NIST issued a call for comments on proposed revisions to its Cybersecurity Framework back in January. They're now coming due.
Comments on NIST's Cybersecurity Framework 2.0 are due March 3rd.
The proposed changes to the US National Institute of Standards and Technology's (NIST) guidance, described in the NIST Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework, are open for public comment through this Friday, March 3rd, 2023. Comments on Framework 2.0 should be emailed to firstname.lastname@example.org.
Impact of changes to NIST Cybersecurity Framework 2.0.
Among other goals, the changes are intended to expand the scope of the Framework to organizations of all sizes, in all sectors. They also reflect an increased emphasis on international cooperation, and a more extensive treatment of cybersecurity as an exercise in risk management. NIST wants to show how the framework is tied to other related standards, and it seeks to bring more attention to governance, implementation, and supply-chain issues.
What's NIST looking for in the way of comments on Cybersecurity Framework 2.0?
NIST would like the comments to address six questions:
- "Do the proposed changes reflect the current cybersecurity landscape (standards, risks, and technologies)?"
- "Are the proposed changes sufficient and appropriate? Are there other elements that should be considered under each area?"
- "Do the proposed changes support different use cases in various sectors, types, and sizes of organizations (and with varied capabilities, resources, and technologies)?"
- "Are there additional changes not covered here that should be considered?"
- "For those using CSF 1.1, would the proposed changes affect continued adoption of the Framework, and how so?"
- "For those not using the Framework, would the proposed changes affect the potential use of the Framework?"
Industry comment on NIST Cybersecurity Framework 2.0.
We received some comments from security industry leaders on the proposed changes to the Framework. Chloe Messdaghi, Managing Director at Impactive Partners, hopes to see closer attention to the security team, to the human element in the security equation. “It's great to hear that there will be a significant reform to the framework," Messdaghi wrote. "It is important to recognize that security team wellness determines how successful the use of the framework is. We cannot continue to ignore the human element part that cybersecurity plays when we are protecting from attacks. When a team has poor leadership and management, it places the greatest risks for creating a revolving door environment, mental health issues, lack of inclusion, and a continuing overstretched security team, which in return, leads to an increased cybersecurity risk for an organization.”
Bryson Bort, Founder and CEO of SCYTHE, welcomes the attention devoted to much-attacked but often overlooked organizations. “Small business and education have been out in the cold for years as cyber poor, but target rich," Bort said. "Ransomware has moved the threat from expert jargon to preying on your local community. We’re seeing the government work collaboratively beyond pushing paper (NIST CSF) to rolling up their sleeves to help them directly with CISA’s announcement on these same priorities last month.”
And Christopher Hallenbeck, Tanium's CISO for the Americas, approves of what he sees as more attention to usability. “Practical guidance has long been missing. NIST publications tend to be dense reads filled with jargon that make them less approachable to less resourced organizations. I'm glad to see an emphasis on addressing the underrepresented community of small businesses in this process.”