The U.S. NIST recently released an update of a tool of its own design, the Cybersecurity Framework.This upgrade comes as the rate of growth in the field of cybersecurity is increasing, in terms of both legislation and norms, and cyberthreats. The important role played by the NIST means that this upgraded version has major implications for the entire cybersecurity sector.
On 8 August, 2023, the U.S. National Institute of Standards and Technology (NIST) released a proposal for a new version (2.0) of the Cybersecurity Framework (CSF), to provide organizations with a framework for cybersecurity measures. Since it was first released in 2014, the CSF has become a fundamental tool used by firms around the world to enhance their resilience to cyberthreats.
The Cybersecurity Framework is a high-quality tool that defines a general framework to help organizations identify, assess, and manage cybersecurity risk. The Cybersecurity Framework is intended to provide an organized and coherent set of best practices, guidelines, and standards to be aligned with the particular needs of the various sectors and organizations. For this reason, it contains references to norms and specific guidelines drawn up by the NIST, but also by the International Organization for Standardization (ISO).
The main changes in the upgraded version of the framework:
-
- the scope has been revised and expanded – the new CSF expands the framework to include new and current norms and guidelines, making it more relevant and complete;
- aids for those implementing it – the tips for using CSF 2.0 in practice have also been improved, which is intended to make it significantly easier to implement.
Importantly, development of cybersecurity tools, norms, and guidelines has major implications for commercial practice. This is because they are key as a means of soft law – they play a truly complementary role in relation to the enacted laws, as these are laws that have to account for the rapid rate of development of technology and lengthy legislative processes. Legislators realize this, and legislation often does in fact make general reference to technical norms and guidelines. NIS 2 is just one example. With regard to cybersecurity risk management measures, references are made for instance to the ‘state of the art’ and “European and international norms”.
For this reason, both private and public entities need to take measures to implement cybersecurity norms and standards, to ensure greater cyberthreat resilience, but also legal compliance. In practice, this will usually be in fact the standards devised by the NIST and ISO, and therefore it would be advisable to review the procedures and policies in place in an organization, and determine whether they need to be updated, now that a new version of the NIST framework has been released.
Author: Marcin Ręgorowicz, Konrad Basaj