Analysis of the NIST Cyber Security Framework 2.0 and major potential changes
Author: Jose Monteagudo, Editor-in-Chief, @ Cyber Startup Observatory
The initial version of the NIST Cyber Security Framework was released in 2014 and updated to CSF 1.1 in 2018.
As of early 2022, NIST is working on an ambitious upgrade project.
In February 2022, NIST issued a Request for Information (RFI) that received more than 130 responses.
In January 2023, the “NIST Cyber Security Framework 2.0 Concept Paper”, on which this article and analysis are based, was published.
Version 2.0 of the NIST CSF is scheduled for release in the winter of 2024.
Figure 1 shows the timetable for this process, the initial planning for CSF 2.0:
Figure 1: Initial planning of CSF 2.0
Main potential changes that CSF 2.0 will incorporate
Figure 2 shows the main elements of CSF 2.0:
Figure 2: Potential changes in the CSF 2.0
As mentioned above, this is an ambitious transformation that is structured around the following six points:
1.- CSF 2.0 will explicitly recognize the broad use of the framework to clarify its potential applications
To that end, the framework will change its name to reflect that it is aimed at all types of organizations, regardless of their sector, type or size.
It will also work to increase international collaboration and involvement.
2.- CSF 2.0 will continue to be a framework that provides context and connections to existing standards and resources
Other existing frameworks – such as the Risk Management Framework, the Privacy Framework, the National Initiative for Cyber Security Education Workforce Framework for Cyber Security, and the Secure Software Development Framework – currently relate to the CSF, and CSF 2.0 will reference them in accompanying documents.
In addition, CSF 2.0 will remain vendor- and software-publisher-neutral and will reflect changes in common practices in the cyber security industry.
3.- CSF 2.0 (and its accompanying resources) will include updated and expanded guidance on implementing the framework
It will include implementation examples and templates, and the website will be enhanced to simplify and streamline access to existing resources.
4.- CSF 2.0 will emphasize the importance of cyber security governance
The new model will add a governance function that will inform and support the other functions of the framework.
5.- CSF 2.0 will emphasize the importance of cybersecurity supply chain risk management (C-SCRM)
Supply chain risk management is one of the major improvements of the new model: it will cover the identification, assessment and management of third-party risks.
6.- CSF 2.0 will advance the understanding of cybersecurity measurement and assessment
CSF 2.0 will clarify how organizations can use the framework to measure and assess their cyber security programs, and will provide practical examples of measurement.
All of these elements are explained in detail in the “NIST Cyber Security Framework 2.0 Concept Paper” published on January 19, 2023.
We hope you found this brief explanation useful and look forward to the publication of the final model in 2024.
About the author
Jose Monteagudo (LinkedIn – Twitter) is the Editor-in-Chief of the Cyber Startup Observatory, a project he founded in 2018 after more than 20 years in product, consulting and leadership roles at technology companies in the US, UK, France, Japan, Singapore and Spain. He holds a BSc in Aeronautical Engineering, specialized in avionics, from the Polytechnic University of Madrid and an MBA from ESIC Business & Marketing School.