NIST announces rare overhaul of security framework, focusing on organizational leadership


A draft update to the National Institute of Standards and Technology (NIST) cyber security framework has been released, highlighting the importance of senior leadership in a cyber security strategy.

The update also expands the scope of the framework from critical infrastructure, such as hospitals or the banking system, to encompass all organizations regardless of type or size. It has also been formally renamed 'The Cybersecurity Framework' from 'Framework for Improving Critical Infrastructure Cybersecurity' in light of the scope change.

As well as the change of scope, NIST has added a sixth function, 'Govern', to the five core functions that currently make up the framework: Identify, Protect, Detect, Respond, and Recover.

The new Govern function reflects the view that cyber security should be a priority for organizations' leadership teams. It covers how an organization establishes and monitors its cyber security risk management strategy, expectations, and policy, and how decisions in support of that strategy are made and executed.

In its announcement, NIST said the new framework “emphasizes that cyber security is a major source of enterprise risk, ranking alongside legal, financial, and other risks as considerations for senior leadership”.

Other changes in the draft include improved guidance on tailoring the framework for specific situations in response to requests from the community.

Andrew Rose, resident CISO at Proofpoint, said the announcement was a positive one, particularly NIST’s decision to expand the governance coverage into its own function.

He also criticized the new framework for not adequately addressing the significant role individuals play in an organization’s exposure to cyber incidents.

“I’m personally disappointed that the opportunity was not taken to extend the people-centric coverage. In fact, they’ve merged 5 Awareness & Training controls into just 2”.  


Rose cited World Economic Forum research pointing to human error as the underlying cause of the vast majority of security incidents: the organization's 2022 Global Risks Report traced 95% of cyber security issues to human error.

Rose also stated that 78% of UK CISOs regarded human error as their organization’s most significant cyber vulnerability.

He said: “This is an area ripe for expansion and wider coverage, not consolidation”.

The framework was originally issued in 2014, and the latest version, 1.1, was published in April 2018. In February 2022, NIST issued a request for information (RFI), and responses indicated that while the framework remained a useful tool, an update was needed in light of the rapidly evolving threat landscape.

A summary analysis of RFI responses was published in June 2022, and comments on the draft framework will be accepted until 4 November. NIST plans to publish the final version 2.0 of the cyber security framework in 2024.

What is the cyber security framework, and is it still relevant?

The cyber security framework provides high-level guidance for managing cyber security risk across an organization. It includes common terms and aims to improve communication between technical and non-technical staff.

Organizations using the framework select the activities and guidance that fit their needs. Although initially aimed at critical infrastructure, it has proved a helpful tool for many kinds of organizations, from governments to schools and small businesses.

Since 2014 it has been downloaded more than 2 million times and translated into at least nine languages.

Rose described it as a global standard, “loved by security professionals due to its simplicity and broad coverage”.

He added that the framework lent itself well to creating models that could be understood by executive leadership.

As for its relevance, Rose accepted that it was impossible for the standards, which are the result of consultation and consideration, to be as agile as the CISOs who rely on them. As such, a level of adaptation would always be needed to compensate for any shortfalls.

The framework’s relevance can therefore be seen in its use as a baseline, adapted or augmented to meet the needs of industry and threat mitigation.

Richard Speed
Staff Writer

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITProCloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.

Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.