Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Government

NIST Cybersecurity Framework 2.0 Officially Released

NIST releases Cybersecurity Framework 2.0, the first major update since the creation of the CSF a decade ago.

NIST

NIST on Monday announced the official release of version 2.0 of its Cybersecurity Framework (CSF), the first major update since its creation a decade ago.

The cybersecurity framework was originally aimed at critical infrastructure organizations, but it has been widely used and widely recommended and NIST highlighted that CSF 2.0 is designed to help all organizations reduce risks, regardless of sector, size, or level of security sophistication. 

Based on the feedback it received on the draft of the Cybersecurity Framework 2.0, NIST expanded the core guidance and created additional resources to help organizations use the CSF to its full potential. 

[ Read: Industry Reactions to NIST Cybersecurity Framework 2.0 ]

The CSF 2.0 supports implementation of the National Cybersecurity Strategy and it’s organized around six key areas: identify, protect, detect, respond, recover and govern. The govern function was introduced with this major update of the CSF. 

“The addition of the Govern function provides a vital and previously missing piece to the NIST Cybersecurity Framework, important to critical elements such as risk management,” Robert Booker, chief strategy officer at HITRUST, a contributor to the development of CSF 2.0, said via email.

Users are provided implementation examples and quick-start guides that are tailored to their specific needs. 

The CSF 2.0 also offers a searchable catalog of references that enables organizations to map guidance to over 50 other relevant cybersecurity documents. 

Advertisement. Scroll to continue reading.

The first major version of NIST’s cybersecurity framework is available in over a dozen languages and volunteers from around the world will likely translate CSF 2.0 as well. 

“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” said NIST Director Laurie E. Locascio. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.” 

Katherine Ledesma, head of public policy & government affairs at industrial cybersecurity firm Dragos, has made some interesting comments on the implications and benefits for organizations with industrial control systems (ICS) and operational technology (OT) systems.

“Similar to the National Cybersecurity Strategy released last year, the CSF 2.0 continues to move the conversation from cybersecurity investment as a cost center to cybersecurity investment as a way not only to protect but also support business operations, particularly when it comes to ICS and OT cybersecurity. This is important to manufacturing facilities that need to maintain safe, continuous operation, as well as for electric or water utilities that need to provide reliable, essential services to communities,” Ledesma told SecurityWeek.

“Although the CSF 2.0 identified that functions, categories, and subcategories are intended to be broad enough to apply to both IT and OT environments, as the dialogue around the CSF and related guidance continues, we will see specific attention paid to the distinct approaches needed to protect ICS/OT, given the unique purposes of and risks to those types of systems. This includes continuing to update documents such as the Guide to OT Security, and also incorporation of these concepts into broader planning and guidance documents,” Ledesma added.

Related: US Publishes Implementation Plan for National Cybersecurity Strategy

Related: NIST: No Silver Bullet Against Adversarial Machine Learning Attacks

Related: NIST Publishes Final Version of 800-82r3 OT Security Guide

Related: Using the Full NIST Cybersecurity Framework for the Win

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.