The First Update in a Decade
An Article Review
With its first major update since 2014, the NIST Cybersecurity Framework 2.0 aims to expand its scope.
A decade can be a long time in any industry, and when it comes to cybersecurity, that’s especially true. Each passing year seems to bring with it new threats and changes to the tools that we use to try to combat those threats.

When it comes to our regulatory agencies and their guidance, though, things can move just a little bit slower. Such is the case with the National Institute of Standards and Technology (NIST) and its Cybersecurity Framework (CSF), which has recently received its first major update in ten years. With many other organizations basing their guidance in whole or in part on the NIST CSF, this new framework is certainly worth paying attention to. So just what has changed?
Some of the larger changes start at the top, literally: NIST has added Governance to its list of cybersecurity pillars, stressing the importance of participation from the Board of Directors and other executive-level positions in cybersecurity decisions. In addition to this new core function, the framework’s target audience has been expanded from organizations critical to the nation’s economy and defense to include all organizations. Continuing the theme of expanded scope, greater focus is now placed on third-party vendors and supply chain management, recognizing the increasing reliance being placed on cloud processing and storage since the original CSF was published in 2014.
This new framework will also have an impact on the tools and regulatory guidance issued by other organizations, including the FFIEC and its Cybersecurity Assessment Tool, which could see its own overhaul as soon as next year.
Original article by Robert Lemos, writing for DarkReading.
This Article Review was written by Vigilize.
Matt Jolley is the current Vigilize; he is also the recipient of the 2023 Cyb3rP0e+ designation!