For the first time since 2014, the world’s leading cybersecurity guidance is getting a complete makeover. NIST released the initial public draft of the Cybersecurity Framework (CSF) 2.0 in August 2023, and the framework is approaching its final stages before implementation in early 2024.
CSF 2.0, in alignment with the National Cybersecurity Strategy set by the Biden Administration, will expand the use of the CSF, emphasize supply chain risk management, increase implementation guidance, clarify cybersecurity measurement and assessment, and even add an entirely new function.
Changes in CSF 2.0 are evident in both its title and scope. Its original title, "Framework for Improving Critical Infrastructure Cybersecurity," has been changed to the commonly used name, "Cybersecurity Framework." Its scope has been modified from its original emphasis on U.S. critical infrastructure to a focus on all organizations around the world.
The original five framework core functions — identify, protect, detect, respond, and recover — will also gain a new function in the CSF 2.0 updates. Govern (moved to its own subcategory from the identify function) will be added as a sixth function to establish and monitor organizational cybersecurity risk management strategy, expectations, and policy. Govern is cross-cutting and informs how organizations will achieve and prioritize the outcomes of the other five functions in the context of their mission and stakeholder expectations.
NIST is accepting public comment on the draft framework until Nov. 4, 2023, and does not plan to release another draft.