The National Institute of Standards and Technology (NIST) on April 24 released a much-anticipated draft of the core portion of version 2.0 of the agency’s Cybersecurity Framework (CSF).
The framework – first published in 2014 and last revised as version 1.1 in 2018 – has become a widely used voluntary framework throughout government and the private sector for managing organizational cybersecurity risk, drawing on a range of existing standards, guidelines, and practices.
The core portion of the draft framework released this week focuses on, among other items, the “potential Functions, Categories, and Subcategories” that the agency has been working on in developing the new cybersecurity framework.
“It is intended to increase transparency of the update process and promote discussion to generate concrete suggestions for improving the Framework,” NIST said.
The draft proposes significant changes from the current CSF version 1.1, including in the following areas:
- Cybersecurity outcomes applicable to all organizations, removing language specific to critical infrastructure across the Core;
- The prevention of cybersecurity incidents through outcomes in the Govern, Identify, and Protect Functions, and the detection of, response to, and recovery from incidents through the Detect, Respond, and Recover Functions;
- Cybersecurity governance through a new Govern Function covering organizational context, risk management strategy, policies and procedures, and roles and responsibilities;
- Cybersecurity supply chain risk management outcomes;
- Continuous improvement through a new Improvement Category in the Identify Function;
- Leveraging the combination of people, process, and technology to secure assets across all Categories in the Protect Function;
- Resilience of technology infrastructure through a new Protect Function Category; and
- Cybersecurity incident response management, including the importance of incident forensics, through new Categories in the Respond and Recover Functions.
The proposed update draws on written responses from industry partners as well as input from other government agencies.
“The modifications from CSF 1.1 are intended to increase clarity, ensure a consistent level of abstraction, address changes in technologies and risks, and improve alignment with national and international cybersecurity standards and practices,” NIST said.
The draft also details the need for more work to be done to “implement the CSF 2.0 Concept Paper, including development of guidance on CSF implementation, the relationship and alignment of the CSF to other NIST and non-NIST resources,” said the agency.
NIST is seeking feedback on the draft, and said that input will inform the “NIST CSF 2.0 draft anticipated to be released for public comment this summer.”