Feb 27, 2024 - Technology

Biden administration issues new cyber road map

The Commerce Department's National Institute of Standards and Technology (NIST) debuted a highly anticipated revamp of its cybersecurity framework Monday.

Why it matters: The agency framework has long provided a baseline for federal cybersecurity regulations and informed how private companies build and regulate their own cybersecurity practices.

What's inside: NIST's Cybersecurity Framework 2.0 details how companies can best structure their organizations to address various security issues, such as supply chain security and identity management.

  • The framework is organized around six functions: governing internal cyber programs, identifying potential weaknesses and threats, protecting against those threats, detecting abnormal activity on a network, responding to a cyberattack, and recovering from one.
  • NIST has published a reference tool, user guides and examples of ways to implement the framework to help organizations digest the material.

Catch up quick: NIST first published its framework in 2014, and this week's update was two years in the making.

  • The first version of the framework focused on advice for critical infrastructure organizations. Now, the framework explicitly provides advice for all organizations, NIST said.

The big picture: Cybercriminals and nation-state hackers have become stealthier and more sophisticated in the decade since NIST first published its framework.

What's next: The NIST framework is voluntary for most companies but could be a basis for government requirements that contractors face.

  • The agency expects that it will take the "pulse of industry" every couple of years to assess when another update is needed, Adam Sedgewick, NIST's acting associate director for IT standardization, said during an Aspen Institute event Monday.