What We Know So Far About the NIST Cybersecurity Framework 2.0
Frameworks are an effective tool in cybersecurity because of the complexity of cybersecurity challenges and because so many organizations have so little structure to their cybersecurity operations.
Introduced in 2014, the NIST Cybersecurity Framework (CSF) gives companies concrete steps to organize and improve the security of IT systems. However, eight years is a lifetime in cybersecurity, and the CSF is due for a major update. What’s going to change in CSF 2.0, and how far away are we from a new framework?
In this article, we’ll look at the responses to NIST’s request for information (RFI) and discuss the next steps.
Why Does the CSF Require a Refresh?
Right from version 1.0, the NIST Cybersecurity Framework was meant to be a document that adjusts to the changing cybersecurity landscape, so it’s no surprise that change is finally underway – even if it’s somewhat overdue.
The last update was in April 2018, to CSF 1.1, and that was a minor update. The main elements of the CSF remained in place, including its core “functions”: identify, protect, detect, respond, and recover. However, version 1.1 broadened the applicability of the framework to include the Internet of Things (IoT) and Operational Technology (OT). The 1.1 update also placed a bigger emphasis on supply chain security.
Nearly four years later, it was clear that the CSF needed a major revamp to reflect a changing technology and security environment. So, on February 22, 2022, NIST issued an RFI to the public. It generated 130 responses, and in June NIST published a summary.
The Proposal So Far
NIST identified several key themes based on the 130 responses, and it’s interesting to note that the first few themes tended to illuminate just how effective the first version of the Cybersecurity Framework was. “RFI respondents highlighted numerous ways in which the CSF has been effective in helping organizations understand and manage cybersecurity risks…”, according to NIST.
Respondents requested that the focus stay on building out the existing key attributes of the CSF, and that the CSF align better with NIST’s broader efforts (e.g. more mappings with OLIR) and the efforts of external organizations (e.g. ISO 27000).
Organizations also wanted the framework to include more implementation guidance, because the technology- and vendor-neutral stance of CSF 1.0 and 1.1 led to a lack of detail and specificity.
Another key theme was a greater emphasis on performance evaluation. Stakeholders asked NIST to provide guidance on measurements and metrics to benchmark cybersecurity risk, and to measure the degree to which CSF outcomes were attained.
Consideration of supply chain risks also surfaced in the feedback. Respondents wanted guidance on managing supplier relationships, tools to analyze risk in supply chains, and a model that helps guide organizations in countering supply chain risk.
Next Steps for CSF 2.0
The NIST summary analysis is just a starting point, and we don’t yet know how NIST will respond to the proposals in CSF 2.0, though it does indicate in which direction the wind is blowing.
NIST said relatively little about the roadmap to publishing version 2.0, with the latest major step being a September workshop. Nonetheless, it appears as if version 2.0 is well underway, including through discussions with numerous stakeholders.
With no draft for CSF 2.0 and no deadline for the final version, you might say that there’s nothing else you can do other than wait for a new version to be published – but you’d be wrong.
The cybersecurity world has moved on since 2014, and while the NIST framework from 2014 still holds valuable lessons, your cybersecurity regime needs to continuously adapt.
The comments on the NIST consultation process offer a degree of guidance, but as a cybersecurity team tasked with keeping your organization’s assets safe, you should focus on adapting to trends by doing your own monitoring and research.
Always Monitor the Landscape
Think about changes to the attack surface, for example. In 2014, remote working was much less of a cybersecurity factor than it is in 2022. We’ve also seen a whole range of new cybersecurity tools emerge in the last decade or so, some of which are true game changers.
One of TuxCare’s key services, live patching, is one of the tools that would probably have had just a cursory mention in a cybersecurity framework written in 2014. Today, of course, live patching is a powerful component in any modern organization’s cybersecurity toolset.
Staying ahead of the game has always been critical to successfully defending technology assets. We expect NIST CSF 2.0 to be a big step forward in the fight against cybercriminals. In the meantime, keep an eye on the cybersecurity landscape and make sure your organization uses cutting-edge tools, including live patching.