On January 19, 2023, the National Institute of Standards and Technology (“NIST”) published a Concept Paper setting out “Potential Significant Updates to the Cybersecurity Framework.” Originally released in 2014, the NIST Cybersecurity Framework (“CSF” or “Framework”) is designed to assist organizations with developing, aligning, and prioritizing “cybersecurity activities with [their] business/mission requirements, risk tolerances, and resources.” Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity. The CSF was last updated in 2018 (version 1.1), and NIST now seeks public comment on the changes outlined in the Concept Paper, which would form the basis of CSF 2.0.
NIST Concept Paper. As the name suggests, the Concept Paper outlines potential significant updates to the Framework, and NIST previews that some of the proposed changes are “larger structural changes that may impact compatibility” with the current version of the Framework. NIST also warns that the Concept Paper does not cover all changes that might be implemented.
Request for Comment. NIST requests feedback and comments on the potential updates via email to cyberframework@nist.gov by March 3, 2023. Specifically, NIST seeks feedback for each section discussed in the Concept Paper (outlined below in bullets) and lists a series of questions, including whether “the proposed changes are sufficient and appropriate” and whether “the proposed changes [would] affect continued adoption of the Framework.” In addition to written feedback, NIST intends to discuss the proposed changes at the CSF 2.0 virtual workshop on February 15, 2023 and during the CSF 2.0 in-person working sessions on February 22 and 23, 2023. After reviewing the feedback, “NIST intends to publish the draft Cybersecurity Framework 2.0 in the coming months for a 90-day public review.”
Potential Significant Updates. The NIST Concept Paper outlines some potential significant updates to the NIST CSF, including:
- Acknowledging the CSF’s Scope Beyond “Critical Infrastructure” – While the original CSF was developed to address critical infrastructure cybersecurity risks, the CSF has been used much more widely in practice, including internationally. NIST proposes changes to the CSF to explicitly recognize that the CSF is intended to be used “by all organizations” – not just critical infrastructure.
- Adding a New “Govern” Function – NIST proposes expanding the five existing functions (Identify, Protect, Detect, Respond, and Recover) by adding a sixth function on cybersecurity governance (“Govern”), recognizing that “cybersecurity governance is critical to managing and reducing cybersecurity risk.” NIST seeks input on what should be moved to or included within the new function. NIST’s emphasis on cybersecurity governance follows closely on recently proposed regulations by other agencies, including the New York Department of Financial Services and the U.S. Securities and Exchange Commission, that would expand sector-specific cybersecurity governance requirements.
- Providing Context on Existing Standards and Resources – NIST aims to retain the CSF’s flexibility and current level of detail, which serves as “a common organizing structure for multiple approaches to cybersecurity,” but proposes to relate the CSF more clearly to other NIST frameworks (such as the Privacy Framework and the Secure Software Development Framework) and to develop or integrate additional tools for mapping the CSF to other resources. NIST also emphasizes that “CSF 2.0 will expand consideration of outcomes in the CSF Response and Recover Functions[,]” noting that the “CSF must continue to emphasize the importance of incident response and recovery[.]”
- Updating and Expanding Guidance on Implementation – NIST proposes to include additional guidance to support implementation of the CSF, including adding “implementation examples for CSF subcategories.” NIST states that “[t]his small list of examples would not be a comprehensive list of all actions that could be taken by an organization to meet CSF outcomes, nor would they represent a baseline of required actions to address cybersecurity risks.”
- Emphasizing the Importance of Cybersecurity Supply Chain Risk Management (“C-SCRM”) – In CSF 2.0, NIST proposes to “make clear the importance of organizations identifying, assessing, and managing both first- and third-party risks” by including additional supply chain risk management outcomes. In its Concept Paper, “NIST invites feedback as to how best to address C-SCRM in CSF 2.0” and has proposed a list of potential options, including “further integrating C-SCRM outcomes throughout the CSF Core across Functions[.]”
- Advancing Measurement and Assessment – NIST proposes providing additional guidance on measurement and assessment of outcomes using the CSF, including by providing “examples of how organizations have used the CSF to assess and communicate their cybersecurity capabilities.”
Looking Ahead. Written comments are due to cyberframework@nist.gov by March 3, 2023, and NIST will also discuss the proposed changes at the February 15 virtual workshop and the February 22 and 23 in-person working sessions noted above. After reviewing the feedback, “NIST intends to publish the draft Cybersecurity Framework 2.0 in the coming months for a 90-day public review,” which will give organizations a further opportunity to comment before CSF 2.0 is finalized.