December 28, 2022 - Tech Evangelist
Frameworks are an effective tool in cybersecurity because of the complexity of cybersecurity challenges and because so many organizations have so little structure to their cybersecurity operations.
Introduced in 2014, the NIST Cybersecurity Framework (CSF) gives companies concrete steps to organize and improve the security of IT systems. However, eight years is a lifetime in cybersecurity, and the CSF is due for a major update. What’s going to change in CSF 2.0, and how far away are we from a new framework?
In this article, we’ll look at the responses to the NIST’s request for information (RFI) and discuss the next steps.
Right from version 1.0, the NIST Cybersecurity Framework was meant to be a document that adjusts to the changing cybersecurity landscape, so it’s no surprise that change is finally underway – even if it’s somewhat overdue.
The last update was in April 2018, to CSF 1.1, and that was a minor update. The main elements of CSF remained in place, including its core “functions”: identify, protect, detect, respond, and recover. However, version 1.1 broadened the applicability of the framework to include the Internet of Things (IoT) and Operational Technology (OT). The 1.1 update also placed a bigger emphasis on supply chain security.
Nearly four years later, it was clear that the CSF needed a major revamp to reflect a changing technology and security environment. So, on February 22, 2022, NIST issued an RFI to the public. It generated 130 responses, and in June NIST published a summary.
NIST identified several key themes based on the 130 responses, and it’s interesting to note that the first few themes tended to illuminate just how effective the first version of the Cybersecurity Framework was. “RFI respondents highlighted numerous ways in which the CSF has been effective in helping organizations understand and manage cybersecurity risks…”, according to NIST.
Respondents requested that the focus stay on building out the existing key attributes of the CSF, and that the CSF align better with NIST’s broader efforts (e.g. more mappings with OLIR) and with the efforts of external organizations (e.g. ISO 27000).
Organizations also wanted the framework to include more implementation guidance, because the technology- and vendor-neutral stance of CSF 1.0 and 1.1 led to a lack of detail and specificity.
Another key theme was placing a greater emphasis on performance evaluation. Stakeholders asked NIST to provide guidance on measurements and metrics to benchmark cybersecurity risk, and to measure the degree to which CSF outcomes were attained.
Consideration of supply chain risks also surfaced in the feedback. Respondents wanted guidance on managing supplier relationships, tools to analyze risk in supply chains, and a model that helps guide organizations in countering supply chain risk.
The NIST summary analysis is just a starting point, and we don’t yet know how NIST will respond to the proposals in CSF 2.0, though it does indicate in which direction the wind is blowing.
NIST said relatively little about the roadmap to publishing version 2.0, with the latest major step being a September workshop. Nonetheless, it appears as if version 2.0 is well underway, including through discussions with numerous stakeholders.
With no draft for CSF 2.0 and no deadline for the final version, you might say that there’s nothing else you can do other than wait for a new version to be published – but you’d be wrong.
The cybersecurity world has moved on since 2014, and while the NIST framework from 2014 still holds valuable lessons, your cybersecurity regime needs to continuously adapt.
The comments on the NIST consultation process offer a degree of guidance, but as a cybersecurity team tasked with keeping your organization’s assets safe, you should focus on adapting to trends by doing your own monitoring and research.
Think about changes to the attack surface, for example. In 2014, remote working was much less of a cybersecurity factor than it is in 2022. We’ve also seen a whole range of new cybersecurity tools emerge in the last decade or so, some of which are true game changers.
One of TuxCare’s key services, live patching, is one of the tools that would probably have had just a cursory mention in a cybersecurity framework written in 2014. Today, of course, live patching is a powerful component in any modern organization’s cybersecurity toolset.
Staying ahead of the game has always been critical to successfully defending technology assets. We expect NIST CSF 2.0 to be a big step forward in the fight against cybercriminals. In the meantime, keep an eye on the cybersecurity landscape and make sure your organization uses cutting-edge tools, including live patching.