Due to heightened risks and to keep pace with the constantly evolving cybersecurity landscape, the National Institute of Standards and Technology (NIST) plans to revise its widely adopted NIST Cybersecurity Framework (CSF). As a first step, NIST has issued a request for information to obtain public comments on several key areas by April 25, 2022.
As many security professionals can attest, this framework is used across multiple industries and implemented by companies large and small. The Cybersecurity Framework was last updated in April 2018. Much has changed in the cybersecurity landscape in terms of threats, capabilities, technologies, education, and workforce.
The request for comments is focused on three major areas and provides some initial insight into potential changes in the next CSF version. Within each area, NIST is considering the following changes:
- Use of the NIST Cybersecurity Framework
  - Change features of the CSF (e.g., functions, guidance, references) to improve its usability
  - Reduce the challenges that keep many organizations from fully implementing the CSF
  - Improve the assessment, management, and monitoring of risks in the CSF
- Relationship of the NIST Cybersecurity Framework to Other Risk Management Resources
  - Improve alignment and integration with other NIST risk management resources, trustworthy technology resources, and workforce management resources
  - Improve alignment and integration with non-NIST frameworks, such as the ISO/IEC 27000-series
  - Improve alignment and integration with international adaptations of the CSF to increase global use of the CSF
- Cybersecurity Supply Chain Risk Management
  - Align and integrate the NIST National Initiative for Improving Cybersecurity in Supply Chains (NIICS) into the CSF
  - Improve the identification and prioritization of supply chain-related cybersecurity needs across sectors
  - Identify tools and guidance to achieve greater assurance throughout the software supply chain, including open-source software
What Do the Changes Mean for Your Company?
- The potential changes may reduce some existing challenges to fully implementing the CSF.
- The risk management area of the CSF may be significantly enhanced, allowing for better alignment with other risk frameworks in your company, e.g., Enterprise Risk Management.
- The updated framework can expand coverage and assurance into cybersecurity risks related to supply chain components, including embedded software.
How MorganFranklin Can Help
We work with our clients to provide a comprehensive and robust approach to solving your most critical cybersecurity needs. From consulting and implementation to managed services and project resourcing, we work to safeguard resources by identifying risks, developing and maturing cybersecurity programs, and implementing solutions that support and meet your organization’s business goals. We do this using a hands-on approach, providing the right blend of experience and expertise to successfully deliver, execute, and manage your end-to-end cybersecurity needs.