Understanding and Accepting CSF 2.0: Changes Coming to the Cybersecurity Framework

Daniel Emeruem
Systems Administrator, Emerald Technical Solutions

Lauren Beward
Senior Cybersecurity Specialist, ArCybr

In January 2023, the National Institute of Standards and Technology (NIST) released its concept paper outlining proposed changes to the Cybersecurity Framework (CSF). Before publishing a formal draft, NIST is socializing these ideas to obtain feedback and refine updates.

Clarifying Potential Applications

The first change involves broadening CSF’s application and scope to cover more use areas, benefit more organizations, and encourage collaboration with international entities. CSF was originally specific to critical infrastructure. The rebranded CSF 2.0 will reflect its intended application across all government, industry, and academia – not just critical infrastructure. The scope will be reviewed to consider the cybersecurity needs of small businesses and academia, recognizing that CSF is a model framework to address security challenges across organizations of every sector and size.

CSF 2.0 will focus on international collaboration and information exchanges. CSF 2.0 will provide guidelines for standardized effective risk management that can be used worldwide. NIST is seeking information on translations, adaptations, and resources for CSF to enable international engagement.

Retaining Framework for Context

Despite a changing cyber landscape, CSF remains a valuable resource for organizations. NIST will retain CSF’s level of detail and status as a global-use framework, but has planned updates to connect it to existing standards. CSF 2.0 will relate to commonly known NIST frameworks, including Risk Management, referencing these as guidance. NIST will highlight CSF 2.0 using the Cybersecurity and Privacy Reference Tool (CPRT), which includes a user interface for accessing reference data, standards, and tools through an online database.

NIST is mapping to additional cybersecurity standards, guidelines, and frameworks, and they are seeking submissions for additional guidance on cloud computing, zero trust, and Internet of Things (IoT). NIST is moving toward an environment of online, updatable references through CPRT, enabling easy access and updates. They are committed to remaining technology- and vendor-neutral while reflecting evolutions in cybersecurity practices. CSF 2.0 will include recent changes in technology, including Zero Trust, Respond and Recover Functions, and Identity Management. These updates will provide organizations with additional guidance on changing areas while avoiding tie-ins to specific vendors or technologies.

Guidance on Implementation

Industry has requested guidance on how to properly implement CSF. CSF 2.0 will include examples of implementation as part of the subcategories. These examples will showcase short, action-oriented activities that organizations can undertake to implement CSF. The intent is to clarify guidance and provide ideas to develop internal plans for implementation of processes and technologies. NIST will release a template for the creation of CSF profiles, demonstrating a basic structure that can be used, and they are asking for sample profile submissions as a foundation.

NIST is changing the CSF website to provide additional resources, tools, case studies, success stories, and publications. They are refreshing content and seeking feedback on additional resources. NIST is urging the community to share success stories on implementation, which will be published as use cases through the website.

Cybersecurity Governance

CSF 2.0 will emphasize the importance of cybersecurity governance, the framework that defines how to manage and control cybersecurity activities. Governance provides policies, procedures, and standards to ensure a cybersecurity program is effective and aligns with an organization’s mission, goals, and objectives. Key governance components highlighted by changes include:

  • Risk Management: Policies, procedures, and mitigations to identify, assess, and prioritize risks based on potential impacts.

  • Policies and Procedures: Defined approaches, including access control, data protection, incident response, and security awareness/training.

  • Organizational Structure: Structure to manage a cybersecurity program, including defined roles and relationships and established reporting structure.

  • Compliance and Oversight: Mechanisms to ensure alignment with applicable laws, regulations, and standards.

Effective governance is essential to ensuring security and resilience of assets and infrastructure. By implementing a governance program that aligns with CSF 2.0, organizations can better manage risks, comply with regulations, and improve overall cybersecurity posture.

Cybersecurity Supply Chain Risk Management (C-SCRM)

CSF 2.0 further emphasizes the importance of C-SCRM, the method for identifying and reducing risks associated with the distributed nature of supply chains. Cybersecurity hygiene should be mission-critical for C-SCRM. C-SCRM combats vulnerabilities by investigating technology, hardware, open-source, and proprietary software. When acquiring items through the supply chain, it is crucial for purchasing parties to be aware of such factors as manufacturing and company location, foreign involvement, legal issues or past breaches at the vendor, and common vulnerabilities and exposures. Continuous monitoring must be adopted in vendor relations. Never assume that items purchased from the same supplier in the past cannot be exploited.

Cybersecurity Measurement and Assessment

CSF 2.0 will advance understanding of measurement and assessment as essential steps in guaranteeing the efficacy of a cybersecurity plan. Keep the following in mind:

  • Create a Framework: Frameworks for measurement/evaluation are vital to understand cybersecurity posture.

  • Identify Key Performance Indicators (KPIs): Selection/monitoring of KPIs should be part of comprehensive measurement and assessment.

  • Collect Accurate Data: Fund methods/technologies that enable collection of precise data and guarantee reliability and consistency.

  • Conduct Regular Assessments: Regular program assessments (both internal and external) must be performed to combat changing risks.

  • Concentrate on Continuous Improvement: Prioritize continual improvement and implement changes to maintain effectiveness.

  • Exchange Best Practices: Knowledge exchange is crucial for expanding understanding of measurement and assessment.

By implementing these areas, organizations can ensure their cybersecurity program remains effective in the face of evolving threats.

What Does This Mean for Industry?

The changes to CSF can be viewed as positive for industry and academia. With a broader scope, access to more resources, and greater focus on more entities, CSF 2.0 will better reflect the changing cybersecurity landscape and increase collaboration with the community. Expect a formal draft of CSF 2.0 by Summer 2023, followed by workshops in Fall 2023. CSF 2.0 is formally anticipated by Winter 2024.

While change may seem daunting, organizations like ArCybr and Emerald Technical Solutions can help you navigate changes and advise on how to implement the right solutions to improve processes. These changes may impact how CMMC 2.0 is applied. We will monitor progress and approval and provide guidance for CSF and CMMC 2.0. Reach out today to schedule your consultation!