Travel Update! The NIST CSF 2.0 is HERE…Along with Many Helpful Resources…

Image: A road with different NIST CSF resources labeled along the path. Credit: Natasha Hanacek, NIST

The NIST Cybersecurity Framework (CSF) development process all started with Executive Order (EO) 13636 over a decade ago, which called for building a set of approaches (a framework) for reducing risks to critical infrastructure. Through this EO, NIST was tasked with developing a “Cybersecurity Framework.” We knew that, to do this the right way, NIST would need to work alongside industry, academia, and other government agencies. This is exactly what we did—and have been doing over the past 10 years—as the CSF became more popular around the globe.

We also knew that the CSF needed to be a living document that would be refined, improved, and evolved over time. To address current and future cybersecurity challenges and improvements, NIST set out on the journey of developing the CSF 2.0. Along the way, NIST has solicited input via formal Requests for Information, workshops and smaller meetings, suggestions from users and non-users alike, and draft documents for public comment. This all resulted in CSF Versions 1.0 and 1.1 and, most recently, a draft of CSF 2.0.

What Organizations Should Know About NIST’s CSF 2.0…and Related Resources
 
The CSF 2.0, along with NIST’s supplementary resources, can be used by organizations to understand, assess, prioritize, and communicate cybersecurity risks. It is particularly useful for fostering internal and external communication at all levels (including across internal teams, from the C-Suite through middle management—and to those carrying out daily cybersecurity responsibilities). The CSF also seeks to improve communication with suppliers and partners and is intended to help organizations integrate cybersecurity-related issues with broader enterprise risk management strategies. 

The CSF 2.0 is organized by six Functions — Govern, Identify, Protect, Detect, Respond, and Recover. Together, these Functions provide a comprehensive view for managing cybersecurity risk. The Framework is also comprised of the following:

  • CSF Core: A taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. This can be found in Appendix A in the CSF 2.0 (and the Core can be browsed via the CSF 2.0 Reference Tool).
  • CSF Organizational Profiles: A mechanism for describing an organization’s current and/or target cybersecurity posture in terms of the CSF Core’s outcomes.
  • CSF Tiers: An approach that can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk management practices.

Today’s big news is not just about one singular document; it is about a suite of resources (documents and applications) that can be used individually, together, or in combination over time as cybersecurity needs change and capabilities evolve. The materials are designed to reach all audiences and to span across industries and organization types.

The CSF 2.0 improves on prior versions; we listened to your feedback, made key updates, developed new resources and tools, and adjusted our guidance based on today’s cybersecurity environment.

  • By offering practical and actionable suggestions, NIST’s resources—especially the set of Quick Start Guides we are sharing today (and the ones we add in the future)—can help organizations immediately improve their cybersecurity posture because they focus on how the CSF can be implemented.
  • To better integrate related resources, NIST’s mapping solution demonstrates how users can move quickly from CSF outcome statements to better cybersecurity in practice.
  • New implementation examples enable users to review action-oriented steps to help them get started (or keep going).

Explore the Resources!

Now that the big release day is finally here, we hope organizations (and those who guide or carry out cybersecurity strategies) will find the CSF 2.0 suite of documents and tools to be difference makers in managing and reducing cybersecurity risks. 

NIST continues to encourage candid, constructive discussions and other engagements about organizations’ experiences with the CSF. Remember, cybersecurity risk management is always a journey – and the CSF 2.0 is a navigational guide that can help make that journey more successful. 

Comments, questions, or feedback? Email us at cyberframework [at] nist.gov! You can also follow us on X via @NISTcyber to stay updated as we make more pitstops along the way.
