On January 19, 2023, the National Institute of Standards and Technology (“NIST”) published a Concept Paper setting out “Potential Significant Updates to the Cybersecurity Framework” and requesting public feedback and comments on the proposed revisions by March 3, 2023. Originally released in 2014 and previously updated in 2018, the NIST CSF is a framework designed to assist organizations with developing, aligning, and prioritizing “cybersecurity activities with [] business/mission requirements, risk tolerances, and resources.” Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity. As the name suggests, the Concept Paper outlines potential significant updates to the Framework, and NIST previews that some of the proposed changes are “larger structural changes that may impact compatibility” with the current version of the Framework. For example, NIST proposes expanding the Framework’s five functions (Identify, Protect, Detect, Respond, and Recover) to add a new function on cybersecurity governance (“Govern”).
A new post on Covington’s Inside Privacy blog discusses the potential significant updates to the NIST Cybersecurity Framework.