NIST Expands Cybersecurity Framework with New Pillar

Cyber Security Threat Summary:
The US National Institute of Standards and Technology (NIST) has released a new draft version of its popular best practice security framework, designed to expand its scope and provide more guidance on implementation. The NIST Cybersecurity Framework (CSF) 2.0 is the first refresh since it was launched in 2014. It is designed to help organizations “understand, reduce and communicate about cybersecurity risk,” the standards body said. NIST says the latest update will reflect current usage and anticipated future usage.

NIST says that while the CSF was developed for critical infrastructure, it has proved to be a useful tool for all industries, from schools to small businesses to foreign governments. NIST plans to tailor the tool so that it is useful to all sectors, not just those designated as critical.

Security Officer Comments:
Version 2.0 of the NIST Cybersecurity Framework will officially expand the framework’s scope from critical infrastructure to all organizations regardless of type or size. NIST also plans to add an additional “pillar” to the CSF: a “govern” pillar will sit alongside the existing identify, protect, detect, respond and recover functions. NIST says this new pillar is designed to emphasize that cybersecurity is a major source of enterprise risk and to help organizations better devise and execute decisions in support of their security strategy.

“Finally, the new draft is designed to feature improved and expanded guidance on how to implement the CSF, via profiles covering specific sectors and use cases. It is hoped this will help particularly smaller organizations to use the framework effectively. Although no further draft will be released, NIST is encouraging anyone with recommendations to respond with comments by November 4, 2023” (Info Security Magazine, 2023).