Monday, July 22 2024

The National Institute of Standards and Technology updated their cybersecurity framework for the third time in a new draft. The new framework offers guidance to organizations about reducing cybersecurity risks. It contains a set of outcomes so that any organization can evaluate, prioritize, grasp, and communicate its cybersecurity measures in an effective way.

The draft comes five years after its second update to the framework, released in April 2018. New challenges and the need to make it simpler to use merit an update, according to the press release. In crafting the new draft, NIST considered over a year’s worth of public input spread across 283 written responses, three workshops, and more.

ISACA, a global association focused on IT governance, sent an email providing feedback on the draft. The author pushed for more direct language and explanations of why categories and subcategories were added, realigned, dropped, or renamed. Meanwhile, an email from a cybersecurity official at JPMorgan Chase & Co. flagged two subcategories which he believed conflated disparate objectives. The official also recommended that NIST delete discussions of public relations and reputation repairs from the draft.

One major change seen in the new draft is its name and scope. While the previous framework only applied to critical infrastructure, the new one can be used for all organizations, regardless of type, size, or location. It also provides guidance on how organizations can carry out internal decisions in support of their cybersecurity goals, noting that cybersecurity is a substantial form of business risk that leadership should consider alongside legal or financial risks.

Other updates include additional information to clarify understanding of cybersecurity measurement and assessment; a new category about supply chain risk management; and added examples of how to achieve certain outcomes discussed in subcategory sections.

A pivotal objective of the framework will be to show organizations how they can implement it by using more guidance from NIST and other sources. Accordingly, NIST will release a reference tool in the coming weeks.

The final version of the framework is expected to be released by early 2024. NIST seeks email feedback on the draft until November 4, 2023. Individuals are encouraged to convey whether the draft addresses current and future cybersecurity challenges, is aligned with best practices and related resources, and considers existing feedback. The draft will be examined in a workshop which will be held this fall.  

Cherilyn Pascoe, the lead developer of the framework at NIST, noted that most organizations find the current framework helpful, but the update will assist in mitigating new risks. “The CSF was intended to be a living document that is refined, improved, and evolves over time to keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice,” she said

Previous

N.Y. Gov. Debuts Premier State Cybersecurity Strategy

Next

Healthcare IoT Security: Risks, Policy, and the Path Forward 

Check Also

Widget

Don’t Miss

Sevco Security Platform Product Review

Ellie Buscemi

What is the Sevco Security Platform? The Sevco Security Platform is a cyber asset attack service management (CAASM) product that focuses on aggregating and correlating data from across a company’s cybersecurity infrastructure to give cybersecurity professionals a better sense of what the company’s infrastructure looks like as a whole. The platform’s sources include a company’s […]

Cyber Deals: Huntress, Cyberhaven, and SpyCloud

CISOstack

Cybersecurity Surge: Top Funding Rounds and Strategic Acquisitions Fuel Growth in AI, Cloud Security, and Threat Prevention Solutions

Fidelis Elevate: A Deep Dive

Ellie Buscemi

What is Fidelis Elevate? Fidelis Elevate is an open extended detection and response (open XDR) solution focusing on network protection, endpoint security, and cyber attacker deception. The platform aims to protect various elements of a company’s infrastructure, such as devices and servers while tracking suspicious behavior and preventing access to cyber criminals. What features does […]

Partially closed laptop screen

Best Extended Detection and Response (XDR) Solutions

Lara Oporto

What is Extended Detection and Response and how does it work? Extended Detection and Response (XDR) is a cybersecurity system that gathers information from different places like computers, networks and emails. Unlike other security tools that focus on one area like computers or networks, XDR looks at everything together. The comprehensive approach helps to find […]

Close up of computer chip

Best Managed Detection and Response (MDR) Solutions

Lara Oporto

What is Managed Detection and Response? Managed Detection and Response (MDR) is a cybersecurity service that provides continuous monitoring, threat detection and incident response capabilities. MDR achieves these capabilities through the deployment of advanced technologies such as machine learning and behavioral analytics as well as analysis from security professionals. MDR is a cybersecurity service that […]

Best Hyperconverged Infrastructure Software

Ellie Buscemi

What is Hyperconverged Infrastructure and how does it work? Hyperconverged infrastructure (HCI) is a software that provides computing, storage and network operations for a company from a single point on a company’s hardware. Originally, computing, storage and network operations were divided in a company’s hardware infrastructure and potentially provided by separate vendors with different management […]