NIST plans a significant update to the NIST Cybersecurity Framework (CSF) this summer. It recently published a discussion draft that includes planned updates to the Core elements of the framework, based on feedback from industry. The discussion draft is a preliminary document, released to improve transparency and to encourage discussion ahead of the complete draft.
NIST received many written responses and suggestions to its RFI call earlier this year, including a response from Centraleyes.
NIST is currently seeking feedback on whether the cybersecurity outcomes detailed in the discussion draft fully address the current challenges faced by organizations.
As per the recently published discussion draft, the Discussion Core focuses on:
- Cybersecurity outcomes applicable to all organizations, removing language specific to critical infrastructure across the Core;
- The prevention of cybersecurity incidents through outcomes focused in the Govern, Identify, and Protect Functions;
- The detection of and response to incidents through the Detect, Respond, and Recover Functions;
- Cybersecurity governance through a new Govern Function covering organizational context, risk management strategy, policies and procedures, and roles and responsibilities;
- Cybersecurity supply chain risk management outcomes;
- Continuous improvement through a new Improvement Category in the Identify Function;
- Leveraging the combination of people, processes, and technology to secure assets across all Categories in the Protect Function;
- The resilience of technology infrastructure through a new Protect Function Category; and
- Cybersecurity incident response management, including the importance of incident forensics, through new Categories in the Respond and Recover Functions.
Expected Changes to the CSF
Broader Use and Expanded Scope
To “embrace and enhance its broader use,” the scope of CSF 2.0 will cover all organizations across government, industry, and academia, including, but not limited to, critical infrastructure.
Emphasis on SMBs
NIST will place added emphasis on ensuring that the CSF 2.0 framework is adaptable and helpful to a wider range of organizations, regardless of sector, type, or size.
NIST will prioritize exchanges with foreign governments and continue to encourage foreign entities to provide input on potential changes to the framework.
CSF Mappings to Other Frameworks
NIST states that it would like to work with the community to “encourage and enable the production of mappings that support the CSF 2.0.”
New Govern Function
The proposed Govern Function is described as “crosscutting”: it will inform and support the other Functions, and it will make clear that governance practices inform the prioritization and implementation of each of the current Functions.
Supply Chain Risk Management
The new framework will, for the first time, place significant emphasis on supply chain risk management, assisting and encouraging businesses to address third-party risks of all kinds, including those posed by non-technology supply chains and cloud computing as well as by computers, software, and networking hardware.
As the cybersecurity policy landscape changes, you can trust Centraleyes to keep your compliance programs up to date with the CSF and other regulatory and voluntary security objectives.