The National Institute of Standards and Technology (NIST) has unveiled a draft version of Cybersecurity Framework (CSF) 2.0 after meticulously considering more than a year’s worth of insights from the community. This upgraded rendition of the world’s leading cybersecurity guidance, initially introduced in 2014 to aid organizations in understanding, mitigating, and discussing cybersecurity risks, has been carefully redesigned to align seamlessly with today’s dynamic cybersecurity landscape.
Cherilyn Pascoe, the lead developer of the framework at NIST, explained, “With this revision, we’re seeking to harmonize the Cybersecurity Framework with its current usage while also anticipating its future applications. Originally tailored for critical sectors like finance and energy, the CSF has proven its value across a broad spectrum, encompassing educational institutions, small businesses, and both local and international governments. We’re aiming to make it universally valuable, transcending the boundaries of being exclusively for critical sectors.”
The draft version of the framework is open for public input until November 4, 2023. NIST does not have plans for further drafts. A workshop will be announced in the upcoming fall season, providing an additional avenue for the public to share feedback and insights on the draft. The finalized CSF 2.0 is anticipated to be released in early 2024.
The CSF encapsulates actionable steps that can be seamlessly integrated into cybersecurity strategies tailored to meet specific organizational needs. Over the past decade since its inception, the CSF has been downloaded by over two million users across 185 countries and translated into at least nine languages.
While responses to NIST’s inquiry in February 2022 underscored the enduring effectiveness of the CSF in reducing risks, many contributors suggested an update to accommodate technological advancements and the swiftly evolving threat landscape. Pascoe highlighted, “Numerous commentators emphasized the need to preserve and enhance the CSF’s core attributes, including its adaptability and voluntary nature. Simultaneously, there was a notable demand for more nuanced guidance on implementing the CSF to address emerging cybersecurity concerns, such as supply chain vulnerabilities and the widespread ransomware threat. Given that these challenges affect many entities, including small businesses, we recognized the need for an elevated approach.”
Pascoe strongly encouraged individuals to contribute feedback and comments on the updated CSF draft before the November 4 deadline, affirming, “This presents a golden opportunity for users to lend their perspectives to the evolution of CSF 2.0. If you haven’t engaged, now is the perfect moment to join in.”