What's New in the NIST Cybersecurity Framework 2.0What's New in the NIST Cybersecurity Framework 2.0
Update to the NIST framework adds new "govern" function for cybersecurity.
August 14, 2023
First introduced nearly a decade ago as technical cybersecurity guidance for critical infrastructure interests like energy, banking, and hospitals, the National Institute for Standards and Technology (NIST)'s Cybersecurity Framework just got an update — and it's now aimed at organizations of all sizes.
The new version 2.0 of the popular NIST Cybersecurity Framework has expanded beyond the original framework's five functions of an effective cybersecurity program — identify, protect, detect, respond, and recover — and added a sixth, govern.
"It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership," NIST's new guidelines — still in the draft phase — said.
The new framework is also intended to help support organizations of all sizes, the agency said.
"With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well," NIST's lead developer of the framework, Cherilyn Pascoe, said in the CSF 2.0 release on Aug. 8. "The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments."
Business Benefits of Cybersecurity Framework 2.0
In a statement sent to Dark Reading, Bud Broomhead, CEO at Viakoo, explained that the new NIST update doesn't just help organizations with basic cybersecurity functions — it expands to other areas of the enterprise as well.
"By expanding the scope of the NIST framework to all forms of organizations (not just critical infrastructure) is an acknowledgment of how every organization faces cyber threats and needs to have a plan in place for managing cyber hygiene and incident response," Broomhead said. "This is already the case with cyber insurance, and NIST's recent update will help organizations not just reduce their threat landscape but also be better positioned for compliance, audit, and insurance requirements on cybersecurity."
The update is something that Joseph Carson, chief security scientist and advisory CISO with Delinea, praised as an "excellent refresh."
"It's great to see the framework moving on from simply a focus of critical infrastructure organizations and adapting to cybersecurity threats by providing guidance to all sectors," Carson said in a statement. "This includes the new 'Govern' pillar acknowledging the changes in the way organizations now respond to threats to support their overall cybersecurity strategy."
NIST is gathering comments on the draft CSF 2.0 until Nov. 4.
About the Author(s)
You May Also Like
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023
Everything You Need to Know About DNS AttacksNov 30, 2023
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Get the Gartner Report: SOC Model Guide
Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization
Building Immunity: The 2021 Healthcare and Pharmaceutical Industry Cyber Threat Landscape Report