0 is intended, according to the agency's press release, to serve as a comprehensive guide in key areas of cybersecurity, offering advantages for both organizations and general users. With CSF 2.0, NIST aims to change the perception of cybersecurity from an expense to a comprehensive investment in protection and operational continuity.
The CSF was originally marketed to critical infrastructure organizations; however, it has undergone significant expansion in its utility and applicability. NIST stresses that CSF version 2.0 is designed to assist all organizations, regardless of industry, size, or level of security sophistication, in reducing risks associated with cybersecurity.
Based on input received during the review of the CSF 2.0 draft, NIST has expanded core guidance and developed additional resources to support organizations in the comprehensive implementation of the framework. This new version supports the US National Cybersecurity Strategy and is structured around six core areas: identify, protect, detect, respond, recover, and govern. The governance function, introduced with this update, was considered central.
"The addition of the governance function provides a vital piece that was previously missing from the NIST cybersecurity framework, important for critical elements such as risk management," said Robert Booker, Chief Strategy Officer at HITRUST, a NIST collaborator in the development of CSF 2.0.
Benefits for CSF 2.0 users include access to implementation examples and quick-start guides tailored to their specific operational needs. In addition, the framework offers a searchable reference catalog, making it easier for organizations to cross-reference its guidance against more than 50 relevant cybersecurity documents. It is also available in more than a dozen languages, expanding its reach.
"The CSF has been a vital tool for many organizations, helping them anticipate and address cybersecurity threats," says Laurie E. Locascio, Director, NIST. "CSF 2.0, which builds on previous versions, is not just a document. It is a set of resources that can be customized and used individually or in combination over time as an organization's cybersecurity needs change and its capabilities evolve."
Katherine Ledesma, Head of Public Policy and Government Affairs at industrial cybersecurity firm Dragos, noted the importance of CSF 2.0 for organizations with industrial control systems (ICS) and operational technology (OT) systems. She highlighted how this framework transforms the conversation around cybersecurity from viewing it as a cost center to seeing it as an investment that supports not only protection, but also the ongoing functioning of business operations, especially in environments such as ICS and OT.
"While CSF 2.0 identified that the roles, categories and subcategories should be broad enough to apply to both IT and OT environments, as the dialogue around the CSF and related guidance continues, we will see specific attention paid to the different approaches needed to protect ICS/OT, given the unique purposes and risks of those types of systems. This includes continuing to update documents such as the OT Security Guidance, as well as incorporating these concepts into broader planning and guidance documents," Ledesma added.








