NIST’s Updates to Cybersecurity Standards

Cybersecurity is top-of-mind among professionals across nearly every industry, with cyberthreats and attacks becoming more common as the globe increases its use of technology. Check Point research reported a 38 percent increase in cyberattacks from 2021 to 2022, thanks to “smaller, more agile hacker and ransomware gangs, who focused on exploiting collaboration tools used in work-from-home environments, targeting of education institutions that shifted to e-learning post COVID-19,” according to the website. Attacks are likely to only get more sophisticated as time goes on. In response, a major update to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) is set to be unveiled later in the summer of 2023. Today, we’ll detail what the NIST and its Cybersecurity Framework are, plus outline some of the planned updates under consideration for what’s being called CSF 2.0.

What is the NIST and CSF?

Founded in 1901, the NIST is part of the U.S. Department of Commerce and is among the country’s oldest physical science labs. It was created to increase America’s competitiveness in the industrial space, which was falling behind that of the United Kingdom and Germany, among others. The NIST website notes that “Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations — from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.” The NIST also outlines cybersecurity standards and best practices for U.S. industries and federal agencies. Its Cybersecurity Framework (CSF) was released in 2014 and designed as an outline that can help small and large businesses understand, manage, and minimize cybersecurity risks as a means to protect their data. It’s mandatory for government agencies but voluntary for those in the private sector, and consists of 5 key areas: Identify, Protect, Detect, Respond, and Recover. The Framework is available as a PDF download and provides helpful guidelines on how to keep your business safe from cyberattacks.

What About CSF 2.0?

The CSF has not been updated since 2018, and since that time cyberattacks have advanced considerably, in large part due to the pandemic’s role in pushing more of our jobs online. Because the CSF helps businesses develop their own cybersecurity programs, it was important that the Framework be updated with new details on governance, supply chain risks, and more. A request for information was carried out in February 2022 so the NIST could get a better understanding of the needs of industry partners and government agencies. In January 2023, a concept paper was released outlining some of the initial proposed updates to the CSF.

As outlined on the NIST website, the CSF 2.0 draft is “intended to increase clarity, ensure a consistent level of abstraction, address changes in technologies and risks, and improve alignment with national and international cybersecurity standards and practices.” While the CSF was originally created for national infrastructure purposes, Congress told the NIST to consider small businesses and higher education facilities within the updated Framework—making it usable for the businesses and institutions most impacted by growing cyber threats.

Included in the CSF 2.0 draft are the following changes:

  • The name and text of the document are updated to reflect its new use for all organizations, regardless of sector, type, or size
  • Increased collaboration and engagement with international entities
  • Additional references to guide users on how to implement the CSF at their business
  • A CSF Profile template
  • Enhancements to the CSF website, emphasizing resources for implementation
  • Greater emphasis on the importance of cybersecurity governance
  • Broadened coverage of the supply chain
  • Examples of steps an organization can take to implement Subcategories
  • Addition of a 6th Function, called “Govern”
  • Addition of 4 new Subcategories

The NIST released the CSF 2.0 draft in April 2023, with the final version expected to be available early in 2024.

We’ll be sure to keep up with the latest when the CSF 2.0 final version is released. Until then, stick with ARF Financial for information and news on the things that matter most to small businesses like yours. The Financial Pantry is always stocked with great content!