
NIST to update cybersecurity framework
The National Institute of Standards and Technology (NIST) is moving to update the technology-neutral Cybersecurity Framework (CSF) to provide more guidance on how to address a wider range of requirements.
Specifically, CSF 2.0 will provide additional examples of how to apply the CSF to incident response and recovery, identity management, governance, and supply chain risk management. NIST also plans to map CSF sample profiles to specific standards or use cases, such as a zero-trust IT environment. NIST's current position is that no changes to the framework itself are needed to accommodate zero-trust architecture (ZTA) principles, but it is soliciting comments and review to confirm that view.
NIST does plan to create basic templates for implementing the profiles it defines, to make the framework more accessible to a wider range of organizations, and to provide more guidance on how to measure and assess risk.
Finally, NIST plans to clarify the relationship between CSF and other NIST cybersecurity and privacy frameworks, including the Risk Management Framework, the Privacy Framework, the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity, and the Secure Software Development Framework.
CSF 1.0 was published in 2014, in response to a 2013 executive order, and has received only one minor update (version 1.1, in 2018) in the intervening years, so the need for additional guidance on how the framework applies today is clear. The cybersecurity landscape has changed dramatically in the past decade, starting with the rise of ransomware, cloud computing, and working from home, and, more recently, attacks against software supply chains. NIST has, during that time, created several frameworks to address those specific challenges, and the CSF update is intended to incorporate many of their concepts.
The degree to which organizations find the CSF valuable naturally depends on their overall level of cybersecurity maturity. At the very least, the CSF provides a common lexicon for describing cybersecurity functions and processes. It also gives organizations that lack deep cybersecurity expertise a list of the required processes and functions that is relatively easy to follow. In the absence of such a framework, many valuable hours are wasted making sure security teams from different organizations are talking about the same thing. That shared vocabulary matters more as digital processes extend beyond the boundary of a single organization, which is one reason NIST is now actively seeking suggestions for expanding the framework.
Just as important, the framework provides a forum through which cybersecurity professionals can engage one another. One of the biggest issues organizations encounter today is establishing trust in the age of digital business transformation. Cybersecurity teams that have some familiarity with one another before shared processes are deployed find it much easier to reach the appropriate level of trust.
Regardless of the motivation, cybersecurity teams need both formal and informal lines of communication to improve collaboration. Cybercriminal gangs are more organized than ever, and the only way to combat them effectively is to share intelligence. The CSF may not specifically address that requirement, but it could serve as one important means for achieving a much larger end.
