NIST finalizes Cybersecurity Framework updates

The latest version of NIST's Cybersecurity Framework includes new information on governance, supply chain risks and more.

The National Institute of Standards and Technology is out with a major update to its landmark Cybersecurity Framework.

But the key changes in “CSF 2.0” aren’t major shifts in cybersecurity best practices. Instead, officials point out that the new document reflects the broad use of the framework across different industries and technologies, as well as the deepening push to regulate cybersecurity in many sectors.

NIST released the CSF 2.0 today, culminating a two-year effort to update a framework that was first published in 2014.

The document retains the five “core” functions that have been mainstays of the framework for the past decade: identify, protect, detect, respond and recover. Those functions, for instance, form the basis of the Federal Information Security Modernization Act (FISMA) metrics that agencies are graded upon every year.

But CSF 2.0 now includes a sixth “govern” function aimed at making sure senior leaders account for cybersecurity risks the same way they do for financial or reputational concerns.

During an event at the Aspen Institute in Washington today, NIST Director Laurie Locascio said the standards agency received numerous comments about how the CSF needed a section on approaching cybersecurity at a strategic level.

“Govern really represents the fact that we have to bring this into the boardroom for discussion,” Locascio said. “It’s recognized now that cybersecurity is such an important enterprise risk. And so it should has to be managed at that level.”

The new focus on governance also reflects the growth of cybersecurity requirements and regulations across different sectors. Cherilyn Pascoe, director of NIST’s National Cybersecurity Center of Excellence, pointed out that the CSF is now used as a baseline for many regulatory schemes.

“That is one thing that we heard quite a bit from those that submitted comments, is the need to harmonize this growing suite of cybersecurity regulations around the CSF,” Pascoe said. “And even today, we talked about the CSF being voluntary, but we’re increasingly seeing it mentioned in regulations, in federal grants and different incentive programs and state legislations. So the landscape around the CSF is changing as well.”

The cybersecurity framework’s new governance section addresses issues around roles and responsibilities, policy and oversight. It also includes new details on a common challenge for agencies and industry alike: cyber supply chain risk management.

Pascoe said the governance section is aimed at helping organizations “better understand the cybersecurity risk tolerances and appetites of their senior leadership, of their customers, of their regulators, so that they can understand kind of what strategy and steps they should take to address their risks.”

Cybersecurity Framework implementation

Whether required or voluntary, many organizations have also had questions about how to implement the CSF, NIST officials said. The 2.0 framework includes implementation examples, mapping tools, and “quick start guides.” The guides are designed for specific users like small businesses, enterprise risk managers, and organizations interested in supply chain risk management.

Pascoe said NIST has also developed “community profiles” that detail what it means to implement the cybersecurity framework in specific sectors.

“We’ve got profiles in space systems, in electric vehicles, in liquefied natural gas,” Pascoe said. “We’ve done a lot of these in coordination with relevant federal agencies that oversee a particular sector.”

The NIST Cybersecurity Center of Excellence is now focused on helping organizations implement the CSF 2.0 to meet their specific requirements. For example, Pascoe said the center is working with 24 technology vendors to build different examples of “zero trust” security architectures.

“As part of that work, we’re mapping the ZTA principles as well as the security characteristics of each of those products back to the CSF,” Pascoe said. “So you can see how the higher level outcomes that are found in CSF subcategories can be mapped back to security capabilities that are found in products and services that you may acquire. I think that’s really powerful to show really in real life, how an organization might use the CSF.”

AI and cybersecurity

The release of the latest cybersecurity framework comes as NIST is also deeply involved in the Biden administration’s efforts around artificial intelligence. President Joe Biden’s AI executive order directs NIST to develop guidelines, standards, and best practices for AI safety and security.

Locascio said NIST’s existing “AI Risk Management Framework” ties to the cybersecurity framework, as do other key publications, including the agency’s privacy framework. She said the goal is for the different publications to be interoperable, as organizations navigate the intersection of cybersecurity, privacy, AI and other technological complexities.

“We don’t want people to be confused as they’re using our frameworks,” Locascio said. “We wanted them to feel like this is something they kind of get. And so we think about that interoperability. And we also think about how we need to make sure there are pointers when they’re necessary.”

Copyright © 2024 Federal News Network. All rights reserved.
