Eleven Hundred Agency

Cybersecurity Framework to get a refresh

By Irina Meier

For the first time since its release in 2014, the world’s leading cybersecurity guidance – the Cybersecurity Framework (CSF) – is being updated. What’s more, the body behind the framework is asking the public to comment. The eagerly anticipated CSF 2.0 aims to reflect recent seismic changes in the cybersecurity landscape, so it should be better suited to organisations' current and future security needs.

Developed by the US-based National Institute of Standards and Technology (NIST), initially for critical infrastructure providers such as those operating in the financial and energy sectors, the original cybersecurity guidance has proved useful to organisations of all sizes and from various industries, including those located beyond US borders. With this new update, NIST is expanding its focus so that it can help all organisations bolster their cybersecurity defences.


Deadline for comments looming

The public has until 4th November 2023 to provide input into NIST’s draft of the updated framework, and there will also be an opportunity to provide feedback at a workshop due to take place in the autumn. NIST does not plan to release another draft, and we can expect to see the final CSF 2.0 guidance in early 2024.

While CSF is largely recognised as the benchmark of cybersecurity practice, the UK has also introduced several corresponding pieces of legislation. These include:

  • Cyber Essentials is a UK government scheme that helps organisations protect themselves against the most common cyberattacks by showing them how to implement basic security controls.
  • Minimum Cyber Security Standard (MCSS) sets out a series of mandatory cyber resilience outcomes that all government departments must achieve to meet their obligations under the Security Policy Framework and National Cyber Security Strategy. In addition to government bodies, it can be utilised by organisations from any sector as a point of reference for their cyber resilience efforts.
  • 10 Steps to Cyber Security is guidance published by the National Cyber Security Centre (NCSC). Designed as a summary of NCSC advice for security professionals and technical staff, this guidance offers a top-level understanding of cybersecurity issues as well as the controls organisations can adopt.


As with CSF in the US, the UK government's goal is to provide organisations with guidance on how to manage cybersecurity risks, as well as on strategies to beef up their defences. While, in general, legislators are playing catch-up when it comes to cyberattacks, following these established frameworks is an excellent starting point for organisations which are eager to stay on the front foot.