Posts tagged NIST.

In early August, the National Institute of Standards and Technology released the initial public draft of its Cybersecurity Framework 2.0. The draft is a long-awaited update to a framework that’s been in place for almost 10 years: The Framework for Improving Critical Infrastructure Cybersecurity, first released in 2014 and updated in 2018. 

The life cycle of a data security incident begins and ends with preparation.

Unfortunately, there is no such thing as a network or system with “zero vulnerabilities.” There are jokes about absolute network security, including that the only secure network is one without users or one with no access. There is no perfect code, no perfect software, no perfect hardware, and even the most well-intentioned user can be socially engineered. Consequently, preparation at all levels of information security is critical to protect businesses from catastrophic attacks.

An updated version of the NIST Cybersecurity Framework is on the way.

In 2013, President Barack Obama directed the National Institute of Standards and Technology (“NIST”) to lead the development of a cybersecurity framework to “reduce cyber risks to critical infrastructure.” The result was the NIST Cybersecurity Framework (“CSF”; formally, the “Framework for Improving Critical Infrastructure Cybersecurity”), a comprehensive, flexible, and scalable approach that gives entities a structure to create, guide, assess, or improve their cybersecurity programs. The first version of the CSF, v1.0, was released in February 2014. NIST subsequently released v1.1 of the CSF in April 2018 to clarify, refine, and enhance the framework. Since its release, the CSF has been widely adopted across a range of industries within the United States and internationally.

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed by the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consulting on complex data privacy and security litigation.
