
Building a Cybersecurity Concept System with CSF 2.0

I’ve been supporting the development of the NIST Cybersecurity Framework (CSF) version 2.0 for the past year. Reviewing and addressing thousands of suggestions while ensuring that CSF 2.0 works for everyone not only today, but for years to come, has been one of the greatest challenges I’ve ever tackled.

I’m thrilled with the final result: a high-level cybersecurity taxonomy without copyright that everyone is free to use. Soon there will be many other cybersecurity standards, guidance, and frameworks mapping to CSF 2.0 through OLIR. Together, these resources will enable all of us to collectively create a cybersecurity concept system that links together all these concepts and characterizes how they relate to each other.

We all know that there’s a staggering amount of cyber content out there, with more being produced every day. Even so, the most common request I hear from people is, “Tell me what to do.” The problem with that is that no two people want or need to be told the same thing. Every person is dealing with a unique subset of the constantly changing cybersecurity universe, and every person is drawing on a unique combination of knowledge and skills.

What we need is a better way to use the wealth of information out there—to get each person rapid access to the trustworthy information they need at the level of abstraction and detail they want. CSF 2.0 is an important step in that direction, but there’s more work to do. If you’re involved in creating cybersecurity standards, guidance, or frameworks, consider mapping your requirements, recommendations, and other concepts to those from the NIST CSF, RMF, PF, SSDF, AI RMF, and other foundational NIST frameworks and guidance. See NIST's new mapping guidance for more info.

This is not a new idea. It leverages existing disciplines like the field of terminology science, as documented in the ISO 704 and 1087 standards for over 30 years. And the incredible Matthew Smith of Seemless Transition has long been a pioneer in applying crosswalk and mapping techniques to the cybersecurity domain.

What's new is that NIST has just released the CSF 2.0, updated its OLIR and CPRT capabilities, and published its new mapping guidance. All the pieces are now in place so that we as a community can work together to create a concept system that benefits us all. 

Let's do it.