Cybersecurity Framework 2.0

Kaitlyn ClarkeAPEX Accelerator

By Thomas Gerke, Utah APEX Accelerator Consultant
Credit: Phil Muncaster UK /EMEA News Reporter, Infosecurity Magazine

The U.S. National Institute of Standards and Technology (NIST) released a new draft version of its popular best practice security framework. It is designed to expand its scope and provide more guidance on implementation.

While following NIST 800-171 is mandatory for organizations to be eligible for Department of Defense (DOD) ocontracts, NIST Cybersecurity Framework (CSF) compliance is voluntary. However, following NIST CSF guidelines will ensure your business meets cybersecurity standards and best practices. 

The NIST Cybersecurity Framework 2.0 guidance guides industry, government agencies, and other organizations to reduce cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or maturity, to better understand, assess, prioritize, and communicate its cybersecurity efforts. 

The framework does not prescribe how outcomes should be achieved. Instead, it refers to resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. This document explains Cybersecurity Framework 2.0 and its components and describes how it can be used.

It is the first refresh since its 2014 launch designed to help organizations “understand, reduce and communicate about cybersecurity risk,” according to NIST.  

“With this update, we are trying to reflect current usage of the Cybersecurity Framework and to anticipate future usage as well,” said the framework’s lead developer, Cherilyn Pascoe. “The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere, from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”

Version 2.0 expands the framework’s scope from critical infrastructure to all organizations regardless of type or size. Its official name is now the CSF rather than the ”Framework for Improving Critical Infrastructure Cybersecurity.”

NIST has added an extra pillar to the CSF. Alongside identifying, protecting, detecting, responding, and recovering now comes “governing.” This pillar emphasizes “cybersecurity is a major source of enterprise risk” and helps organizations better devise and execute decisions to support security strategy.

Additionally, the new draft is designed to feature improved and expanded guidance on implementing the CSF using profiles covering specific sectors and use cases. The NIST hopes this draft version will help smaller organizations use the framework effectively.

Although no further draft will be released, NIST encourages anyone with recommendations to respond with comments by Nov. 4, 2023.