The NIST cybersecurity framework is the de facto standard for building and structuring cybersecurity strategies and activities – but that’s not how it started out, and not what it’s really called. The document in question is the Framework for Improving Critical Infrastructure Cybersecurity, currently at version 1.1. In August 2023, NIST published a draft version of its proposed successor, now simply called The Cybersecurity Framework (CSF) – and unlike the current version, the draft comes with a variety of practical implementation examples.
A framework driven by executive orders
Back in 2013, an executive order from the Obama administration was issued calling for a standardized cybersecurity framework to describe and structure activities and methodologies related to securing critical infrastructure. In response, the National Institute of Standards and Technology (NIST) developed its Framework for Improving Critical Infrastructure Cybersecurity. While originally intended for organizations managing critical infrastructure services in the US private sector, it became widely used by public and private organizations of all sizes and is commonly known as just the NIST cybersecurity framework.
Nearly a decade later and hot on the heels of the SolarWinds and Colonial Pipeline attacks, the Biden administration issued its own executive order on cybersecurity in 2021. Now concerned with the security of all federal systems and their software supply chains, the order (among other things) obligated NIST to prepare and issue suitable guidance. Based on this order and related activities, NIST has revisited its existing framework specifically to make it easier to apply regardless of industry or size of organization.
According to NIST, the stated purpose of the revision is to “reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well.” As part of this effort, the official name is being changed and the language simplified and refocused on practical usability. Most importantly, implementation examples have been added to the previously dry and theoretical document to illustrate how the framework items could translate into real actions.
Governance leads the list of changes
Looking at the CSF v2.0 public draft, the most prominent change is that we now have six core cybersecurity functions, with the Govern function joining the existing quintet of Identify, Protect, Detect, Respond, and Recover. This is in line with the shift away from protecting critical infrastructure and towards wider applicability, where each organization needs to start by understanding its unique operating context and defining risk management expectations and strategies. Specifically, the Govern function breaks out into the following categories:
- Organizational Context
- Risk Management Strategy
- Cybersecurity Supply Chain Risk Management
- Roles, Responsibilities, and Authorities
- Policies, Processes, and Procedures
Note that while the Govern function itself is new in v2.0, it mostly incorporates existing outcomes (subcategories) that have been moved out of other functions (mainly Identify) and into a new home that highlights the importance of top-down planning and oversight.
Examples at last
The existing NIST CSF is famously dry and theoretical, being originally intended as an aid for creating and managing highly formalized strategies and processes related to securing critical infrastructure. Its popularity as a general-purpose framework saw organizations picking, mixing, and interpreting the abstract outcomes to arrive at actual controls and actions to implement. Based on community feedback and in line with its expanded usage, CSF v2.0 provides implementation examples for each outcome.
The new examples make it much easier not only to implement outcomes but also just to read the document, helping you understand each outcome and see how it could apply in your specific situation. To illustrate, here’s one of the subcategories in the CSF draft under the new Govern function, category Organizational Context (GV.OC):
GV.OC-05: Outcomes, capabilities, and services that the organization depends on are determined and communicated
When read on its own, this is a very generic statement that could be interpreted (and misinterpreted) in many ways. Helpfully, there are now two examples of specific actions that fall under this subcategory:
Ex1: Create an inventory of the organization’s dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
Ex2: Identify and document external dependencies that are potential points of failure for the organization’s critical capabilities and services
While they only scratch the surface, the examples do make it much easier to start thinking along the right lines to map out your external dependencies and understand their security implications for your specific organization.
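As an added illustration (not from the NIST draft or this post), here is a small Python model of GV.OC-05 Ex1 and Ex2: it relates inventoried external dependencies to the business capabilities that rely on them, and flags dependencies of critical capabilities that have no alternative in the inventory as potential single points of failure. All resource and capability names are constructed sample data.

```python
# Added example for GV.OC-05 (Ex1/Ex2); all names are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Dependency:
    name: str                 # external resource, e.g. a hosting provider
    kind: str                 # facility, cloud, SaaS, supplier, ...
    alternatives: set = field(default_factory=set)  # substitutes, by name

@dataclass
class Capability:
    name: str
    critical: bool            # does the business consider it critical?
    depends_on: set           # names of dependencies it cannot run without

def dependency_map(deps, caps):
    """Ex1: relate each inventoried external resource to the capabilities
    that rely on it (empty list = inventoried but currently unused)."""
    uses = {d.name: [] for d in deps}
    for cap in caps:
        for dep_name in cap.depends_on:
            uses[dep_name].append(cap.name)   # KeyError => gap in the Ex1 inventory
    return {k: sorted(v) for k, v in uses.items()}

def single_points_of_failure(deps, caps):
    """Ex2: for critical capabilities, list dependencies with no alternative
    that is itself inventoried (an uninventoried fallback is unverified)."""
    by_name = {d.name: d for d in deps}
    spof = defaultdict(list)
    for cap in caps:
        if not cap.critical:
            continue
        for dep_name in sorted(cap.depends_on):
            if not (by_name[dep_name].alternatives & set(by_name)):
                spof[cap.name].append(dep_name)
    return dict(spof)

# Constructed inventory: "dr-site" is claimed as a fallback but never inventoried.
SAMPLE_DEPS = [
    Dependency("cloud-a", "cloud", {"cloud-b"}),
    Dependency("cloud-b", "cloud", {"cloud-a"}),
    Dependency("dns-provider", "SaaS"),
    Dependency("hq-datacenter", "facility", {"dr-site"}),
]
SAMPLE_CAPS = [
    Capability("customer-portal", True, {"cloud-a", "dns-provider"}),
    Capability("payroll", True, {"hq-datacenter"}),
    Capability("intranet-wiki", False, {"hq-datacenter"}),
]
```

Running `single_points_of_failure(SAMPLE_DEPS, SAMPLE_CAPS)` on this inventory reports the DNS provider and the headquarters data center as single points of failure for critical capabilities, because their fallbacks are either absent or not part of the inventory.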
Getting familiar with the NIST CSF v2.0 draft
The current document is still a public draft and open for community feedback, so there may be more changes before the final version lands in early 2024. Seeing as the implementation examples are both the biggest and the most subjective addition, it’s likely they will see modifications or additions compared to the draft. We will cover the official v2.0 on the blog once it is released, so watch this space for a deeper dive into applying the cybersecurity framework to web application security.
Compared to the current framework, the upcoming NIST CSF v2.0 promises to be much more practical and easier to apply in any organization. Considering its great value for building and maintaining a cybersecurity program, this can only be good news for federal agencies and commercial organizations alike.
For anyone who wants to get familiar with the new framework without digging through the full document, NIST has prepared a helpful reference tool as an interactive way to browse the updated functions, categories, subcategories, and examples.