• United States



Contributing Writer

NIST releases Cybersecurity Framework 2.0 draft

News Analysis
Sep 12, 20237 mins
ComplianceCritical InfrastructureRisk Management

NIST seeks comments ahead of the 2024 release of CSF 2.0, which aims to appeal to a broader range of organizations while elevating the importance of corporate governance and more fully addressing supply chain security.

On February 12, 2014, the US National Institute of Standards and Technology (NIST) issued a landmark document, the Framework for Improving Critical Infrastructure Cybersecurity (CSF). Four years later, NIST issued the CSF 1.1, which included updates on supply chain risk management, vulnerability disclosure, and other rapidly developing issues.

Now, NIST is preparing to release another overhaul of the CSF following the early August release of a draft 2.0 version, developed after NIST issued a request for information (RFI), held two workshops, and requested comments on a core draft.

What is the Framework for Improving Critical Infrastructure Security?

Following an executive order (EO) by President Obama, NIST developed the CSF to provide a common language and structure to help organizations systematically better manage and communicate how they tackle cybersecurity risk management. The CSF has been adopted worldwide by private and public sector organizations. Many US government civilian and military procurement and guidance documents have incorporated the CSF to manage risk, including federal government agency contractor and subcontractor requirements for protecting unclassified information and the implementation guidance for President Biden’s National Cybersecurity Strategy.

NIST has designed the 2.0 draft to expand the use of the CSF, more fully embrace supply chain risk management, update other frameworks and resources, supply implementation guidance, address cybersecurity measurement and assessment, while adding an entirely new function. The following sections highlights some of these proposed changes to the CSF.

Broader use of the framework

President Obama’s initial EO focused on critical infrastructure, given the emerging significant cybersecurity threats to the nation’s energy and transportation systems and other critical assets without which essential activities could not function. To convey a broader focus more strongly in the US and internationally, NIST is changing the CSF name to its commonly used term, “Cybersecurity Framework,” removing the emphasis on critical infrastructure. The original framework” has proved useful everywhere from schools and small businesses to local and foreign governments,” NIST said in announcing the 2.0 version. “We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”

The new Govern function crosscuts everything

The current NIST CSF “core” consists of five functions: Identify, Protect, Detect, Respond, and Recover. Around those are clustered 23 categories and 108 subcategories of desired cybersecurity outcomes, and hundreds of informative references, mostly other frameworks, and industry standards.

In its 2.0 draft, NIST has added a sixth function, Govern, which covers how organizations make and execute decisions around cybersecurity. This new function crosscuts all the five other functions, emphasizing the people, processes, and technology needed to adequately govern cybersecurity functions within organizations.

CSF 2.0

National Institute of Standards and Technology

In announcing the framework, NIST explains the Govern function “covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial, and other risks as considerations for senior leadership.” The draft also offers guidance integrating the Framework with the NIST Privacy Framework and enterprise risk management, as discussed in NIST IR 8286.

Emphasis on supply chain risk management

Under the Govern function, the CSF 2.0 offers a new category highlighting the importance of supply chain risk management, noting that a desired outcome is for organizations to identify, establish, manage, and monitor cyber supply chain risk management processes. NIST breaks these actions into ten subcategories of supply chain risk management efforts.

The categories and subcategories within the other functions also “provide a source for the organization to consider as a basis for supplier cybersecurity requirements, both for direct suppliers and as flow-down requirements for lower-tier suppliers,” the CSF 2.0 states.

The draft further encourages organizations to use the Framework Profiles that are part of the CSF “to delineate cybersecurity standards and practices to incorporate into contracts with suppliers and provide a common language to communicate those requirements to suppliers.” NIST notes that suppliers can also use profiles to express their cybersecurity posture and related standards and practices involving supply chain risks.

Finally, the 2.0 draft points to the Target Profiles, also part of the CSF, to address supply chain risk management, saying they “can be used to inform decisions about buying products and services based on requirements to address gaps.”

Making it easier to adopt the CSF

To address a chronic problem that hinders the adoption of the CSF, NIST plans to include in the final 2.0 draft examples of implementation guidance that offer more concrete, real-world examples of how organizations can implement the framework.

Although the current 2.0 draft doesn’t contain these examples, NIST has issued for public comment under separate cover examples of the types of guidance the final version might include. It encourages interested parties to provide input by Friday, November 4, 2023, on whether these examples are appropriately specific, what other types of models might be useful, how often NIST should update them, and what other sources of implementation guidance might be sources for the examples.

Taking a stab at measuring cybersecurity performance

One frequent complaint about the current CSF is that it lacks clear guidance on measuring cybersecurity performance following the framework’s adoption, making it harder to gauge the success or failure of implementing the many practices and techniques needed to achieve the desired outcomes.

Although not extending this kind of guidance, the 2.0 draft does discuss metrics and encourages organizations “to innovate and customize how they incorporate measurement into their application of the framework.” It also suggests that organizations play around with how they might measure performance. “The framework offers an opportunity to explore or adjust methodologies for measurement and assessment,” the draft states.

In addition, the 2.0 draft introduces a new category under the Identify function that contemplates how organizations will identify improvements to organizational cybersecurity risk management processes, procedures, and activities as a means of measuring performance.

Updated cybersecurity references and resources

The 2.0 draft updates the resources and informative references used in the previous CSF versions, including:

  • The NIST Privacy Framework
  • The NICE Workforce Framework for Cybersecurity (SP 800-181)
  • The Secure Software Development Framework (SP 800-218)
  • Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161r1)
  • The Performance Measurement Guide for Information Security (SP 800-55)
  • Integrating Cybersecurity and Enterprise Risk Management (NIST IR 8286) series
  • The Artificial Intelligence Risk Management Framework (AI 100-1)

NIST plans to post an online tool with human- and machine-readable formats to allow organizations to see the relationships online between the CSF core and updatable resources.

Timeline for CSF 2.0 completion

On September 19 and 20, NIST plans to host its third and final workshop ahead of a planned early 2024 release of the final CSF 2.0. NIST stresses that it does not intend to release another draft of CSF 2.0 for comment. Feedback on the 2.0 draft and related implementation examples are due November 4.

Contributing Writer

Cynthia Brumfield is a veteran communications and technology analyst who is currently focused on cybersecurity. She runs a cybersecurity news destination site,, consults with companies through her firm DCT-Associates, and is the author of the book published by Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.

More from this author