Federal cybersecurity leaders are looking forward to a major update for the National Institute of Standards and Technology’s Cybersecurity Framework, as NIST aims to add new details on governance, supply chain risks and more to a document that guides many organizations’ cybersecurity practices.
NIST released the original framework in 2014 and last updated the document in 2018. It began gathering feedback on the shift to “CSF 2.0” through a request for information last February, and hosted an initial workshop on the new framework in June.
Last month, NIST published a concept paper laying out some of the initial planned changes. Comments on the paper are due March 3. NIST plans to have a draft of CSF 2.0 ready by this summer, before releasing a final version in early 2024.
During a Wednesday workshop hosted by the standards agency, CISA Director Jen Easterly was among the agency leaders who appeared to applaud NIST’s work to update the framework.
“The framework has served as a powerful tool for providing a common taxonomy to help organizations create cybersecurity programs that align with the organization’s risk tolerance, that enable continuous improvement and facilitate communication around complex topics using a common lexicon,” Easterly said. “We’ve used the framework as a guide and to complement many of the resources offered by CISA.”
The framework was initially developed for critical infrastructure organizations. But it has since been adopted by organizations small and large across the globe.
At the same time, the Government Accountability Office has found some sector-risk management agencies haven’t taken steps to determine whether the critical infrastructure industries they oversee have actually adopted the framework.
Last year, CISA established new “Cybersecurity Performance Goals” (CPGs) for critical infrastructure organizations. The goals are based on the Cybersecurity Framework.
The CPGs are voluntary, although officials have said they could be used in future cyber regulations. Easterly said it’s crucial for organizations to adopt a minimum level of security.
“While we fully recognize that cybersecurity needs vary among critical infrastructure sectors, we also know that our nation’s cybersecurity posture can’t improve without baseline goals that are consistent across all sectors,” Easterly said.
During the webinar, officials discussed many of the major changes laid out in last month’s concept paper, including the addition of a sixth “govern” function to the framework.
“This is not a decision that we’re making lightly,” Cherilyn Pascoe, CSF Program Lead at NIST, said during the event. “The five functions within the framework have really become the definition for cybersecurity; they are included in policies and requirements and standards around the world. But we do believe that elevating governance through a function is the right thing and the right time to do it.”
The new function will cut across the five established functions and expand consideration of related topics such as cybersecurity roles and responsibilities; legal and regulatory requirements; and risk management processes, according to the January concept paper.
NIST is also expanding coverage of supply chain risk management as part of CSF 2.0.
“Given the increasing globalization, outsourcing and expansion of the use of technology services (such as cloud computing), CSF 2.0 should make clear the importance of organizations identifying, assessing and managing both first- and third-party risks,” the concept paper states.
Chris DeRusha, the federal chief information security officer at the White House Office of Management and Budget, applauded many of the proposed changes, including integrating supply chain risks into the framework. Last year, OMB issued new software supply chain security requirements for agencies.
“We’ve really been focused on in executive action, and subsequent memos and efforts to just understand the importance and challenges of managing complex supply chain risk, and doing a lot to incentivize adoption of other frameworks like NIST’s Secure Software Development Framework,” DeRusha said. “How we integrate that into the CSF is a really important question.”
DeRusha also applauded NIST’s commitment to staying technology- and vendor-neutral in CSF 2.0.
At the same time, NIST is planning to work with the cybersecurity community to allow organizations to map the CSF 2.0 to other frameworks. Respondents to NIST’s original RFI requested mappings to nearly 50 other cybersecurity standards, guidelines and frameworks, according to the concept paper.
“There are obviously big differences as you implement across platforms like it [Internet-of-Things], operational technology, cloud computing,” DeRusha said.
NIST is also planning to include “updated and expanded guidance” on how to implement the CSF 2.0 framework. The agency said there were more than 500 references in RFI responses “supporting the need for more guidance to support CSF implementation, and many users expressed a desire for greater detail in the CSF while maintaining a non-prescriptive approach.”
NIST plans to include notional implementation examples to help different organizations understand how the framework could be implemented, according to the concept paper.
“There’s been a really big interest, as we saw in the RFI comments, to cover more topics, cover more guidance, cover specific technologies, specific use cases — folks want more,” Pascoe said. “But of course, everyone also mentioned that they want the CSF to remain the same level of detail, the same level of simplicity. So there’s some tension there.”