NIST Cybersecurity Framework Gets ‘Significant Update’

For this week’s post, I found an interesting article about the National Institute of Standards and Technology (NIST) and how it is currently in the process of making some significant updates to the Cybersecurity Framework (CSF) that we discussed in class this week.

First, a short history of the revision cycles of the CSF: the original framework (CSF 1.0) was published back in 2014. These standards typically go through a revision process every three to five years. As such, NIST CSF 1.1, which only included some minor modifications and changes, was published in 2018. In 2022, a Request for Information (RFI) was sent out to industry about changes to the framework, and the responses were very clear that a major revision to the CSF needs to take place. Over 130 responses came back, and in April 2023 a draft version of CSF 2.0 was released for comments.

CSF 2.0 updates will cover vital areas such as supply chains and cybersecurity governance, which have been important topics of conversation over the past few years. Other areas include “cybersecurity measurement and assessment,” which the industry has struggled with since the original CSF was published. Finally, the CSF will now include privacy risk management concepts.

As far as final drafts of CSF 2.0 go, NIST has stated that it will continue to provide drafts for comments, and the final published version has been targeted for release in early 2024.