by Vince Johnson
The National Institute of Standards and Technology (NIST) initially released the Cybersecurity Framework (CSF) in 2014. The Framework’s use is voluntary for industry, but Executive Order 13800 makes it mandatory for U.S. government agencies. The Framework helps organizations develop a common language for understanding, managing and communicating cybersecurity risks within their environments, both inside and outside their organization.
The Framework is intended to be a living document, where content is developed and updated as the technology and cybersecurity landscapes change. The last update occurred in 2018 (CSF 1.1). In February 2022, NIST released a Request for Information (RFI), asking stakeholders to comment on a non-exhaustive list of possible feedback topics and offer recommendations for updating the Framework. NIST also requested information to assist in identifying and prioritizing cybersecurity needs related to supply chains.
The RFI generated over 130 responses. On June 3, 2022, NIST released the RFI Summary Analysis, providing the results of its analysis of each response. NIST identified recurring concepts among the responses and classified them into seven key themes and 25 subthemes. NIST also formulated discrete recommendations for updating the Framework.
As the Journey to CSF 2.0 begins, stay tuned for updates on the development of this important flagship framework!
Cybersecurity and Infrastructure Security Agency | Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure | https://www.cisa.gov/executive-order-strengthening-cybersecurity-federal-networks-and-critical-infrastructure
National Institute of Standards and Technology | “Framework for Improving Critical Infrastructure Cybersecurity” version 1.1 | https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
National Institute of Standards and Technology | “Initial Summary Analysis of Responses to the Request for Information (RFI) Evaluating and Improving Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management” | https://www.nist.gov/system/files/documents/2022/06/03/NIST-Cybersecurity-RFI-Summary-Analysis-Final.pdf