What's New in the NIST Cybersecurity Framework 2.0

First introduced nearly a decade ago as technical cybersecurity guidance for critical infrastructure interests like energy, banking, and hospitals, the National Institute for Standards and Technology (NIST)'s Cybersecurity Framework just got an update — and it's now aimed at organizations of all sizes.

The new version 2.0 of the popular NIST Cybersecurity Framework has expanded beyond the original framework's five functions of an effective cybersecurity program — identify, protect, detect, respond, and recover — and added a sixth, govern.

"It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership," NIST's new guidelines — still in the draft phase — said.

The new framework is also intended to help support organizations of all sizes, the agency said.

"With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well," NIST's lead developer of the framework, Cherilyn Pascoe, said in the CSF 2.0 release on Aug. 8. "The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments."

Business Benefits of Cybersecurity Framework 2.0

In a statement sent to Dark Reading, Bud Broomhead, CEO at Viakoo, explained that the new NIST update doesn't just help organizations with basic cybersecurity functions — it expands to other areas of the enterprise as well.

"By expanding the scope of the NIST framework to all forms of organizations (not just critical infrastructure) is an acknowledgment of how every organization faces cyber threats and needs to have a plan in place for managing cyber hygiene and incident response," Broomhead said. "This is already the case with cyber insurance, and NIST's recent update will help organizations not just reduce their threat landscape but also be better positioned for compliance, audit, and insurance requirements on cybersecurity."

The update is something that Joseph Carson, chief security scientist and advisory CISO with Delinea, praised as an "excellent refresh."

"It's great to see the framework moving on from simply a focus of critical infrastructure organizations and adapting to cybersecurity threats by providing guidance to all sectors," Carson said in a statement. "This includes the new 'Govern' pillar acknowledging the changes in the way organizations now respond to threats to support their overall cybersecurity strategy."

NIST is gathering comments on the draft CSF 2.0 until Nov. 4.