Skip to main content

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (“CSF” or “Framework”) was developed in 2014, and later updated in 2018, in response to increased cybersecurity risk to the nation’s critical infrastructure. Once again, NIST is seeing the need to modify the framework to combat the most prevalent cyber risks and is adding another pillar of guidance to create CSF 2.0.

NIST plans to add “Govern” to the current framework that already features Identify, Protect, Detect, Respond, and Recover. Govern will be a cross-sectional pillar that informs the other framework sections about the evaluation of cybersecurity risk, determination of cybersecurity roles and responsibilities, and establishment of cybersecurity policies and procedures. The update aims to emphasize the importance of risk management and continuous monitoring of regulatory requirements within your organization.

In this update NIST identifies a “Call to Action” singling out ways in which the community can contribute to improvements to CSF 2.0 and associated resources:

  • Share International Resources
  • Provide Mappings
  • Share additional example profiles for specific sectors, threats, and use cases,
  • Submit CSF Resources – These can include approaches, implementation guides, mappings, case studies, tools, and others.
  • Share Success Stories
  • Share Use of the CSF in Measuring and Assessing Cybersecurity
  • Comment on Performance Measurement Guide for Information Security

In addition to the change in framework structure, CSF 2.0 will include additional guidance on supply chain management risk and impact. Contractors whose supply chain operations utilize third-party organizations, outsourcing, and new supply chain technology will be expected to enhance risk assessment strategy that could include the implementation, or appointment, of a team to mitigate that risk.

Among the already discussed updates, NIST plans to:

  • Keep guidance broad so that it does not limit the application across sector, industry, business line.
  • Provide contractors examples for ways in which the framework could be implemented.
  • Provide additional resources that help contractors measure cybersecurity risk. This will include ways that other contractors have performed assessment and mitigation.

Although the CSF 2.0 has not been finalized, it has garnered a positive response throughout the cybersecurity community and should be on your organizations’ radar.

Have Questions? We Are Here To Help. Contact Us Today!