• NIST is publishing the concept paper to seek additional input on the structure and direction of the Cybersecurity Framework (CSF or Framework) before crafting a draft of CSF 2.0. This concept paper outlines more significant potential changes that NIST is considering in developing CSF 2.0.
• Some of the proposed changes outlined are larger structural changes that may impact compatibility with CSF 1.1, thus warranting additional attention and discussion.
• The paper does not cover all potential changes that may be made to the Framework structure, format, and content, especially specific changes to Categories and Subcategories of the CSF Core.

Furthermore, per NIST, “With this update, NIST is open to making more substantial changes than in the previous update”...thus “The ‘CSF 2.0’ version reflects the evolving cybersecurity landscape—but community needs will drive the extent and content of the changes.”

In terms of the specific “Potential Significant” Changes, they are as follows:

• Change the CSF’s title and text to reflect its intended use by all organizations
• Scope the CSF to ensure it benefits organizations regardless of sector, type, or size
• Increase international collaboration and engagement
• Retain CSF’s current level of detail
• Relate the CSF clearly to other NIST frameworks
• Leverage Cybersecurity and Privacy Reference Tool for online CSF 2.0 Core
• Use updatable, online Informative References
• Use Informative References to provide more guidance to implement the CSF
• Remain technology- and vendor-neutral, but reflect changes in cybersecurity practices
• Add implementation examples for CSF Subcategories
• Develop a CSF Profile template
• Improve the CSF website to highlight implementation resources
• Add a new Govern Function
• Improve discussion of relationship to risk management
• Expand coverage of supply chain
• Clarify how leveraging the CSF can support the measurement and assessment of cybersecurity programs
• Provide examples of measurement and assessment using the CSF
• Update the NIST Performance Measurement Guide for Information Security
• Provide additional guidance on Framework Implementation Tiers

After almost a half-decade of working with CSF 1.1, updates should be expected, and welcomed, as the cybersecurity threat landscape continues to change and evolve.

A workshop is being hosted by NIST on February 15, 2023, with comments due by March 03, 2023.

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®.  Learn more at arlingtonintel.com.