NIST CSF 2.0 concept paper seeks additional input on structure, direction ahead of draft release

The National Institute of Standards and Technology (NIST) released on Thursday a concept paper seeking additional input on the structure and direction of the Cybersecurity Framework (CSF) before crafting a draft of CSF 2.0. The paper delves into the changes NIST is considering for the development of CSF 2.0, some of which have been suggested to be more substantial. The planned modifications are based on a large amount of input received so far, including the NIST Cybersecurity Request for Information (RFI) and the inaugural workshop concerning CSF 2.0.

Feedback and comments should be directed to the NIST by Mar. 3, 2023. NIST CSF 2.0’s website will make all pertinent remarks, along with attachments and other related documentation, accessible for public viewing. No personal, sensitive, or confidential information should be included, and any comments that contain inappropriate language will not be accepted. The concept paper’s proposed amendments will be debated in the upcoming virtual CSF 2.0 workshop on Feb. 15, 2023, and further discussed at the CSF 2.0 physical working sessions to be held on Feb. 22 to 23.

After carefully analyzing the feedback on this concept paper and taking into account the outcomes of the workshops, NIST plans to release a draft version of Cybersecurity Framework 2.0 for public review in the coming months; the draft will be open for comment for 90 days.

Reflecting the wider usage of the term, CSF 2.0 will be known as the ‘Cybersecurity Framework’ instead of its original name ‘Framework for Improving Critical Infrastructure Cybersecurity.’ The scope of CSF 2.0 will cover all organizations across government, industry, and academia, including but not limited to critical infrastructure. References to critical infrastructure in the CSF may be maintained as examples, but the framework text will be reviewed for broad applicability. 

Responding to the community’s feedback and Congressional direction, NIST will increase its efforts to ensure the framework is helpful to organizations, irrespective of sector, type, or size when it comes to addressing cybersecurity challenges and encourages all interested parties to participate in the process, the concept paper added.

The RFI responses called for increased international collaboration and engagement as an important theme for the CSF 2.0 update, NIST said. Since the launch of the CSF’s development in 2013, many organizations have made it clear that international use of the CSF would improve the efficiency and effectiveness of their cybersecurity efforts. 

“To facilitate international collaboration and engagement, NIST will prioritize exchanges with foreign governments and industry as part of CSF 2.0 development. NIST will continue to engage directly and through interagency partnerships to share the benefits of CSF use, as well as to solicit input on potential changes, so that the CSF can continue to be recognized as an international resource,” the concept paper said. “NIST will also prioritize working with organizations to develop translations of CSF 2.0 in conjunction with its development, building on prior efforts to translate CSF 1.1 and relevant resources.”

The concept paper said that CSF 2.0 will remain a framework, providing context and connections to existing standards and resources. NIST aims to maintain the current level of detail and specificity in CSF 2.0 so that it stays scalable and adaptable for use by a variety of organizations. The framework will continue to offer a uniform organizing structure for multiple approaches to cybersecurity by leveraging and connecting to, rather than replacing, globally recognized standards and guidelines.

The concept paper also says CSF 2.0 will relate the CSF clearly to other NIST frameworks and will use the Cybersecurity and Privacy Reference Tool to host the online CSF 2.0 Core, which offers a consistent machine-readable format and user interface for accessing reference data. It will also use updatable, online informative references, with further mappings, especially to sector-specific standards or specific use cases; such mappings can also be found in CSF sample profiles and NIST publications, such as the Cybersecurity Practice Guides (SP 1800 series) published by the National Cybersecurity Center of Excellence (NCCoE).

The NIST CSF 2.0 concept paper said that it will use informative references to provide more guidance on implementing the CSF. By deploying online references, the CSF can be mapped to more specific resources that provide additional guidance, such as those for securing controlled unclassified information, cloud computing, Internet of Things (IoT) and operational technology (OT) cybersecurity, zero trust architecture (ZTA), and more. The framework will also remain technology- and vendor-neutral, while reflecting changes in cybersecurity practices.

The concept paper said that CSF 2.0 and companion resources will include updated and expanded guidance on framework implementation. It will add implementation examples for CSF subcategories, develop a CSF profile template, and improve the CSF website to highlight implementation resources. 

NIST said that CSF 2.0 will emphasize the importance of cybersecurity governance. Reflecting substantial input to NIST, CSF 2.0 will include a new ‘Govern’ function to emphasize cybersecurity risk management governance outcomes and improve the discussion of the relationship to risk management. 

CSF 2.0 will emphasize the importance of cybersecurity supply chain risk management (C-SCRM). On expanding coverage of supply chain security, NIST revealed that RFI respondents agreed that cybersecurity risks in supply chains and third parties are a top risk across organizations. While respondents largely agreed that NIST should not develop a separate framework to address these risks, they were mixed on how this concern should be addressed in the CSF update.

NIST believes CSF 2.0 should include additional C-SCRM-specific outcomes to provide additional guidance to help organizations address these distinct risks. NIST invites feedback as to how best to address C-SCRM in CSF 2.0. Options may include further integrating C-SCRM outcomes throughout the CSF Core across functions, creating a new function focused on outcomes related to oversight and management of C-SCRM, or expanding C-SCRM outcomes within the current ID.SC category in the Identify function.

CSF 2.0 will advance understanding of cybersecurity measurement and assessment. The RFI responses indicate that respondents seek additional CSF guidance and resources to support measurement and assessment of an organization’s use of the CSF.

CSF 2.0 will make clear that by leveraging the CSF, organizations have a common taxonomy and lexicon to communicate the outcome of their measurement and assessment efforts, regardless of the underlying risk management process. Across all organizations, a primary goal of cybersecurity measurement and assessment is to determine how well they are managing cybersecurity risk, and if and how they are continuously improving. The activities supporting measurement and assessment are inputs to determining maturity and supporting risk management decisions.

Each organization’s risks, priorities, and systems are unique, so the methods and actions used to achieve the outcomes described by the Framework Core vary. As such, the measurement and assessment of outcomes vary depending on the context. Because there is no single approach to measuring and assessing use of the CSF, NIST will not put forward a single assessment approach in CSF 2.0, preserving flexibility in how organizations may implement the framework.

NIST also encourages organizations to share information with the agency about how they are using the CSF to measure and assess their cybersecurity. In addition, NIST encourages organizations to share information about their use of CSF Tiers. Relevant use cases could be incorporated into the CSF or provided as separate resources for additional implementation guidance.

The NIST CSF 2.0 concept paper was released in the same week that two key European Union (EU) directives on critical and digital infrastructure came into force on Jan. 16, strengthening the region’s resilience against online and offline threats, from cyberattacks to crime, risks to public health, and natural disasters. The directives are the NIS 2 Directive, covering measures for a high common level of cybersecurity across the Union, and the Critical Entities Resilience (CER) Directive, which widens the scope of resilience requirements across critical sectors and brings about more unified cybersecurity rules in the region.
