NIST CSF 2.0 Draft Released

The widely used NIST Cybersecurity Framework (CSF) is getting its first major upgrade in nearly a decade. Following more than a year of community input, the National Institute of Standards and Technology (NIST) has released a draft version of CSF 2.0.

NIST CSF was first released in 2014 to help organizations understand and mitigate cybersecurity risks. It provides high-level guidance, including a common language and a systematic methodology for managing cybersecurity risk across sectors and aiding communication between technical and non-technical staff. CSF includes activities that can be incorporated into cybersecurity programs and customized for an organization’s specific needs. The draft update was designed to reflect changes in the cybersecurity landscape and make it easier for all organizations to put the CSF into practice.

What’s New in NIST CSF 2.0

Some of the major changes in the NIST CSF 2.0 draft are:

New Function: Govern has been added as a sixth function, joining identify, protect, detect, respond, and recover. The govern function covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial, and other risks as considerations for senior leadership.

Expanded Scope: The framework’s scope has expanded from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size. This difference is reflected in changing the name to “The Cybersecurity Framework,” from “Framework for Improving Critical Infrastructure Cybersecurity.”

“It (CSF) has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical,” said Cherilyn Pascoe, the framework’s lead developer.

Expanded Implementation Guidance: The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations. This is in response to requested assistance in using it for specific economic sectors and use cases, where profiles can help. Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively.

NIST is accepting public comment on the draft framework until Nov. 4, 2023. There are no plans to release another draft. A workshop in the fall will serve as another opportunity for the public to provide feedback and comments on the draft. The developers plan to publish the final version of CSF 2.0 in early 2024.

Available Resources

A major goal of CSF 2.0 is to explain how organizations can leverage other technology frameworks, standards, and guidelines to implement the CSF. The help with this effort, NIST released the CSF 2.0 reference tool. This online resource allows users to browse, search, and export the CSF Core data in human-consumable and machine-readable formats. In the future, this tool will provide “Informative References” to show the relationships between the CSF and other resources to make it easier to use the framework together with other guidance to manage cybersecurity risk.

CompliancePoint has a team of cybersecurity experts that can help your organization achieve compliance with a  multitude of standards, including NIST CSF, NIST 800-53, NIST 800-171, CMMC, and more. Contact us at connect@compliancepoint.com to get started.