Monday, April 22 2024

The National Institute of Standards and Technology updated their cybersecurity framework for the third time in a new draft. The new framework offers guidance to organizations about reducing cybersecurity risks. It contains a set of outcomes so that any organization can evaluate, prioritize, grasp, and communicate its cybersecurity measures in an effective way.

The draft comes five years after its second update to the framework, released in April 2018. New challenges and the need to make it simpler to use merit an update, according to the press release. In crafting the new draft, NIST considered over a year’s worth of public input spread across 283 written responses, three workshops, and more.

ISACA, a global association focused on IT governance, sent an email providing feedback on the draft. The author pushed for more direct language and explanations of why categories and subcategories were added, realigned, dropped, or renamed. Meanwhile, an email from a cybersecurity official at JPMorgan Chase & Co. flagged two subcategories which he believed conflated disparate objectives. The official also recommended that NIST delete discussions of public relations and reputation repairs from the draft.

One major change seen in the new draft is its name and scope. While the previous framework only applied to critical infrastructure, the new one can be used for all organizations, regardless of type, size, or location. It also provides guidance on how organizations can carry out internal decisions in support of their cybersecurity goals, noting that cybersecurity is a substantial form of business risk that leadership should consider alongside legal or financial risks.

Other updates include additional information to clarify understanding of cybersecurity measurement and assessment; a new category about supply chain risk management; and added examples of how to achieve certain outcomes discussed in subcategory sections.

A pivotal objective of the framework will be to show organizations how they can implement it by using more guidance from NIST and other sources. Accordingly, NIST will release a reference tool in the coming weeks.

The final version of the framework is expected to be released by early 2024. NIST seeks email feedback on the draft until November 4, 2023. Individuals are encouraged to convey whether the draft addresses current and future cybersecurity challenges, is aligned with best practices and related resources, and considers existing feedback. The draft will be examined in a workshop which will be held this fall.  

Cherilyn Pascoe, the lead developer of the framework at NIST, noted that most organizations find the current framework helpful, but the update will assist in mitigating new risks. “The CSF was intended to be a living document that is refined, improved, and evolves over time to keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice,” she said


N.Y. Gov. Debuts Premier State Cybersecurity Strategy


Healthcare IoT Security: Risks, Policy, and the Path Forward 

Check Also


Don’t Miss

The words Endpoint Detection and Response (EDR) on a green background with lines on the right side of the image

Best Endpoint Detection & Response Platforms

Lara Oporto

Endpoint Detection & Response platforms continuously monitor endpoints for signs of malicious activities, such as unauthorized access or unusual behavior, enabling rapid detection and response to potential cyber threats to safeguard organizational assets. What is Endpoint Detection and Response and how does it work? Endpoint Detection and Response (EDR) is a cornerstone in modern cybersecurity […]

AT&T AlienVault Products Review: OSSIM vs USM

Ellie Buscemi

AlienVault is now the technological basis for AT&T AlienLabs and provides multiple products for different companies’ cybersecurity needs. What AT&T AlienVault Products are Available? In December 2021, CISOstack reported that AT&T intended to acquire AlienVault to expand its cybersecurity offerings to more businesses. Two years later, AlienVault-based offerings make up a large portion of AT&T’s […]

Photo by Simon Kadula on Unsplash.

Navigating Manufacturing IIoT Cybersecurity Challenges

John Powers

Guarding the Gears: Government policy and industry collaboration to mitigate cyberthreats to manufacturers. The smart factory is on the rise. Production lines equipped with advanced sensors can monitor equipment health in real-time and predict potential issues before they disrupt operations. Temperature and humidity sensors can ensure the optimal environment for delicate manufacturing processes. RFID-enabled asset […]

Best Microsegmentation Software

Ellie Buscemi

Microsegmentation allows a company to divide digital assets into smaller, more secure groups, which makes it harder for cybercriminals to take over a company’s data center. What is Microsegmentation? Microsegmentation refers to cyber professionals building layers of cybersecurity protection between groups of digital assets or individual cyber assets. Adding these layers inside instead of only […]

Best Breach and Attack Simulation Platforms

Ellie Buscemi

Breach and attack simulation (BAS) platforms allow companies to see weaknesses in their cyber infrastructures before a malicious hacker can exploit them. What Is BAS – Breach and Attack Simulation? Breach and attack simulation (BAS) is an approach to cybersecurity that uses advanced tools to imitate the attacks used by cybercriminals on companies’ digital infrastructure. […]

Ofer Ben-Noon and Ohad Bobrov

Palo Alto Networks to Acquire Talon

Ellie Buscemi

On Monday, Palo Alto Networks agreed to acquire Israeli startup Talon Cyber Security, an enterprise browser platform. The deal values Talon at between $600 to $700 million, according to The Information. Palo Alto will integrate Talon’s enterprise browser solution into its Prisma SASE product. The acquisition comes among a wave of acquisitions and releases involving […]