The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) is asking for feedback on an updated risk management framework draft that will steer the future of the agency’s ransomware prevention guidance.
The draft put out today by NCCoE includes changes made from NIST’s Cybersecurity Framework (CSF) 1.1 to CSF 2.0 – which identifies security objectives that cover managing, detecting, responding to, and recovering from ransomware events.
The public comment period is open through March 14, 2025. Responses can be submitted to ransomware@nist.gov.
CSF was first published in 2014, with the latest version, CSF 2.0, published at the beginning of last year. The voluntary framework provides detailed guidance and recommendations on a wide range of cybersecurity topics.
“Ransomware can attack organizations of all sizes from any sector,” said NCCoE of the new draft document. “[Organizations] can use this publication to gauge your organization’s readiness to counter ransomware threats, mitigate potential consequences of a ransomware event, and to develop a ransomware countermeasure playbook.”
The new ransomware document highlights the six CSF functions used to organize categories: govern, identify, protect, detect, respond, and recover, reflecting the same categories used in CSF 2.0. It also includes basic ransomware tips that organizations can act on now to protect against and recover from ransomware threats, a table that identifies categories and subcategories from CSF 2.0 that are relevant to mitigating ransomware risk, a call for patent claims, and additional ransomware resources from NIST.
Questions posed to respondents ask which elements of the document are helpful and which can be improved; what additional resources are useful; what types of prioritizations are most helpful – such as control baselines, and high, medium, or low criticality; and which other ransomware resources respondents have found useful in improving ransomware risk mitigation strategies.