The National Institute of Standards and Technology has released an initial public draft of a new quick-start guide for using the Cybersecurity Framework 2.0. NIST said the document provides organizations with practical steps to improve their management of emerging cybersecurity risks.
NIST’s New Quick-Start Resource
The draft guide, NIST Special Publication 1331 ipd, is the latest in a series of quick-start resources developed to make the updated cybersecurity framework more accessible to different audiences and actionable. NIST said the guide explains how organizations’ existing enterprise risk management can be paired with CSF 2.0 to help organizations prepare for risks that are either not yet well understood or entirely unknown.
Defining Emerging Risks
According to the publication, emerging risks fall into two categories: those that are already known to some organizations but not others and those that are unknown to all. The guide notes that while traditional threats such as ransomware and distributed denial-of-service attacks fall into the first category, the second involves novel risks with no existing mitigation strategies.
Preparing Through Resilience and Governance
Besides integrating the cybersecurity practices under CSF 2.0 with enterprise risk management programs, the guide recommends adopting multidisciplinary approaches when facing emerging risks, emphasizing that preparation should focus on resilience, governance structures and organizational adaptability, allowing enterprises to maintain or restore operations when unexpected risks materialize.
Organizing Management of Risks
The draft organizes management of emerging risks into proactive and reactive phases aligned with CSF 2.0’s functions. The Govern, Identify and Protect functions are primarily used before risks are realized, while Detect, Respond and Recover support actions after risks occur. NIST highlights the importance of continuous improvement across all phases, stressing that lessons learned must be analyzed, prioritized and used to inform all functions.
Public Feedback Sought
Authors of the draft are NIST’s Stephen Quinn, Matthew Barrett of CyberESI Consulting Group, Robert Gardner of New World Technology Partners, Kelly Hood of Optic Cyber Solutions and Matthew Smith of Seemless Transition.
NIST is accepting public comments on the draft until Sept. 21. Feedback must be sent to csf@nist.gov.
