New Cybersecurity Framework Underscores Governance, Expands to All Organizations

‘Things have evolved. Very quickly, it was realized that this could be used for many sectors, many organizations large and small,’ —NIST director.
New Cybersecurity Framework Underscores Governance, Expands to All Organizations
U.S. Air Force Capt. Shannon Bender reviews computer information during a cyber-warfare training event in Michigan on March 8, 2022. Master Sgt. David Eichaker/U.S. Air National Guard
Andrew Thornebrooke
Updated:
0:00

WASHINGTON—The United States’ leading industrial agency is unveiling a new version of its pioneering cybersecurity guidance for the first time in 10 years.

The National Institute for Standards and Technology (NIST) released the new version of its Cybersecurity Framework (CSF) on Feb. 26, providing the first major update to the document since it was released in 2014.

The new version of the CSF is designed to provide security frameworks for organizations of all types and sizes, whereas the original was meant to serve critical infrastructure only.

NIST Director Laurie Locascio said that the evolution had been in the works for many years following the reception of the first version and a lengthy comment period from thousands of stakeholders.

“Things have evolved,” Ms. Locascio said Monday at the Aspen Institute think tank in Washington.

“Very quickly, it was realized that this could be used for many sectors, many organizations large and small.”

Similar in scope to extending the framework to all organizations, the new CSF also introduces a sixth “function,” the highest type of abstract principle extracted from the framework.

That new function is “govern” and outlines the need for organizations to prepare for supply chain risks, regulatory oversight, and other related issues.

Likewise, Ms. Locascio said she hoped the document would help various sectors adapt their needs to a “common language around cybersecurity.”

“It’s all about building trust in technology,” she said.

The CSF is also designed to support the “implementation” of the “2023 National Cybersecurity Strategy,” which defined communist China as “the broadest, most active, and most persistent threat to both government and private sector networks.”
Relatedly, the publication of the new CSF closely follows the publication of a guidance document by the Cybersecurity and Infrastructure Security Agency (CISA), which warned that China’s attempts to infiltrate, disrupt, and destroy vital U.S. facilities could endanger American lives.

“[Chinese] state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States,” the advisory said.

The malware, it said, was devised “to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness.”

That warning followed Congressional testimony by senior intelligence leaders, which revealed the U.S. intelligence community had eradicated a Chinese botnet from more than 600 routers associated with critical U.S. infrastructure. That infrastructure included water, gas, energy, rail, air, and port traffic control systems.
Rep. Mike Gallagher (R-Wis.) described the malware as “the cyberspace equivalent of placing bombs on American bridges, water treatment facilities, and power plants.”

“There is no economic benefit for these actions. There is no intelligence-gathering rationale,” he said.

“The sole purpose is to be ready to destroy American infrastructure, which will inevitably result in mass American casualties.”

Andrew Thornebrooke
Andrew Thornebrooke
National Security Correspondent
Andrew Thornebrooke is a national security correspondent for The Epoch Times covering China-related issues with a focus on defense, military affairs, and national security. He holds a master's in military history from Norwich University.
twitter
Related Topics