NIST Seeks Public Comments on Cybersecurity Framework Update

The National Institute of Standards and Technology is seeking feedback on a draft of the Cybersecurity Framework 2.0, the successor to a 2014 document meant to help organizations understand, address and communicate about cyber risks. NIST intends for the new version to reflect changes in the field and simplify implementation.

Cherilyn Pascoe, the CSF 2.0’s lead developer, explained that the guidance has helped non-critical sectors despite originally being designed for industries such as banking and energy. She said the update is intended to anticipate future usage in addition to current usage.

Interested parties can submit feedback until Nov. 4. A subsequent draft is not planned, and a workshop is expected to be held later in 2023 to field additional comments from the public.

The final version of the CSF 2.0 will be released in early 2024, NIST said.

Jen Easterly, Cybersecurity and Infrastructure Security Agency director and a 2023 Wash100 winner, welcomed the proposed update, noting that it would support her organization’s efforts to promote secure-by-design principles in products acquired by the government.

She added that the framework has supported the establishment of cybersecurity programs that align with risk tolerance standards and facilitated clear communications about complex topics.