The NIST Cybersecurity Framework was meant to be a dynamic document that is continuously revised, enhanced, and updated. These upgrades allow the Framework to keep up with technological and threat developments, incorporate lessons learned, and transform best practices into standard procedures. NIST created the Framework in 2014 and updated it with CSF 1.1 in April 2018.
The National Institute of Standards and Technology (NIST) is planning a new, more significant update to the Framework, CSF 2.0, in response to feedback from stakeholders in order to reflect the ever-evolving cybersecurity landscape and assist organizations in managing cybersecurity risk more efficiently.
A widely adopted framework
NIST CSF is a cornerstone cybersecurity publication and is being adopted and enforced across all sectors and industries, not only in the U.S. but also internationally, with the English version complemented by nine translations. The following perspectives, available on the Framework website, demonstrate the Framework’s importance and acceptance.
“The Cybersecurity Framework was well-aligned with our main objective, which was to establish a common language for communicating cybersecurity risks across the Division.”
Plamen Martinov, CISO, Biological Sciences Division, University of Chicago
“It has helped us explain to people outside information security what we do and to hone our communication skills, especially with the senior leaders of the organization so they can be advocates for us.”
Steffani Webb, Vice Chancellor for Administration, University of Kansas Medical Center
“The NIST Cybersecurity Framework was instrumental in identifying best practices and voluntary measures that can help companies operationalize security risk management and security-by-design.”
Loretta Polk, Vice President & Deputy General Counsel, and Rick Chessen, Senior Vice President Law & Regulatory Policy, NCTA – The Internet & Television Association (NCTA)
“The NIST CSF has served as a superb standard to enable all agencies to be on the same ‘measurement’ page. The majority of California counties have also adopted NIST’s CSF as the appropriate tool for our statewide standard.”
Gary Coverdale, CISO, Napa and Mono Counties, CA
“What the CSF does so well is create an ability to take very complex risk concepts and produce a simplified outcome that can be effectively communicated to a broad group of stakeholders. That creates a more healthy conversation between companies as to how best protect that data.”
Troy Leach, CTO – PCI Council
“Since the NIST Cybersecurity Framework is globally applied, it has helped the Cross-Sector Forum have a shared language among different industry sectors and facilitated our comprehensive discussions between member companies in Japan and their subsidiaries outside Japan.”
Koji Ueno, Chairperson, Japanese Cross-Sector Forum
“A lot of cybersecurity issues are still about raising awareness among people. And that’s really the huge benefit that this Cybersecurity Framework provided to us, because it’s this change of thinking. It’s not thinking of security as a state you can achieve, but it’s a way of thinking of security as a process.”
Daniel Caduff, Deputy Head, ICT Division, Federal Office for National Economic Supply, Government of Switzerland
What does the industry want to improve on CSF 2.0?
NIST has released a Request for Information (RFI) titled “Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management.” The RFI solicited information on the application of the NIST Cybersecurity Framework as well as suggestions for enhancing the Framework’s efficacy and its compatibility with other cybersecurity resources.
By June 2022, NIST had received more than 130 RFI responses, which were analyzed and summarized in a document. Based on a review of the responses, NIST identified seven themes and 25 subthemes. Of these, six themes and 20 subthemes apply to the Cybersecurity Framework. One additional theme and five subthemes apply to the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), recognizing that there may be some overlap with the Framework.
Theme 1: Focus on maintaining and building on the key attributes of the CSF with the update
The key qualities of the CSF, such as its adaptability, simplicity, ease of use, and voluntary nature, have facilitated its adoption by businesses of diverse sizes and industries. Most commenters agreed that NIST should seek to preserve the advantageous characteristics of CSF 1.1 while expanding upon its foundation and enhancing its utility in CSF 2.0.
