First announced in early June 2022, the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) version 2.0 is quickly approaching, with a concept paper released in January 2023 and an initial draft to follow at some point this summer. For those in information security and governance roles, the updated version of the CSF promises changes that will increase the effectiveness and detail of NIST-based risk assessments.

To provide some background on the history of the CSF, its initial publication was released in 2014 following a presidential order to provide guidance on key areas of focus for security across all industries and organizations. The goal was to publish a standardized framework that organizations of all sizes could leverage as a starting point to begin the process of maturing their security postures.

In 2018, NIST published version 1.1 which featured moderate changes through the introduction of several new subcategories. This change allowed for the CSF to expand its scope to better encompass more aspects of an organization’s information security program. As with much in the information security field, the CSF has adapted to the ever-changing landscape in which security professionals operate and will continue to do so through this iteration.

New Resources and Expanded Audience

As part of the upcoming CSF v2.0, NIST plans to provide supplemental resources to organizations that will add insight into how the framework can be best implemented and measured. Based on feedback during its open discussion periods, NIST has stated that this additional guidance included in v2.0 will provide theoretical steps that organizations can follow directly or use as reference points to improve their security posture. It should be noted that these implementation examples are not to be viewed as baselines or specific fixes for an organization’s gaps but instead are meant to provide high level guidance for organizations to develop action plans and map out necessary improvements.

Along with the implementation examples, NIST is also attempting to expand the audience for the CSF with the 2.0 framework. The CSF was initially developed for “critical national infrastructure,” but Congress directed NIST to “consider the needs of small businesses and higher education institutions” when developing the 2.0 framework. NIST intends the new framework to be more usable by small and medium-sized entities, without any of the potential legal issues that have arisen in the past. On this topic, Cherilyn Pascoe, senior technology policy advisor at NIST and Cybersecurity Framework Program lead, noted: “We don’t want organizations to have to make that determination about whether or not they’re critical infrastructure, which is sometimes a legal issue that comes with additional burdens, and so we’re proposing to broaden it to all organizations.”

Lastly, a commonly discussed topic during the feedback period has been the addition of resources and references that organizations can leverage while using the framework. To achieve this, NIST plans to further expand and update the available resources and documentation provided through the Online Informative Reference Program (OLIR), which can help organizations map security functions across multiple popular frameworks. With the release of the third iteration of the framework, information security professionals and leaders should expect many of the same concepts, but with new goals and backing materials that will change the way the CSF is applied in many organizations.

New Function and Expanded Categories

Along with the more high-level changes to the NIST CSF, there will also be content changes to the framework itself. One of the more significant changes announced is the introduction of a new function, Governance. This new function will expand on existing categories within the Identify function such as ID.GV, ID.RM, and ID.RA. These changes reflect the priority placed on understanding how to manage the risks and threats that organizations face, while allowing more detailed and measurable data to be generated on these topics.

Similar to v1.1, NIST has identified the need to further expand the current categories addressing how to manage a supply chain from a security perspective. Security professionals will be able to look to v2.0 to better address these topics in a market landscape that grows increasingly dependent on external service providers.

As discussed earlier, there will be minor changes in the upcoming version that better suit a variety of business sizes and industries to allow small to mid-sized organizations to leverage the framework more effectively. What this entails is likely nothing more than changes to language that make categories and subcategories more agnostic to organization size and type. Overall, v2.0 should expand on areas of focus that professionals across industries have identified as key areas for improving one’s security posture and should provide greater insight for leaders to manage their organization’s security program.

Preparing for NIST CSF v2.0: Changes, Challenges, and Opportunities

The impact of this release should not be overly complicated for organizations that already leverage the current iteration of the framework as a tool to improve their information security program. The additional resources that NIST is working to produce alongside v2.0’s release should provide leaders and security professionals with the support they need in transitioning to the new CSF.

With the material changes being implemented, organizations may face minor difficulties in conducting year-over-year analysis of their security programs after the initial release. Most content in the CSF will remain the same, however, and should not drastically change any metrics being tracked over time.

Similarly, organizations should prepare for third-party risk assessments based on NIST CSF 2.0 to look slightly different. The new Governance function and supply chain content will bring a higher level of scrutiny to these topics, and security program stakeholders should be prepared for it. Additionally, implementation guidance is likely to become a regular talking point between stakeholders and assessors, both to provide reasoning and support for current processes and to discuss potential projects and improvements in the future. Overall, we expect v2.0 to help more than hinder, but organizations should be prepared in advance to apply a different approach and strategy to the use of this new framework.

NIST Cybersecurity Framework 2.0: Preparing for the Future of Information Security

Following the release of the NIST Cybersecurity Framework 2.0 Concept Paper on January 19, 2023 (NIST CSF 2.0 Concept Paper), the public has been informed that the official release of v2.0 should come in the first quarter of 2024. For a more in-depth view of the timeline and upcoming events, please visit NIST’s update page. This upcoming release signifies the most notable change to the CSF since 2018 and should give organizations of all industries and sizes an opportunity to reassess their current security program in a new light and identify areas to further strengthen the methods by which they protect their environment and customers.

If you’re looking to strengthen your organization’s cybersecurity program and need assistance navigating the upcoming changes to the NIST Cybersecurity Framework, contact LBMC’s team of industry experts today. We can help you assess your current security posture and develop a customized plan for implementing the latest framework to ensure your organization is well-protected against evolving threats. Don’t wait until it’s too late – schedule your consultation now and take the first step towards a more secure future.

Recent Changes of Other Frameworks

For insight into the recent changes of other frameworks and standards, please explore these articles from other LBMC thought leaders.

HITRUST Version 11 – What you need to know!

What to Expect with PCI 4.0 | LBMC

Content provided by LBMC professionals, Kurt Faires and Dennis McGough.
