The US National Institute of Standards and Technology (NIST) is preparing the most significant revision of its Cybersecurity Framework (CSF) in five years. The framework, first released in 2014 and updated to version 1.1 in 2018, is a set of guidelines and best practices used by organizations and government agencies worldwide to manage cybersecurity risk.

After a lengthy consultation, NIST has published a concept paper (PDF) for CSF 2.0, which is now open for further review. This feedback will be used to develop the final version of the revised framework, which is expected to be available by summer 2023. With cybersecurity risk increasing, the updated framework is meant to give organizations better guidance as they navigate a constantly changing threat landscape.

Proposed Changes

  • Broaden framework reach: One of the notable changes in the latest version of the NIST Cybersecurity Framework (CSF) is the expanded target audience. Previously, the framework was aimed mainly at critical national infrastructure organizations, such as those in the utilities, telecoms, transport, and banking sectors. However, since the publication of CSF 1.1, NIST has been directed by the US Congress to consider the needs of small businesses and higher education institutions. This move is intended to broaden the framework’s applicability to all organizations, making it more accessible and easier to use.
  • Examine additional risk: The new framework will prioritize supply chain risk management, encompassing third-party risks such as cloud computing, software, networking equipment, and non-tech supply chains. While there is general agreement that this issue is critical, feedback has been mixed, prompting further consideration on how to approach it. Given the regulatory requirements already in place for their industry, financial professionals are advocating for increased third-party responsibilities within the framework.
  • Assessment guidance: Despite having adopted the framework for over a decade, many organizations still wonder how they can determine whether their cybersecurity posture is improving. In response, CSF 2.0 will offer further guidance on how to assess security maturity levels and measure the effectiveness of risk reduction efforts.
  • Vendor neutrality: NIST’s proposal to keep the framework technology- and vendor-neutral is still under discussion, with some respondents asking for specific guidance on particular topics, technologies, and applications. Organizations want more guidance on using the cloud and operational technology, which creates a tension between remaining technology-neutral and giving concrete advice on specific systems.

Why NIST Matters

NIST, or the National Institute of Standards and Technology, is a vital organization that plays a critical role in shaping technology and cybersecurity practices across various industries. Its cybersecurity framework, or CSF, provides a comprehensive set of guidelines that organizations can use to protect themselves against cyber threats. NIST’s standards and guidelines are widely accepted across industries, and they are continuously updated to address emerging threats and technological advancements.

Compliance with NIST guidelines is often a requirement for organizations in regulated industries, such as finance and healthcare. By following NIST’s recommendations, organizations can better protect themselves against cyber attacks, reduce the risk of data breaches, and ensure that they are compliant with relevant regulations. NIST’s impact on the technology and cybersecurity landscape is significant, and its continued efforts to promote security and innovation are critical to protecting businesses and consumers alike.

Achieve NIST Compliance with BigID

For DoD contractors looking to achieve NIST compliance and adhere to CMMC, BigID has them covered. Certification requirements can be overwhelming, but organizations can get started by evaluating their security programs, including access controls, risk management, and incident response plans.

BigID gives organizations complete data visibility and control to meet compliance mandates involving CMMC, NIST, and beyond. BigID’s data-centric approach to security combines deep data discovery, next-gen data classification, and risk management. Know where data is located, how sensitive it is, and who is accessing it, so you can understand overexposure and meet zero trust requirements.

These insights enable security teams to proactively carry out actionable measures on their data such as deletion, encryption, anonymization, and more. Enforce rigid policies around sensitive data and trigger automated remediation to mitigate unwanted exposure and use – throughout the data lifecycle.

Bring your security programs up to speed and achieve compliance for NIST 2.0 — schedule a 1:1 demo today.