It’s been 10 years since the National Institute of Standards and Technology (NIST) released the Cybersecurity Framework (CSF). The changes that just launched in CSF 2.0 bridge key gaps that widened in the last decade as cybersecurity evolved. Here are the five big ones to know now:
- CSF 2.0 serves a much wider audience. Originally focused on critical infrastructure, the framework is now designed for all audiences, industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication.
- New Govern function brings leadership into security. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders must consider alongside others such as finance and reputation. The objectives are to integrate cybersecurity with broader enterprise risk management, roles and responsibilities, policy and oversight at organizations, and to better support the communication of cybersecurity risk to executives.
- Supply chain risk management is a central component. The Govern function includes a category for Cybersecurity Supply Chain Risk Management (C-SCRM) as a systemic process to manage exposure to cyber risks by developing strategies, policies, processes and procedures.
- NIST has introduced new resources to help users get the most out of the framework. They ease the implementation and continuous use of CSF 2.0 and include:
  - The CSF 2.0 Quick-Start Guide for Creating Organizational Profiles
  - The CSF 2.0 Searchable Reference Tool
  - The NIST Informative Reference Catalog
  - Cybersecurity and Privacy Reference Tool
  - CSF 2.0 Success Stories
- Translations are expected soon. The CSF is used widely internationally. Versions 1.0 and 1.1 have been translated into 13 languages, and NIST expects CSF 2.0 will be translated by volunteers around the world. Those translations will be added to NIST’s expanding portfolio of CSF resources.
Read the official news release from NIST.