As its name indicates, the original Framework helped organizations mitigate risks to U.S. critical infrastructure. “Critical infrastructure,” as used by NIST and defined in law, means the systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on U.S. security, economic security, public health or safety, or any combination thereof. Critical infrastructure covers sectors such as healthcare and public health, communications, transportation, and financial services. However, NIST discovered that the concepts in this original Framework transcended critical infrastructure—creating a foundation for security practices across a multitude of other business sectors. The Cybersecurity Framework 2.0 works to capture this broad applicability, ultimately updating the use case and restructuring the scope of the original Framework.
Substantively, the Cybersecurity Framework 2.0 attempts to better reference and relate to other applicable NIST frameworks and initiatives, such as its Privacy Framework, the NICE (formerly known as the National Initiative for Cybersecurity Education) Workforce Framework, and the Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, among others.
Moreover—and very helpfully—the Cybersecurity Framework 2.0 provides implementation examples for NIST processes, adds guidance on how companies can describe and categorize current and target cybersecurity postures, and adds a new governance category (referred to as a “Function”) for organizing cybersecurity outcomes: “Govern.”
Cybersecurity governance was always an element of the original Framework, but providing the additional “Govern” function helps organizations to better manage their cybersecurity efforts by providing express guidance regarding the creation of cybersecurity governance programs. This is especially helpful as the need for improved cybersecurity has grown as we become more dependent on connected technologies.
Further recognizing the increasing interconnectedness (and accompanying complexity) of these technologies, the Cybersecurity Framework 2.0 specifically addresses cybersecurity supply chain risk management. It also places additional focus on the people, processes, and technology involved in cybersecurity, as each is an essential part of improving an organization’s cybersecurity practices. Finally, the Cybersecurity Framework 2.0 places an emphasis on continuous improvement.
While NIST’s guidance—including the Cybersecurity Framework 2.0—is largely voluntary, the guidance is regularly used as a foundation by federal and state departments and agencies for mandatory regulations and is often referenced in contractual agreements as a required industry standard. Thus, organizations should consider how these practices align with their current and anticipated future cybersecurity challenges and needs. Comments on the draft are due November 5 and can be emailed to cyberframework@nist.gov.