On August 8, 2023, the National Institute of Standards and Technology (“NIST”) released a draft of The NIST Cybersecurity Framework (CSF) 2.0 [1] (the “CSF” or “Framework”) along with a Discussion Draft of the Implementation Examples. [2] This draft makes the most significant changes to the Framework since its initial release in 2014. It follows more than a year’s worth of community feedback, with NIST issuing the first request for information on the CSF in February 2022 and a concept paper regarding potential changes in January 2023. [3] Both drafts are open for public comment until November 4, 2023. NIST announced that it plans to publish the final version in early 2024, without releasing another version for public comment.
Version 1.0 and Version 1.1 (2018) of the CSF were intended to provide critical infrastructure entities a standardized tool for managing cybersecurity risk. Version 2.0 broadens the scope of the CSF by focusing on all organizations, not just those operating in critical sectors. Indeed, “Critical Infrastructure” is dropped from the title of Version 2.0, consistent with the existing use of the CSF by companies and other entities across sectors. This updated version is designed instead to be used by organizations of all sizes, sectors, and geographical locations to help guide their cybersecurity-related decisions, “everywhere from schools and small businesses to local and foreign governments.” [4] To support this broad use, the CSF 2.0 introduces “Implementation Examples” to provide “concise, action-oriented steps” to help achieve particular outcomes in light of its guidance. [5] These Implementation Examples set out sample situations that could help an entity achieve the CSF 2.0 objectives. Under the various functions, the Implementation Examples list actions that an organization can take and concrete methods of implementation for each of those actions.
In addition, the CSF 2.0 emphasizes the role of governance in a cybersecurity program by elevating it to one of the six main “pillars” of the Framework. (The original five pillars, or core functions, that help direct cybersecurity outcomes were (1) identify, (2) protect, (3) detect, (4) respond, and (5) recover.) Although CSF 1.1 contained guidance on governance, CSF 2.0 goes into further depth on processes for establishing, communicating, and evaluating the organization’s cyber risk management strategy, including identifying roles and responsibilities as well as maintaining appropriate policies, processes, and procedures for managing cybersecurity risk.
As part of the “govern” function, the CSF 2.0 highlights the importance of supply chain risk management. The CSF 2.0 recommends that organizations establish a comprehensive supply chain risk management program that includes supplier due diligence, prioritization by criticality, considerations in the organization’s overall risk assessment and management strategies, and other steps to evaluate and monitor third-party risk.
CSF 2.0 also includes additional implementation guidance on the creation and use of “Framework Profiles” to help tailor cybersecurity priorities for specific sectors and use cases. An organization can develop or leverage NIST’s example Framework Profiles, which map the Framework to particular concerns in an industry or functional area and identify opportunities to improve an organization’s cybersecurity posture based on these key issues. The CSF 2.0 lists a step-by-step process for organizations to create and use Framework Profiles to help inform their cybersecurity strategy.
Contractors and subcontractors performing work for the federal government generally must be compliant with the CSF and other NIST cybersecurity standards, as those standards are routinely incorporated into federal contracts and grants. [6] Others in the private sector have been encouraged or required to adopt the NIST Framework to meet regulatory expectations or satisfy contractual obligations. Even though it is only voluntary for many in the private sector, the Framework has effectively become an industry standard for evaluating a cybersecurity program. Accordingly, companies across sectors would be wise to compare their current cyber risk management program against CSF 2.0—and they may wish to get ahead of the curve now, by beginning a comparison with this draft version. