The National Institute of Standards and Technology (NIST) has released a new version of its Cybersecurity Framework (CSF). NIST first launched the CSF in 2014, and now a decade later brings a significant update, in the form of version 2.0 and a suite of supplementary resources. While CSF 1.0 originally homed in on critical infrastructure, this new version is intended to speak to organizations across sectors, “from the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication,” per NIST.
Only federal government agencies are required to follow the CSF; many state and local governments and private organizations nonetheless find it useful to adopt voluntarily.
The original CSF outlined five functions that a cybersecurity program needs: Identify, Protect, Detect, Respond and Recover. CSF 2.0 expands that list by adding a sixth, “Govern.”
CSF and the accompanying resources aim to help organizations “understand, assess [and] prioritize” cybersecurity risks, as well as communicate about those risks both with stakeholders throughout an organization and with suppliers and partners. The guide also aims to help organizations blend cybersecurity into their larger risk management strategies.
The new framework includes features like “CSF Core,” a “taxonomy of high-level cybersecurity outcomes” intended to help with risk management. And organizations can use the new CSF Organizational Profiles to explain their current — or desired — cybersecurity posture in connection to those Core outcomes. NIST also released success stories demonstrating how different kinds of organizations used CSF, as well as the benefits and lessons learned.
Finally, various Quick Start Guides aim to make it easier for organizations to see how to implement the CSF.