The National Institute of Standards and Technology will publish the final version of its cybersecurity framework update in February, according to cyber leader Kevin Stine, who provided a preview to Inside Cybersecurity on rollout plans.
The February release is the culmination of a two-year effort to update the framework, known as “CSF 2.0,” that started with a request for information in early 2022. Since then, NIST has sought feedback from stakeholders through a concept paper, drafts and workshops.
“We’ve been talking about CSF 2.0 for many months not just as a single document or resource but really as a suite of resources and capabilities. When we issue CSF 2.0, it will include the document itself, CSF 2.0, and additional resources around it,” Stine said in an interview with Inside Cybersecurity.

Additional content will include mappings in NIST’s Cybersecurity and Privacy Reference Tool and “a series of quick start guides,” Stine said. Some of the guides will be released along with CSF 2.0 and others will “trail a little bit,” according to Stine.
Stine said he expects there will be “quick start guides” including a summary of the CSF and a guide that goes through major components of the framework including the tiers, profiles and the core.
There could also be quick start guides for “specific audiences,” Stine said, pointing to “small and medium size businesses” as an example.
Stine is chief of the Applied Cybersecurity Division at NIST’s Information Technology Laboratory. The launch of the CSF 2.0 update was led by Cheri Pascoe, who was appointed in August as the new director of NIST’s National Cybersecurity Center of Excellence.
Pascoe saw through the completion of the full CSF 2.0 draft for public comment before moving over to the NCCoE. Stine is spearheading the effort to finalize CSF 2.0 and the official launch of the updated framework.
Stine noted that NIST has been successful in getting foreign-language translations of CSF 1.1 published and said the agency will continue to “work on those” with the release of CSF 2.0 and “encourage the community to do the same as well.”
NIST published the full draft of CSF 2.0 in August along with a draft CPRT tool where users can find informative references and implementation examples for each category and subcategory. The agency held its third and final CSF 2.0 workshop in September, which featured a series of panels and in-person breakout sessions on specific aspects of the framework.
Stine said he isn’t “expecting any major changes” in CSF 2.0 from the full draft. There was a “lot of discussion,” Stine said, “not just in the public comments but also through the different workshops and sessions we’ve hosted over the past several months and year around the functions, the profiles and how to relate the framework to other things – NIST and other organization issued resources.”
“I’m not anticipating major changes in any of those areas,” Stine said. “We certainly are adding a ‘Govern’ function. We don’t anticipate adding any functions beyond govern though. We have been clear we are increasing our treatment and discussion of cybersecurity risk management, not through a function but rather through continued enhancements and the category and subcategory level.”
On CPRT, Stine said NIST intends to “push more content online” through the tool. He said, “We think it gives us a very powerful capability to not only share our content but also allows us and for others to use that content and express relationships with other resources not just through mappings tables, spreadsheets and things like that, but through a more automated manner.”
“We’re excited about that capability. We have continued to improve the CPRT, both the content that is out there now and the look and feel of it to try to make it a little more user friendly,” Stine said.
The CPRT features other major NIST publications including the privacy and risk management frameworks and the massive catalog of security and privacy controls in NIST Special Publication 800-53.
Moving the informative references and including CSF 2.0 implementation examples in CPRT “will allow us to be more responsive to updates and changes in a much more agile manner as opposed to when we update CSF 2.0 proper which is on a slower timeline,” Stine said.
The implementation examples are not intended to be an “exhaustive” or a “comprehensive list of actions that organizations need to take,” Stine said, “but rather a starter set of considerations that can help guide organizations as they seek to achieve the specific outcomes that are expressed in the categories and subcategories in the framework.”
He added, “That’s certainly the spirit in which we are intending to provide those as good starter resources for organizations of all shapes and sizes.”
When asked about artificial intelligence, Stine said, “We are looking for opportunities to establish stronger connections between all of our frameworks and resources.”
Stine said NIST has “a lot of active efforts underway right now, both in the broader trustworthy AI research program” and priorities mandated by President Biden’s 2023 AI executive order. Stine pointed to the upcoming companion guide to the NIST Secure Software Development Framework that will focus on generative AI and dual use foundation models as an example.
“There’s some natural relationships and efforts that are underway now to help clarify how these things can be used together to meet the needs of organizations and developers. We will continue that with CSF 2.0,” Stine said.
NIST will hold a workshop on Jan. 17 to launch its work on creating the SSDF companion guide.
Of the workshop, Stine said, “The SSDF is a stable document most recently updated in response to Executive Order 14028 a couple of years ago. We have a great opportunity right now to share how the SSDF can be leveraged and applied in context of different technology or different technology platform.”
-- Sara Friedman (sfriedman@iwpnews.com)