Framework Fatigue: Why NIST Rebuilt the Cybersecurity Framework
Failed to add items
Add to cart failed.
Add to wishlist failed.
Remove from wishlist failed.
Follow podcast failed
Unfollow podcast failed
-
Narrated by:
-
Written by:
Ten years after its first release, the NIST Cybersecurity Framework got a full rebuild. Not because it failed, but because everyone started using it, and it was never built for everyone.
In this episode, host Lieuwe Jan Koning talks with Amy Mahn, IT Standards Advisor at NIST, and Daniel Eliot, Lead for Small Business Engagement at NIST’s Applied Cybersecurity Division, about what CSF 2.0 actually changes and why it took a multi-year public process to get there.
The original framework was written with critical infrastructure operators in mind. A decade later, hospitals, school districts, and small businesses were all using it too, often without the staff or budget the framework quietly assumed they had. NIST collected more than 4,000 comments from organizations across over 100 countries to find out what was missing.
The result includes a new Govern function that puts cybersecurity risk decisions in front of leadership and the board, a deliberately technology agnostic and vendor agnostic design that keeps the framework useful no matter which tools an organization runs, a Quick Start Guide aimed at organizations without a dedicated security team, and a sharper focus on supply chain risk.
Amy and Daniel also explain why “vendor agnostic” is a feature, not a gap: it’s what lets an organization decide for itself who or what is best suited to close a given risk, instead of a framework quietly picking winners.
Part 2, “CSF 2.0: Beyond the Framework,” continues the conversation and covers implementation in practice.
Threat Talks is a podcast by ON2IT cybersecurity and AMS-IX. New episode every Tuesday. Follow Threat Talks to stay up to date on the topic of cybersecurity.
Chapters:
00:00 Framework fatigue, the problem NIST heard
01:12 Welcome to Threat Talks
02:05 Meet Amy Mahn and Daniel Eliot (NIST)
03:40 What the original CSF got right, and where it broke down
07:15 Four thousand comments, one framework
10:30 The new Govern function
14:05 Why CSF 2.0 is technology agnostic and vendor agnostic
17:20 The Quick Start Guide for teams without a security team
20:10 Supply chain risk gets its own seat at the table
22:45 What Part 2 will cover
24:48 Closing thoughts