Inside Cybersecurity

Cyber Solarium leader Montgomery says ‘CSF 2.0’ framework update will spur corporate security improvements

By Charlie Mitchell / June 15, 2022

NIST’s planned update of the cybersecurity framework in a “CSF 2.0” process will compel companies in the U.S. and across the globe to review and revise their cyber plans, a beneficial if demanding process that has stirred some trepidation among stakeholders, said Cyberspace Solarium Commission leader Mark Montgomery.

“I suspect the benefits will outweigh the costs,” Montgomery told Inside Cybersecurity. He said companies ultimately will go through an internal process to adopt the CSF 2.0 update, which will also create an opportunity to perform any needed NIST 800 series updates and to implement other sector-specific guidance.

“You upgrade your tech every 12-18 months, you should re-train your people every 18 months, why not upgrade your policies/processes more frequently,” Montgomery said.

Montgomery is senior director at the Foundation for Defense of Democracies and former executive director of the Cyberspace Solarium Commission. FDD has taken over as the home of the Solarium Commission’s recommendations and work products since the expiration of the body’s congressional charter.

“I think the NIST CSF is functioning well, but an update would be useful, and having frequent public workshops is warranted,” Montgomery said. “The CSF is a key document used by critical infrastructures to develop recommended guidelines or standards for cybersecurity compliance, so any improvements to this will eventually spur improvements in critical infrastructure protection.”

He noted though: “One caution is that a new CSF will invariably mean a lot of follow-on work across multiple sectors updating documents, so it does need to be meaningful.”

NIST on June 3 released an “initial summary analysis” of stakeholder responses to the agency’s request for information on launching CSF 2.0 and said it will move forward with a process that includes release of a draft version within months and “multiple public workshops.”

Among the 134 sets of comments submitted to NIST, many stakeholders noted the challenge of ensuring the updated framework is compatible and maps with the CSF-based programs implemented by companies throughout the world.

“[I]t will be important to minimize structural changes to preserve backward compatibility and ensure organizations across the world can continue to implement and map to the CSF successfully,” Paul Eisler, senior director for cybersecurity at USTelecom – The Broadband Association, told Inside Cybersecurity.

NIST’s CSF program manager Cheri Pascoe in a recent blog said “we do not envision significant changes to the CSF structure – the Tiers, the Core, and the Profiles – but you can expect to see modifications throughout the Framework.” – Charlie Mitchell