Theme 2: Align the CSF with existing efforts by NIST and others
The responses to the RFI underscored the need to maintain and improve the CSF’s alignment with other NIST and non-NIST resources and models. While CSF complements multiple current resources from NIST and numerous other sources, it has been suggested that NIST could strengthen and expand these alignments and provide additional direction on how to apply these diverse standards, techniques, procedures, and processes together.
Theme 3: Offer more guidance for implementing the CSF
The CSF was intended to be technology-neutral and applicable across industries. Consequently, the level of complexity and precision in the CSF reflects the scalability and adaptability required to suit the needs of a diverse variety of stakeholders from different sectors. More than 500 references in the comments supported the need for additional information to support CSF implementation, and many users stated a need for greater detail while keeping a non-prescriptive approach. Identifying the appropriate balance between simplicity and detail in CSF updates is a significant takeaway that will require additional debate.
Theme 4: Ensure the CSF remains technology neutral but allows it to be readily applied to different technology issues
Commentators highlighted both the benefits and challenges of the CSF’s vendor- and technology-neutral design. Although technology has developed since the framework’s inception, the CSF functions and outcomes continue to enhance business risk management and cybersecurity program improvement. The advantages of a technology-neutral approach were widely acknowledged, but numerous commentators suggested that modifications may be required to ensure that the CSF update clearly addresses cybersecurity for various types of systems, including IT, OT, IoT, and cloud-based systems. In addition, critics urged that the CSF devote more attention to software security.
Theme 5: Emphasize the importance of measurement, metrics, and evaluation in using the CSF
Multiple stakeholders have expressed the need for greater CSF guidance and resources to enable cybersecurity metrics and measurement. Several described the CSF update as an opportunity to improve the measurement of cybersecurity risk management. Some comments sought more detailed information on how to measure CSF outcome attainment. Others requested that the CSF (or supplementary materials) contain suggested metrics and examples. In the responses to the RFI, monitoring an entity’s performance in building and enhancing a cybersecurity program was identified as a critical need.
Theme 6: Consider cybersecurity risks in supply chains in the CSF
The majority of responses supported including more references to supply chain risk management in the revised CSF. Many participants considered the need for a new supply chain-specific framework and advised expanding and enhancing the CSF rather than developing a new model to meet this need. The comments requested that NIST produce more advice and reference materials to assist businesses in addressing supply chain risks.
Theme 7: Use NIICS to align practices and provide effective practices, guidance, and tools to bolster cybersecurity supply chain risk management
Finally, comments on cybersecurity concerns in supply chains assisted NIST in defining the scope of NIICS. The significance of cybersecurity supply chain risk management (C-SCRM) was widely acknowledged by respondents, particularly in light of recent security incidents. Numerous companies, especially small businesses, appreciate the significance of C-SCRM but are resource-constrained; therefore, a centralized hub for guidance, templates, tools, and information exchange would be quite beneficial.
During the first workshop on the NIST CSF update, Chris Inglis, National Cyber Director, offered three framing thoughts, which will serve as the conclusion to this article.
“First, we need to put cyber in its proper place. Cyberspace, digital infrastructure, or the Internet of Everything does not exist for its own sake. It is the foundation of everything we do. Like any critical asset, it is important to invest across the entire life cycle of its existence. In the lexicon of the business world, cyber considerations should be motivated by capital expenditures, not response or operational expenditures.
Second, the original NIST Framework was as much about reframing doctrine as it was about collecting and organizing the details of contemporary practice. The original doctrine introduced the premise that we can and must determine a system’s intended use, its essential characteristics upfront so we might be better able to deliver and sustain those characteristics, and more importantly, our ability to sustain those functions that are dependent on those systems in the face of threats that range from natural to man-made. It serves to this day as a foundational doctrine and a useful framework for resilience by design, for proactively defending defensible systems and employing all remedies and resources to sustain desired functionality through various failure modes.
Point three. The initiative we are kicking off today builds on those best practices while shoring up the collective efforts that will sustain and power them into the future.”