On February 12, 2014, the US National Institute of Standards and Technology (NIST) issued a landmark document, the Framework for Improving Critical Infrastructure Cybersecurity (CSF). Four years later, NIST issued the CSF 1.1, which included updates on supply chain risk management, vulnerability disclosure, and other rapidly developing issues.\n\nNow, NIST is preparing to release another overhaul of the CSF following the early August release of a draft 2.0 version, developed after NIST issued a request for information (RFI), held two workshops, and requested comments on a core draft.\n\nWhat is the Framework for Improving Critical Infrastructure Security?\n\nFollowing an executive order (EO) by President Obama, NIST developed the CSF to provide a common language and structure to help organizations systematically better manage and communicate how they tackle cybersecurity risk management. The CSF has been adopted worldwide by private and public sector organizations. Many US government civilian and military procurement and guidance documents have incorporated the CSF to manage risk, including federal government agency contractor and subcontractor requirements for protecting unclassified information and the implementation guidance for President Biden's National Cybersecurity Strategy.\n\nNIST has designed the 2.0 draft to expand the use of the CSF, more fully embrace supply chain risk management, update other frameworks and resources, supply implementation guidance, address cybersecurity measurement and assessment, while adding an entirely new function. The following sections highlights some of these proposed changes to the CSF.\n\nBroader use of the framework\n\nPresident Obama's initial EO focused on critical infrastructure, given the emerging significant cybersecurity threats to the nation's energy and transportation systems and other critical assets without which essential activities could not function. To convey a broader focus more strongly in the US and internationally, NIST is changing the CSF name to its commonly used term, "Cybersecurity Framework," removing the emphasis on critical infrastructure. The original framework" has proved useful everywhere from schools and small businesses to local and foreign governments," NIST said in announcing the 2.0 version. "We want to make sure that it is a tool that's useful to all sectors, not just those designated as critical."\n\nThe new Govern function crosscuts everything\n\nThe current NIST CSF "core" consists of five functions: Identify, Protect, Detect, Respond, and Recover. Around those are clustered 23 categories and 108 subcategories of desired cybersecurity outcomes, and hundreds of informative references, mostly other frameworks, and industry standards.\n\nIn its 2.0 draft, NIST has added a sixth function, Govern, which covers how organizations make and execute decisions around cybersecurity. This new function crosscuts all the five other functions, emphasizing the people, processes, and technology needed to adequately govern cybersecurity functions within organizations.\n\nIn announcing the framework, NIST explains the Govern function "covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial, and other risks as considerations for senior leadership." The draft also offers guidance integrating the Framework with the NIST Privacy Framework and enterprise risk management, as discussed in NIST IR 8286.\n\nEmphasis on supply chain risk management\n\nUnder the Govern function, the CSF 2.0 offers a new category highlighting the importance of supply chain risk management, noting that a desired outcome is for organizations to identify, establish, manage, and monitor cyber supply chain risk management processes. NIST breaks these actions into ten subcategories of supply chain risk management efforts.\n\nThe categories and subcategories within the other functions also "provide a source for the organization to consider as a basis for supplier cybersecurity requirements, both for direct suppliers and as flow-down requirements for lower-tier suppliers," the CSF 2.0 states.\n\nThe draft further encourages organizations to use the Framework Profiles that are part of the CSF "to delineate cybersecurity standards and practices to incorporate into contracts with suppliers and provide a common language to communicate those requirements to suppliers." NIST notes that suppliers can also use profiles to express their cybersecurity posture and related standards and practices involving supply chain risks.\n\nFinally, the 2.0 draft points to the Target Profiles, also part of the CSF, to address supply chain risk management, saying they "can be used to inform decisions about buying products and services based on requirements to address gaps."\n\nMaking it easier to adopt the CSF\n\nTo address a chronic problem that hinders the adoption of the CSF, NIST plans to include in the final 2.0 draft examples of implementation guidance that offer more concrete, real-world examples of how organizations can implement the framework.\n\nAlthough the current 2.0 draft doesn't contain these examples, NIST has issued for public comment under separate cover examples of the types of guidance the final version might include. It encourages interested parties to provide input by Friday, November 4, 2023, on whether these examples are appropriately specific, what other types of models might be useful, how often NIST should update them, and what other sources of implementation guidance might be sources for the examples.\n\nTaking a stab at measuring cybersecurity performance\n\nOne frequent complaint about the current CSF is that it lacks clear guidance on measuring cybersecurity performance following the framework's adoption, making it harder to gauge the success or failure of implementing the many practices and techniques needed to achieve the desired outcomes.\n\nAlthough not extending this kind of guidance, the 2.0 draft does discuss metrics and encourages organizations "to innovate and customize how they incorporate measurement into their application of the framework." It also suggests that organizations play around with how they might measure performance. "The framework offers an opportunity to explore or adjust methodologies for measurement and assessment," the draft states.\n\nIn addition, the 2.0 draft introduces a new category under the Identify function that contemplates how organizations will identify improvements to organizational cybersecurity risk management processes, procedures, and activities as a means of measuring performance.\n\nUpdated cybersecurity references and resources\n\nThe 2.0 draft updates the resources and informative references used in the previous CSF versions, including:\n\nNIST plans to post an online tool with human- and machine-readable formats to allow organizations to see the relationships online between the CSF core and updatable resources.\n\nTimeline for CSF 2.0 completion\n\nOn September 19 and 20, NIST plans to host its third and final workshop ahead of a planned early 2024 release of the final CSF 2.0. NIST stresses that it does not intend to release another draft of CSF 2.0 for comment. Feedback on the 2.0 draft and related implementation examples are due November 4.