The Cybersecurity Coalition submitted comments in response to the National Institute for Standards and Technology (NIST) Discussion Draft of the Cybersecurity Framework (CSF) 2.0 Core with Implementation Examples.

The Coalition is broadly supportive of the proposed changes to the CSF Core and was pleased to see:

  • Addition of the Governance function.
  • Reorganizing of categories and subcategories to follow a pre-incident and post-incident chronology.
  • Removal of references to critical infrastructure.
  • Inclusion of a traceability matrix and implementation examples.
  • Increased engagement with international partners.

Our comments provided recommendations on the following topic areas:

  1. Consistency between CSF and Privacy Framework
  2. Practical Guidance on Utilizing Multiple NIST Risk Management Frameworks
  3. Simplify Online Tools for Informative References

Consistency between CSF and Privacy Framework

The Coalition’s comments emphasize the need for alignment between the CSF 2.0 Core and the NIST Privacy Framework. Many organizations use or plan to use both frameworks together to address privacy and cybersecurity risks. To ensure alignment, the Privacy Framework should reflect changes in the CSF, such as structural alignment and maintaining consistent phrasing for controls that are shared by both frameworks. 

To help facilitate these updates, we provided a mapping between the Privacy Framework, the CSF v1.1, and CSF 2.0 Core. We recommend a tandem update schedule for both frameworks to minimize unnecessary inconsistencies between them.

Practical Guidance on Utilizing Multiple NIST Risk Management Frameworks

The Coalition recommends that NIST provide more resources explaining how different NIST risk management frameworks align and how organizations can use them together effectively. NIST offers multiple frameworks – such as CSF 2.0, Privacy Framework, Risk Management Framework, Cybersecurity Supply Chain Risk Management, and Artificial Intelligence Risk Management. The Coalition suggests utilizing the National Cybersecurity Center of Excellence (NCCOE) to create guidance on how to combine NIST publications, highlighting commonalities, and practical implementation. 

Simplify Online Tools for Informative References

Finally, the Coalition urges NIST to enhance usability and simplify its CSF online tools. The current mechanisms – such as the Cybersecurity and Privacy Reference Tool and the National Online Informative Reference Program -- are considerably more complex than NIST’s previous approach to informative references, and these tools may be challenging for newcomers or organizations with limited resources. The addition of the Cybersecurity Framework Reference Tool also complicates navigation, and it is unclear how this fits in with NIST’s existing library.

NIST should prioritize usability of the tools, clarify the purpose and use cases of available resources, and explain how they work together. The Coalition’s comments requested a feedback period for the new Cybersecurity Framework Reference Tool and inquired whether NIST is engaging with a variety of users during the tool’s development. The Coalition urges NIST to ensure tools will enable mapping a single function to a standard/framework, as well as the ability to crosswalk multiple standards or frameworks.

The Coalition appreciates that NIST continually listens to the private sector and thanks NIST for allowing us to contribute our thoughts and recommendations to the dialog. As the conversation around this topic continues to evolve, we would welcome the opportunity to further serve as a resource on both technical and policy questions to ensure that the Cybersecurity Framework continues to be successful in driving consistent, effective cyber risk management practices globally.

The Coalition’s full comments can be found here

Alexis Steffaro

Read Next

Hacking Policy Council Comments to New York State Department of Health on Proposed Hospital Cybersecurity Requirements

The Hacking Policy Council (“HPC”) submits the following comments in response to the New York Department of Health’s proposed addition to Section 405.46 to Title 10 NYCRR (“Hospital Cybersecurity Requirements).

Vulnerability Management Under The Cyber Resilience Act

Companies should begin preparing now for the EU’s Cyber Resilience Act, a significant development in product security regulation and will apply to software and connected device manufacturers in and outside EU borders.

Cybersecurity Predictions for 2024

The Center for Cybersecurity Policy & Law staff offer their predictions on what's to come in 2024 and the season finale of the Distilling Cyber Policy podcast offers some additional commentary on what's ahead.