NIST on Monday announced the official release of version 2.0 of its Cybersecurity Framework (CSF), the first major update since its creation a decade ago.
The cybersecurity framework was originally aimed at critical infrastructure organizations, but it has been widely used and widely recommended and NIST highlighted that CSF 2.0 is designed to help all organizations reduce risks, regardless of sector, size, or level of security sophistication.
Based on the feedback it received on the draft of the Cybersecurity Framework 2.0, NIST expanded the core guidance and created additional resources to help organizations use the CSF to its full potential.
The CSF 2.0 supports implementation of the National Cybersecurity Strategy and it’s organized around six key areas: identify, protect, detect, respond, recover and govern. The govern function was introduced with this major update of the CSF.
“The addition of the Govern function provides a vital and previously missing piece to the NIST Cybersecurity Framework, important to critical elements such as risk management,” Robert Booker, chief strategy officer at HITRUST, a contributor to the development of CSF 2.0, said via email.
[ Read: Using the Full NIST Cybersecurity Framework for the Win ]
Users are provided implementation examples and quick-start guides that are tailored to their specific needs.
The CSF 2.0 also offers a searchable catalog of references that enables organizations to map guidance to over 50 other relevant cybersecurity documents.
The first major version of NIST’s cybersecurity framework is available in over a dozen languages and volunteers from around the world will likely translate CSF 2.0 as well.
“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” said NIST Director Laurie E. Locascio. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
Katherine Ledesma, head of public policy & government affairs at industrial cybersecurity firm Dragos, has made some interesting comments on the implications and benefits for organizations with industrial control systems (ICS) and operational technology (OT) systems.
“Similar to the National Cybersecurity Strategy released last year, the CSF 2.0 continues to move the conversation from cybersecurity investment as a cost center to cybersecurity investment as a way not only to protect but also support business operations, particularly when it comes to ICS and OT cybersecurity. This is important to manufacturing facilities that need to maintain safe, continuous operation, as well as for electric or water utilities that need to provide reliable, essential services to communities,” Ledesma told SecurityWeek.
“Although the CSF 2.0 identified that functions, categories, and subcategories are intended to be broad enough to apply to both IT and OT environments, as the dialogue around the CSF and related guidance continues, we will see specific attention paid to the distinct approaches needed to protect ICS/OT, given the unique purposes of and risks to those types of systems. This includes continuing to update documents such as the Guide to OT Security, and also incorporation of these concepts into broader planning and guidance documents,” Ledesma added.
