On February 12, 2014, the US National Institute of Standards and Technology (NIST) issued a landmark document, the Framework for Improving Critical Infrastructure Cybersecurity (CSF). Four years later, NIST issued the CSF 1.1, which included updates on supply chain risk management, vulnerability disclosure, and other rapidly developing issues.
Now, NIST is preparing to release another overhaul of the CSF following the early August release of a draft 2.0 version, developed after NIST issued a request for information (RFI), held two workshops, and requested comments on a core draft.
What is the Framework for Improving Critical Infrastructure Cybersecurity?
Following an executive order (EO) by President Obama, NIST developed the CSF to provide a common language and structure that helps organizations manage, and communicate, how they tackle cybersecurity risk in a systematic way. The CSF has been adopted worldwide by private and public sector organizations. Many US government civilian and military procurement and guidance documents have incorporated the CSF to manage risk, including federal government agency contractor and subcontractor requirements for protecting unclassified information and the implementation guidance for President Biden’s National Cybersecurity Strategy.
NIST has designed the 2.0 draft to expand the use of the CSF, more fully embrace supply chain risk management, update other frameworks and resources, supply implementation guidance, and address cybersecurity measurement and assessment, while adding an entirely new function. The following sections highlight some of these proposed changes to the CSF.
Broader use of the framework
President Obama’s initial EO focused on critical infrastructure, given the significant emerging cybersecurity threats to the nation’s energy and transportation systems and other critical assets without which essential activities could not function. To convey a broader focus more strongly in the US and internationally, NIST is changing the CSF name to its commonly used term, “Cybersecurity Framework,” removing the emphasis on critical infrastructure. The original framework “has proved useful everywhere from schools and small businesses to local and foreign governments,” NIST said in announcing the 2.0 version. “We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”
The new Govern function crosscuts everything
The current NIST CSF “core” consists of five functions: Identify, Protect, Detect, Respond, and Recover. Clustered around those are 23 categories and 108 subcategories of desired cybersecurity outcomes, along with hundreds of informative references, mostly other frameworks and industry standards.