The National Institute of Standards and Technology's Cyber Security Framework (NIST CSF) is a widely used standard for organizations of all sizes, sectors, and maturities. The NIST CSF is flexible because the framework focuses on cybersecurity outcomes. The NIST CSF doesn't provide guidance on how to achieve those outcomes. The amount of jargon and lack of actionable steps are some of the top complaints about the NIST CSF among less-resourced – yet more targeted – SMEs. NIST proposed a significant reform to its CSF, with plans to open the public comment period soon. Among the potential changes would be to "explicitly recognize CSF's broad use to clarify its potential applications." The NIST CSF is a good starting point for creating a security strategy, but it is not enough on its own. SMEs need to be aware of the latest threats and have a plan for how to defend against them.