The National Institute of Standards and Technology (NIST) released its Cybersecurity Framework (CSF) 2.0 public draft, which will be open for comment until November 5, 2023.

While CSF 1.1 remains an effective framework for reducing cybersecurity risks, stakeholders agreed that changes could be made to address the evolving threat landscape and future cybersecurity challenges. The latest version recognizes the broad use of the framework, demonstrated by its name change from “Framework for Improving Critical Infrastructure Cybersecurity” to “The Cybersecurity Framework.” What was initially a framework for securing critical infrastructure has become widely used by small and medium-sized entities (SMEs) as well as internationally.

Another addition to the CSF centers on increased guidance for implementing the framework. Implementation examples will provide action-oriented steps to help organizations achieve the outcomes of the CSF subcategories. These examples and informative references will be available via an online tool on the CSF 2.0 website and will be updated regularly by NIST. The importance of continuous cybersecurity measurement and assessment is also emphasized through a new “Improvement” category in the Identify function, providing guidance on developing and updating plans of action.

One of the most noteworthy changes is the addition of the “Govern” function and its focus on cybersecurity supply chain risk management (C-SCRM). The Govern function works across the other five functions, as governance activities are crucial for incorporating cybersecurity into an organization’s wider enterprise risk management strategy. The Govern function has six categories:

  • Organizational context
  • Risk management strategy
  • C-SCRM
  • Roles, responsibilities, and authorities
  • Policies, processes, and procedures
  • Oversight

Within the new Govern function, the supply chain risk management category and its subcategories provide outcomes for establishing, managing, monitoring, and improving cybersecurity supply chain risk management programs. One of the subcategories is specific to C-SCRM and refers to the processes, roles, and responsibilities that need to be maintained. Additionally, the categories and subcategories of the other five functions enable organizations to define baseline cybersecurity requirements for direct suppliers and lower-tier suppliers, to be included in contractual requirements depending on supplier criticality and risk assessments.

This CSF update also provides more guidance on developing profiles that describe how organizations will implement the framework. Profiles can be used in communication with suppliers and enable organizations to make informed decisions when buying products and services based on their level of cybersecurity. Profiles can also be used to track any residual risk associated with a product or service through periodic review and testing, enhancing cybersecurity outcomes throughout the supply chain. Profiles can be developed to cover an entire enterprise, specific business units, or specific technologies.

NIST has informed stakeholders that it is not planning to release another draft of CSF 2.0 for comment. Any feedback on this draft will inform the final publication, expected in early 2024.

Alexis Steffaro
