By John E. Dunn
It’s been nearly seven years since the 1.1 revision of NIST’s Cybersecurity Framework. What might be coming in version 2.0?
Since its release in 2014, NIST’s Cybersecurity Framework (CSF) has grown into the one of the world’s most influential cybersecurity references for best practice and planning.
In January, the world finally caught sight of the draft CSF Concept Paper that will form the basis of the next version 2.0 overhaul due for release around mid-2023.
From this draft, it is clear that the CSF is developing fast, taking on new and much wider ambitions since the version 1.1 refresh in 2016. The first and perhaps most significant of these is what NIST calls “increased international collaboration engagement.” If this sounds a bit earnest, there appears to be more to it than that if you read between the lines.
“Since the launch of the CSF’s development in 2013, many organizations have made it clear that international use of the CSF would improve the efficiency and effectiveness of their cybersecurity efforts,” the paper notes.
NIST said it plans to have the Framework translated into multiple languages and to use the CSF to integrate with and influence global standards bodies such as the ISO.
While the CSF is by nature a framework rather than a set of formal standards it’s clear that NIST sees its success as heralding a wider global influence. There is a need for something. If this quickly becomes the de facto guide to best practice, this has implications for CISOs far beyond its home territory of the U.S.
Zero Trust
NIST also wants version 2.0 to map the advice it offers to other developments in cybersecurity, particularly zero trust architecture (ZTA), 5G Cybersecurity, Post-Quantum Cryptography (PQC) migration.
One issue with the CSF has been relating best practice to implementation. Version 2.0, NIST promises, will expand the list of ‘success stories’ that offer an example of how the Framework was used by different organizations.
Supply Chains
The 2016 version 1.1 update added supply chain management as a category and NIST is looking for industry input as to how version 2.0 might expand on this as directed to by the U.S. Government in 2021. As it notes:
“Given the increasing globalization, outsourcing, and expansion of the use of technology services, CSF 2.0 should make clear the importance of organizations identifying, assessing, and managing both first- and third-party risks.”
In other words, how organizations assess not only their own risk through a framework but that of their partners, something that might become a big theme in future updates.
SMB Cybersecurity
Since the initial version 1.0 focus on critical infrastructure there has been a growing focus on other sectors, for instance SMBs and the education sector. The Concept Paper is slightly vague on how this might affect the CSF but the fact that NIST has been encouraged to look at it by the current U.S. administration seems to have given things an extra push.
Version 2.0 is far from set. NIST is still looking for comment and feedback from industry parties by March 3, 2023 by emailing [email protected].