The National Institute of Standards and Technology (NIST) has put together a concept paper with proposed revisions to its Cybersecurity Framework (CSF) and is looking for input on the changes before it crafts a draft of CSF 2.0.
A new version of the framework may be published by this summer, the agency said.
The concept paper, and its proposed changes, were informed by feedback from a cybersecurity request for information (RFI) published in February 2022 and an August 2022 workshop on CSF 2.0. NIST first released its CSF in 2014 before updating it in 2018.
“The CSF is intended to be a living document that is refined and improved over time,” the paper says. “With this update, NIST is open to making more substantial changes than in the previous update. The ‘CSF 2.0’ version reflects the evolving cybersecurity landscape – but community needs will drive the extent and content of the changes.”
While the CSF was originally intended to address the cybersecurity risks of critical infrastructure, NIST is proposing that CSF 2.0 address all organizations across government, industry, and academia. Specifically, CSF 2.0 will address the cyber needs of small businesses and higher education institutions.
“Responding to the community’s feedback and Congressional direction, NIST will increase its efforts to ensure the framework is helpful to organizations – regardless of sector, type, or size – in addressing cybersecurity challenges and encourages all interested parties to participate in the process,” the concept paper says.
Another change that may be coming to CSF 2.0 is an increase in international collaboration and engagement. Several countries have adopted the framework, and NIST said it plans to “prioritize exchanges with foreign governments and industry as part of CSF 2.0 development.”
NIST also aims to relate CSF 2.0 clearly to other NIST frameworks and will showcase CSF 2.0 through the recently launched NIST Cybersecurity and Privacy Reference Tool (CPRT).
While these are just some of the proposed changes – and the concept paper does not cover all potential changes to the framework – NIST wants input to help inform the draft CSF 2.0.
Feedback and comments should be sent to cyberframework@nist.gov by March 3, 2023.
NIST is also hosting a second CSF 2.0 virtual workshop on February 15, 2023, to discuss the proposed changes, as well as in-person working sessions on February 22-23, 2023.
While the agency does not have a specific date for when it will release the draft CSF 2.0, an initial timeline in the concept paper pegs the release date as “summer 2023.” The draft will be followed by another workshop and a comment period, after which NIST is aiming for a “winter 2024” CSF 2.0.