The Next Chapter: Delving into the Cybersecurity Framework 2.0 Draft


Posted on by Mike Green

The release of the initial public draft of the Cybersecurity Framework (CSF) 2.0 by the National Institute of Standards and Technology (NIST) marks a significant milestone in the evolution of the framework. With several notable updates and enhancements, this draft promises to strengthen cybersecurity practices across industries.


Governance Takes Center Stage


One of the standout features of the draft CSF 2.0 is its increased emphasis on governance. The newly introduced "Govern" Function carries over from the CSF 2.0 Core Discussion Draft shared in April 2023, but it now includes two additional categories: Cybersecurity Supply Chain Risk Management (GV.SC) and Oversight (GV.OV). This expanded Govern Function underlines the importance of effective oversight and risk management for organizations of all sizes. The inclusion of GV.SC in particular reinforces that an organization must understand and manage its supply chain in proportion to the risk it has assessed for the organization.


Streamlining Categories


The original five Functions, which form the backbone of the framework, have been realigned and their Categories consolidated. This streamlining aims to make the framework more precise by ensuring that each Function accurately captures the essence of its constituent Categories. While the reorganization is a significant change, its intent is to improve clarity and align the framework more closely with real-world cybersecurity challenges. To help the community orient itself to the deltas, NIST has also provided pointers and notations identifying which Subcategories were renamed, moved, or dropped.


Ample Implementation Guidance


Another notable facet of the draft CSF 2.0 is the depth of implementation guidance it offers. This iteration provides a wealth of "Implementation Examples" that show how CSF outcomes can be achieved through concrete, action-oriented processes (e.g., "Assign data classifications to designated data types through tags or labels"). The guidance also extends to crafting Profiles, including a notional template for applying the framework and tailoring it to an organization's specific needs. This level of practical direction is a valuable resource for organizations seeking to translate theory into effective cybersecurity practices and capabilities. To keep the Implementation Examples relevant and applicable, NIST plans to host them on the CSF website and update them over time rather than freezing them in the published document.


Enhanced Clarity in Cyber Measurement


The draft CSF 2.0 also brings clarification in the realm of cyber measurement. Notably, it explicitly directs users to the supplementary guidance in NIST SP 800-55, Performance Measurement Guide for Information Security, so that users have comprehensive material for developing measures tailored to their organization. Organization-defined metrics, built on performance-measurement principles, allow an organization both to prioritize its work and to demonstrate progress as it moves from its Current Profile toward its Target Profile.
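The Current-to-Target Profile comparison described above lends itself to a small amount of tooling. The following is an added example written for this page, not code from the blog post, from NIST, or from SP 800-55. The category identifiers GV.SC and GV.OV are the ones named in the draft; the Subcategory numbering, the 0..4 maturity scale, the scores and the risk weights are constructed placeholders chosen to illustrate the method, not values from the framework.

```python
"""Gap analysis between a Current and a Target CSF Profile (added example).

Assumptions (not CSF definitions): each outcome is scored on a 0..4 scale
(0 = not performed, 1 = ad hoc, 2 = defined, 3 = measured, 4 = optimized),
and each outcome carries an organization-defined risk weight from its own
risk assessment. Subcategory IDs such as "GV.SC-01" are placeholders.
"""
from dataclasses import dataclass

SCALE_MAX = 4  # assumed maturity scale upper bound


@dataclass(frozen=True)
class Outcome:
    subcategory: str    # placeholder numbering, e.g. "GV.SC-01"
    function: str       # CSF Function name, e.g. "Govern"
    category: str       # CSF Category ID, e.g. "GV.SC"
    current: int        # score in the Current Profile
    target: int         # score in the Target Profile
    risk_weight: float  # organization-defined weight (> 0)

    def gap(self) -> int:
        """Shortfall against the target; over-achievement is not a gap."""
        return max(self.target - self.current, 0)

    def priority(self) -> float:
        """Weighted gap: larger gaps on higher-risk outcomes rank first."""
        return self.gap() * self.risk_weight


def validate(outcomes) -> None:
    """Reject scores outside the scale and non-positive risk weights."""
    for o in outcomes:
        for name, value in (("current", o.current), ("target", o.target)):
            if not 0 <= value <= SCALE_MAX:
                raise ValueError(f"{o.subcategory}: {name} score {value} "
                                 f"outside 0..{SCALE_MAX}")
        if o.risk_weight <= 0:
            raise ValueError(f"{o.subcategory}: risk_weight must be > 0")


def is_valid(outcomes) -> bool:
    try:
        validate(outcomes)
    except ValueError:
        return False
    return True


def prioritize(outcomes):
    """Outcomes with a remaining gap, highest weighted gap first.

    Ties are broken by Subcategory ID so the ordering is deterministic.
    """
    validate(outcomes)
    return sorted((o for o in outcomes if o.gap() > 0),
                  key=lambda o: (-o.priority(), o.subcategory))


def category_progress(outcomes):
    """Percent of target achieved per Category: sum(min(cur, tgt)) / sum(tgt)."""
    totals = {}
    for o in outcomes:
        cur, tgt = totals.get(o.category, (0, 0))
        totals[o.category] = (cur + min(o.current, o.target), tgt + o.target)
    return {c: (round(100.0 * cur / tgt, 1) if tgt else 100.0)
            for c, (cur, tgt) in totals.items()}


# Constructed sample Profile (placeholder scores and weights).
SAMPLE = [
    Outcome("GV.SC-01", "Govern", "GV.SC", current=1, target=3, risk_weight=3.0),
    Outcome("GV.SC-02", "Govern", "GV.SC", current=2, target=3, risk_weight=2.0),
    Outcome("GV.OV-01", "Govern", "GV.OV", current=0, target=2, risk_weight=1.5),
    Outcome("GV.OV-02", "Govern", "GV.OV", current=3, target=3, risk_weight=1.0),
]

if __name__ == "__main__":
    print("Work queue (highest weighted gap first):")
    for o in prioritize(SAMPLE):
        print(f"  {o.subcategory}: gap {o.gap()}, weighted {o.priority():.1f}")
    print("Progress toward Target Profile by Category:")
    for cat, pct in category_progress(SAMPLE).items():
        print(f"  {cat}: {pct}%")
```

Running the script with the constructed sample orders GV.SC-01 ahead of GV.OV-01 even though both have the same raw gap, because the supply-chain outcome carries the higher risk weight. The per-Category percentage is the kind of repeatable, organization-defined measure that can be re-computed after each reassessment to show movement toward the Target Profile.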


Upcoming Workshop and Feedback


In conjunction with the release of the draft CSF 2.0, NIST announced Workshop No. 3, a hybrid event scheduled for September 19-20, 2023. The workshop gives stakeholders a platform to engage directly with the community and NIST experts, share insights, and contribute to the ongoing evolution of the framework. NIST has also requested feedback from stakeholders on the updates introduced in the draft, with a submission deadline of November 4, 2023. As NIST gathers input from industry professionals, organizations, and cybersecurity experts, the framework will undergo further refinement. The final version of the Cybersecurity Framework 2.0 is anticipated in early 2024, incorporating the collective input of the cybersecurity community.


In conclusion, the draft of the Cybersecurity Framework 2.0 reflects NIST's commitment to a dynamic and responsive framework that addresses the evolving challenges of today's digital landscape. After years of working with organizations across diverse sectors to use the Cybersecurity Framework to understand their current capabilities and mature their cybersecurity programs, it is encouraging to see NIST affirm the value of the framework in this way. With a renewed focus on governance, streamlined Categories, extensive implementation guidance, and enhanced clarity in cyber measurement, this iteration marks a crucial step forward.

Contributors
Mike Green

Cybersecurity Engineer, Optic Cyber Solutions

Topic: Risk Management & Governance

Tags: innovation, risk management, practitioner perspectives, standards & frameworks

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
