What do we know about NIST CSF 2.0?

What is NIST CSF?

The NIST CSF (cybersecurity framework) is a set of guidelines for organising and improving the cybersecurity program of an organisation. It was created with an intention to have a framework that would evolve with the evolving threat landscape and serve as a guideline for organisations to protect their assets and information in the face of emerging threats.

NIST CSF is a voluntary framework that can be adopted to manage and reduce cyber risks. While its goal is similar to other international security standards such as ISO 27001, the approach is slightly different. (Also read the blog ISO 27001 vs NIST CSF)

The guidelines under NIST CSF rely on 5 core measures.

1. Identify: Identify assets, risks, vulnerabilities, strategies to overcome threats, etc.
2. Protect: Implement security controls, processes, and procedures to protect assets.
3. Detect: Monitor and detect security incidents and anomalies.
4. Respond: Plan for responding to security events and mitigating damage.
5. Recover: Restore systems and plan improvements to prevent future incidents.

What is NIST CSF 2.0?

NIST CSF was first introduced in 2014. In April 2018, a revised version, NIST CSF 1.1 was released. The revisions to the framework incorporated stakeholder feedback and cyber attack trends. The idea was to help organisations effectively and easily manage cybersecurity.

A more significant update to NIST CSF is expected now which will be released under NIST CSF 2.0. This update comes with the aim to further improve the feedback in the current times when cyber threats are fast evolving.

An update is also awaited for the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), which was announced by NIST a few months ago.

Important updates for NIST CSF 2.0

1. Request for information (RFI)

A notice by NIST was released on February 22, 2022, requesting information that can help with identifying and prioritising cybersecurity needs for risks related to supply chains. The responses to this notice were accepted till April 25, 2022.

2. Responses received

Over 130 responses were received by NIST against the RFI issued.

3. Analysis of RFI responses

Each response to the RFI was analysed to identify key themes. 6 themes and 20 subthemes were identified for the cybersecurity (CSF) framework; 1 theme and 5 subthemes were identified for the new supply chain framework (NIICS).

4. NIST CSF 2.0 workshop

The latest development is the NIST CSF 2.0 workshop that was conducted on August 17, 2022.

Topics covered in the NIST CSF 2.0 workshop

The workshop had several discussions by eminent panellists. Some of the topics included in the workshop were:

• Lessons learned from the development and use of CSF profiles
• International use and alignment in CSF
• Governance in CSF
• Measuring and assessing CSF
• Consideration of supply chain cybersecurity in CSF

What’s next?

The NIST CSF 2.0 draft is expected to be released, the date for which will be informed by NIST soon. While it needs to be seen what exact changes have been made to the framework in the new edition, it is evident that it will offer an improved way of applying CSF while taking into account the technological advances and threat landscape. It will also seek to align CSF with other NIST and non-NIST models for cybersecurity. And of course, it will introduce the guidelines for managing the threats in technology supply chains.

For NISF CSF and other compliances, get in touch with our team to know how 6clicks and its automation can help.

Related useful resources

• Cybersecurity, GRC, and the role of penetration testing

• Addressing the cybersecurity and GRC gaps for organizations

• Cyber security risk 101: Introduction, frameworks and management