As the National Institute of Standards and Technology (NIST) updates its Cybersecurity Framework (CSF), it plans to hold a series of workshops and release at least one more draft for public comment before releasing CSF 2.0, according to a NIST blog.
NIST first released its CSF in 2014 before updating it in 2018. The agency released a request for information (RFI) in February to get comments on how to further update and revamp the framework. According to the blog, the RFI received 134 comments as of the blog’s publication on June 3.
“The comments in response to the RFI will drive multiple efforts at NIST; they covered important issues like cybersecurity risk management, supply chain cybersecurity, cybersecurity metrics, privacy, and emerging technologies – which overlap nicely with NIST’s cybersecurity and privacy program priority areas,” CSF Program Manager Cheri Pascoe wrote.
“The comments will inform improvements to the CSF, as well as guide our efforts under the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), our recently launched public-private partnership to build on our efforts in supply chain cybersecurity,” Pascoe continued.
As NIST looks to publish CSF 2.0, Pascoe said that the agency plans to hold multiple workshops both virtually and in-person over the next year. The blog said the workshops will be another opportunity for attendees to help NIST identify specific updates to the NIST CSF.
NIST said the public comments share overarching themes and that each falls into one of seven categories. Respondents commented that NIST should:
- “Focus on maintaining and building on the key attributes of the CSF with the update;”
- “Align the CSF with existing efforts by NIST and others;”
- “Offer more guidance for implementing the CSF;”
- “Ensure the CSF remains technology neutral but allows it to be readily applied to different technology issues – including new advances and practices;”
- “Emphasize the importance of measurement, metrics, and evaluation in using the CSF;”
- “Consider cybersecurity risks in supply chains in the CSF;” and
- Use the NIICS “to align practices and provide effective practices, guidance, and tools to bolster cybersecurity supply chain risk management.”
While Pascoe did not give a timetable for the release of NIST CSF 2.0, the blog says that NIST intends to publish “at least” one draft for public input before finalizing the updated framework.