The IT Nerd

Major Updates To NIST Cybersec Framework Are Inbound

The U.S. Dept. of Commerce National Institute of Standards and Technology (NIST) is proposing significant reforms to its Cybersecurity Framework (CSF) for the first time in five years, and the final week for stakeholder input begins Feb. 27, 2023. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary. First published in 2014 and revised in 2018, the CSF provides a set of guidelines and best practices for managing cybersecurity risks.

NIST held two additional stakeholder workshops this week, just prior to the public comment period ending March 3rd.

I have three views of this. Starting with Chloe Messdaghi, Managing Director of Impactive Partners:

   “It’s great to hear that there will be a significant reform to the framework. It is important to recognize that security team wellness determines how successful the use of the framework is. We cannot continue to ignore the human element part that cybersecurity plays when we are protecting from attacks. 

   “When a team has poor leadership and management, it places the greatest risks for creating a revolving door environment, mental health issues, lack of inclusion, and a continuing overstretched security team, which in return, leads to an increased cybersecurity risk for an organization.”

Next up is Bryson Bort, Founder and CEO of SCYTHE:

   “Small business and education have been out in the cold for years as cyber poor, but target rich. Ransomware has moved the threat from expert jargon to preying on your local community. We’re seeing the government work collaboratively beyond pushing paper (NIST CSF) to rolling up their sleeves to help them directly with CISA’s announcement on these same priorities last month.”

Finally I have Christopher Hallenbeck, CISO, Americas for Tanium:

   “Practical guidance has long been missing. NIST publications tend to be dense reads filled with jargon that make them less approachable to less resourced organizations. I’m glad to see an emphasis on addressing the underrepresented community of small businesses in this process.”

This reform by NIST is important, as it will ensure that the threat landscape is reduced, which in turn will make it harder for threat actors to do their dirty work.
