
What's new in the National Institute of Standards and Technology's brand-new CSF framework

New updates and performance metrics in NIST's Cybersecurity Framework 2.0

The National Institute of Standards and Technology (NIST) has released a draft of the Cybersecurity Framework 2.0. This new version includes new features and focuses on organizational security. Comments will be accepted until 2024.


The US National Institute of Standards and Technology (NIST) recently released a draft of the Cybersecurity Framework 2.0 (CSF). This new release aims to engage a broad range of organizations, not just those key to critical infrastructure, and elevate the importance of corporate governance and supply chain security. Ahead of its planned release in 2024, NIST is seeking comments and input from the public.

Framework for improving the security of critical infrastructures

The CSF was initially created by NIST in response to an executive order from President Obama, with the goal of providing a common language and structure to help organizations systematically manage and communicate their approach to cybersecurity risk management. The CSF has been adopted by public and private organizations around the world, and many U.S. government civil and military procurement guidance documents and requirements have incorporated the CSF.

Proposed updates for CSF 2.0

The new draft of CSF 2.0 proposes a series of updates and changes. First, the framework's name will be changed from “Critical Infrastructure Security Enhancement Framework” to “Cybersecurity Framework,” to reflect its applicability to all organizations, not just those designated as critical. Another important innovation is the introduction of a sixth function called "Govern", which cuts across all the other functions and focuses on the decision-making and management aspects of cybersecurity within organizations. CSF 2.0 will also pay greater attention to supply chain risk management and provide examples of concrete implementation guidance to facilitate adoption of the framework.

Measuring cybersecurity performance

One of the criticisms of the current CSF is the lack of clear guidance on measuring cybersecurity performance. The draft CSF 2.0 highlights the importance of measuring performance and encourages organizations to innovate and customize their measurement and evaluation methods. CSF 2.0 also introduces a new category in the "Identification" function dedicated to identifying improvements in organizations' cybersecurity risk management processes, procedures and activities.

Updated resources and roadmap

Finally, the draft CSF 2.0 includes an update to resources and references used in the previous version, such as the NIST Privacy Framework and the Cybersecurity Workforce Framework. NIST plans to publish an online tool that will allow organizations to see relationships between the CSF core and external resources in human- and machine-readable format. NIST expects to release the final version of CSF 2.0 in early 2024, after gathering input and comments on earlier drafts.


09/12/2023 09:31

Editorial AI
