Framework Fatigue: Why NIST Rebuilt the Cybersecurity Framework

Threat Talks infographic

Find Threat Talks on

NIST added a new Govern function to the Cybersecurity Framework

Ten years after it shipped, NIST tore open its own Cybersecurity Framework and added a function that didn’t exist before: Govern. The original CSF was built in 2014 for critical infrastructure operators. A decade later, hospitals, school districts, and five-person startups with no CISO were running on the same framework, and NIST had to decide what to do about it.

Amy Mahn, IT Standards Advisor at NIST, and Daniel Eliot, Lead for Small Business Engagement at NIST’s Applied Cybersecurity Division, join Lieuwe Jan Koning, Co-founder and CTO at ON2IT, to explain how a multi-year public process, more than 4,000 workshop participants from 100 countries, and over 3,000 individual comments reshaped the framework used by more organizations than any other in cybersecurity.

What you’ll learn

  • A new Govern function. Cybersecurity risk now connects directly to enterprise risk and the board.
  • Technology agnostic, vendor agnostic. NIST calls this the reason CSF is so widely adopted.
  • From PDF to platform. Quick start guides and a searchable CSF 2.0 tool replace the static document.

    Your cybersecurity experts

    Lieuwe Jan Koning

    Co-Founder and CTO
    ON2IT

    Amy Mahn

    Amy Mahn

    IT Standards Advisor NIST Office

    Daniel Eliot

    Daniel Eliot

    Lead for Small Business Engagement NIST

    Episode details

    The Cybersecurity Framework was never written for the audience that ended up using it. NIST built the original 2014 version for critical infrastructure operators under a presidential executive order: power grids, water systems, financial networks. A decade later, the CSF had become the default reference for hospitals, school districts, and small businesses with no CISO and no managed services provider, none of whom were in the room when the framework was designed.

    Rather than patch around that mismatch, NIST reopened the framework in public. A 2022 Request for Information led to a virtual workshop that drew more than 4,000 participants from 100 countries, and a formal comment period brought in 420 submissions containing over 3,000 individual comments, each reviewed and adjudicated by NIST’s team. Three themes came out of that process: make the framework easier to use in practice, put more weight on governance and supply chain, and keep it current with a threat landscape that has moved on since 2014.

    The structural answer to the first two themes is Govern, a sixth function sitting inside the CSF’s core wheel rather than bolted on top of it. It is NIST’s explicit acknowledgment that cybersecurity risk cannot stay an IT silo: it has to connect to enterprise risk management, board accountability, and an organization’s broader mission. The framework also stays deliberately technology agnostic and vendor agnostic, which Daniel Eliot argues is exactly why adoption is so broad: CSF tells you what to decide, not which vendor to buy.

    The practical decision for readers is what to do with a framework that no longer assumes you have a mature security function. NIST’s answer is a suite, not a document: quick start guides, implementation examples, and an exportable CSF 2.0 tool built for teams without a dedicated security team at all. If your organization inherited CSF through a customer questionnaire rather than a deliberate choice, this episode is the fastest way to understand what changed and why it changed for you specifically.

    Threat Talks infographic

    Get your Hacker T-shirt

    Join the treasure hunt!

    Find the code within this episode and receive your own hacker t-shirt for free.

    11 + 6 =

    Christmas Hacker