Understanding the NIST Cybersecurity Framework 2.0 in Detail

Cybersecurity and information security are crucial elements of corporate and federal governance systems. The NIST Cybersecurity Framework, which federal agencies are required to use, helps businesses of all sizes and sectors create successful CMMC cybersecurity programs without starting from scratch.

The transition to NIST CSF 2.0 started in February 2022, driven by several goals, including keeping up with changing security threats and technologies, incorporating lessons learned, making sure the Framework is straightforward and adaptable enough for smaller organizations to use, and offering implementation advice for new adopters.

The update process will be dynamic and collaborative, and it might take a year or longer to finish. Because cybersecurity is crucial for everyone, NIST advises enterprises to proceed with CSF 1.1 implementation until CSF 2.0 becomes available in late 2023 or early 2024.

Reasons for the CSF Update

The NIST Cybersecurity Framework was intended to be a dynamic, living document from the beginning. It is a framework designed to advance and change over time to:

  1. Keep up with advancements in security technology and threat trends.
  2. Incorporate lessons learned.
  3. Move from a best practice to common practice.

The first version of the Framework, also referred to as the NIST Framework for Enhancing Key Infrastructure Information Security, the NIST Cybersecurity Framework, Guidelines, or CSF, was published in February 2014, following extensive engagement and collaboration between the public and private sectors.

In April 2018, four years after the Framework’s initial release, NIST released CSF 1.1.

Since the original version was released in 2014, a lot has changed, including new security threats, technologies, and bad actors. NIST has the following goals for the upcoming update:

Create new interactive, machine-readable formats of the Framework, which is typically obtained from the NIST website.

Make sure the structure is straightforward and adaptable, especially for smaller firms whose resources and CMMC regulation cybersecurity needs may be less substantial.

Provide implementation advice to make the Framework easier for enterprises to adopt, particularly those just starting to create cybersecurity programs.

More clearly describe how the CSF can be mapped to other NIST and non-NIST cybersecurity frameworks using the National Online Informative References (OLIR) Program.

NIST also stated that as they move forward with this update, they will “significantly emphasize whether and how to add supply chain cybersecurity or 3rd risk into the framework.”

Interim Guidance and the CSF 2.0 Update Schedule

Comments can still be submitted on the online request for information for several months. NIST expects the update process to take a year or longer and anticipates that CSF 2.0 will be available near the end of 2023 or early in 2024.

NIST has said that it will consider backward compatibility as part of the revision process, to respect the investment companies have made in adopting the Framework as it now stands.

NIST CSF 1.1 is still a current, useful, and frequently used framework in the interim. NIST advises companies to adopt CSF 1.1 for the duration of the more than year-long update process rather than postponing adoption to wait for the next version.