NIST Drafts Major Update to Its Widely Used Cybersecurity Framework

Author: Lucas Baiocchi

In the first major update since its inception, the National Institute of Standards and Technology (NIST) will be launching the Cybersecurity Framework (CSF) 2.0 in January 2024.[1] 

In addition to the traditional pillars of identify, protect, detect, respond, and recover, NIST CSF v2.0 will include a sixth pillar, governance. This new pillar emphasizes cybersecurity risk management strategy, expectations, and policy for senior leadership.  

NIST is also expanding the scope of the CSF from protecting critical infrastructure to all organizations, regardless of type or size.  

The new Govern pillar will include the following categories:  

  • Organizational Context (GV.OC): The circumstances (mission, stakeholder expectations, and legal, regulatory, and contractual requirements) surrounding the organization's cybersecurity risk management decisions are understood (formerly ID.BE).
  • Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions (formerly ID.RM).
  • Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders (formerly ID.SC).
  • Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated (formerly ID.GV-02).
  • Policies, Processes, and Procedures (GV.PO): Organizational cybersecurity policies, processes, and procedures are established, communicated, and enforced (formerly ID.GV-01).
  • Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.

You can view a full list of the proposed changes on an interactive website provided by NIST.[2] 

If you want to participate in the public review, you can provide feedback up until November 4, 2023.[3]  

Meditology is updating its NIST CSF Security Risk Assessment (SRA) in anticipation of the January release of CSF 2.0. We are here to support you on your NIST CSF 2.0 journey.
