NIST Plans Updates to Cybersecurity Framework
According to NIST, the updates will draw on information gathered from a previous workshop about the forthcoming CSF 2.0 framework and from a request for information published in February 2022. Among the responses that NIST officials want to incorporate are changes to cybersecurity best practices, sector-specific needs and new uses based on framework modifications.
Other potential updates would cover international cybersecurity collaboration, improvements to the CSF website, supply chain coverage and enhanced governance outcomes.
NIST will accept comments on CSF 2.0 until March 3. The agency will also host a virtual workshop on Feb. 13 to allow interested parties to comment on the framework’s development, Nextgov reported Thursday.
NIST plans to retain some elements within existing standards and guidelines to keep the framework scalable and useful to as many organizations as possible.
According to the concept paper for CSF 2.0, the updates are designed to reflect the evolving cybersecurity landscape. NIST will welcome more substantial changes than it did with update 1.1.
CSF was first published in 2014 through Executive Order 13636 as a non-voluntary guide for protecting critical infrastructure networks. It contains standards, guidelines and practices for network protection and uses a flexible, repeatable and cost-effective approach to help owners manage risks more easily.
The first update to the framework was made in 2018. It includes clarifications of key terms, details on self-assessment, better explanations of cyber supply chain risk management, refinements to identity and authentication security and consideration of coordinated vulnerability disclosure.