The U.S. National Institute of Standards and Technology (NIST) has released an updated edition of its iconic cybersecurity document – the Cybersecurity Framework (CSF), now at version 2.0. This marks the first major update since the document’s creation in 2014. The updated CSF is tailored for a wide range of audiences, covering organizations of all sizes and sectors – from small schools and non-profit organizations to the largest corporations and state agencies.
In response to feedback received on the draft document, NIST has expanded the basic recommendations of CSF and developed additional resources for users to utilize it more efficiently. The new version aligns with the implementation of the National Cybersecurity Strategy presented by the White House last year, expanding its scope to include management issues related to making informed decisions in cybersecurity strategy.
The updated CSF introduces the new “Govern” function, complementing the existing key functions: Identify, Protect, Detect, Respond, and Recover. Together, these functions provide a comprehensive view of the cybersecurity risk management lifecycle. New resources and tools, such as the Reference Tool for CSF 2.0, simplify the application of the document by allowing users to view, search, and export data in convenient formats. The catalog of informative references helps organizations compare their actions with existing CSF manuals.
NIST also offers the Cybersecurity and Privacy Reference Tool (CPRT), containing an interconnected set of NIST documents to help contextualize resources for both technical specialists and senior management. The organization plans to further enhance its resources to make CSF an even more useful tool, with community reviews playing a key role in the process.
CSF versions 1.0 and 1.1 have been translated into 13 languages, and NIST expects volunteers around the world to translate CSF 2.0. This will enable the adoption of advanced cybersecurity practices globally, enhancing overall digital defense. NIST’s collaboration with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) has contributed to aligning cybersecurity standards internationally, with plans to continue this work for consistency and unification in cybersecurity standards.