The National Institute of Standards and Technology updated their cybersecurity framework for the third time in a new draft. The new framework offers guidance to organizations about reducing cybersecurity risks. It contains a set of outcomes so that any organization can evaluate, prioritize, grasp, and communicate its cybersecurity measures in an effective way.
The draft comes five years after its second update to the framework, released in April 2018. New challenges and the need to make it simpler to use merit an update, according to the press release. In crafting the new draft, NIST considered over a year’s worth of public input spread across 283 written responses, three workshops, and more.
ISACA, a global association focused on IT governance, sent an email providing feedback on the draft. The author pushed for more direct language and explanations of why categories and subcategories were added, realigned, dropped, or renamed. Meanwhile, an email from a cybersecurity official at JPMorgan Chase & Co. flagged two subcategories which he believed conflated disparate objectives. The official also recommended that NIST delete discussions of public relations and reputation repairs from the draft.
One major change seen in the new draft is its name and scope. While the previous framework only applied to critical infrastructure, the new one can be used for all organizations, regardless of type, size, or location. It also provides guidance on how organizations can carry out internal decisions in support of their cybersecurity goals, noting that cybersecurity is a substantial form of business risk that leadership should consider alongside legal or financial risks.
Other updates include additional information to clarify understanding of cybersecurity measurement and assessment; a new category about supply chain risk management; and added examples of how to achieve certain outcomes discussed in subcategory sections.
A pivotal objective of the framework will be to show organizations how they can implement it by using more guidance from NIST and other sources. Accordingly, NIST will release a reference tool in the coming weeks.
The final version of the framework is expected to be released by early 2024. NIST seeks email feedback on the draft until November 4, 2023. Individuals are encouraged to convey whether the draft addresses current and future cybersecurity challenges, is aligned with best practices and related resources, and considers existing feedback. The draft will be examined in a workshop which will be held this fall.
Cherilyn Pascoe, the lead developer of the framework at NIST, noted that most organizations find the current framework helpful, but the update will assist in mitigating new risks. “The CSF was intended to be a living document that is refined, improved, and evolves over time to keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice,” she said.
