Date published: August 8, 2023
Send your comments by email to:
This is the public draft of the NIST Cybersecurity Framework (CSF or Framework) 2.0.
The framework has been widely used to reduce cybersecurity risks since its initial release in 2014. Many organizations told NIST that CSF 1.1 remains an effective framework for addressing cybersecurity risks. There is also broad consensus that changes are needed to address current and future cybersecurity challenges and to make it easier for organizations to use the framework. NIST is working with the community to ensure that CSF 2.0 is effective for the future while meeting the original goals and objectives of the CSF.
NIST is seeking feedback on whether this draft revision addresses organizations’ current and future cybersecurity challenges, is aligned with leading practices and guidance resources, and reflects comments received to date. Additionally, NIST is requesting ideas on how best to present changes from CSF 1.1 to CSF 2.0 to support the transition. NIST encourages concrete suggestions for improving the draft, including revisions to the narrative and Core.
This draft includes an updated version of the CSF Core, reflecting feedback on the April discussion draft. This publication does not contain implementation examples or informative references of the CSF 2.0 Core, given the need to update them frequently. Draft initial implementation examples have been released under separate cover for public comment. NIST is seeking feedback on the types of examples that would be most useful to users of the framework, as well as existing sources of implementation guidance that could be readily adopted as sources of examples (such as the NICE Framework Tasks). NIST is also seeking feedback on how often implementation examples should be updated and whether and how to accept community-developed implementation examples.
As CSF 2.0 is finalized, updated implementation examples and informative references will be maintained online on the NIST Cybersecurity Framework website, leveraging the NIST Cybersecurity and Privacy Reference Tool (CPRT). Resource owners and authors who wish to map their resources to the final CSF 2.0 to create informative references should contact NIST.
Comments on this public version of CSF 2.0, as well as the associated draft implementation examples, can be submitted to firstname.lastname@example.org by November 4, 2023.
All relevant comments, including attachments and other supporting documentation, will be made public on the NIST CSF 2.0 website. Personal, sensitive, confidential or promotional business information should not be included. Comments containing inappropriate language will not be considered.
This draft will be discussed during the third CSF workshop, which will take place this fall. NIST does not plan to release another version of CSF 2.0 for comment. Comments on this preliminary version will inform the development of the final version of CSF 2.0, which will be published in early 2024.
Changes between version 1.1 and this release are based on community feedback via:
See the full note to reviewers at the beginning of the draft for more details summarizing the changes between CSF 1.1 and this draft.
cybersecurity; Cybersecurity Framework; cybersecurity risk governance; cybersecurity risk management; cybersecurity supply chain risk management; enterprise risk management; Privacy Framework; Profiles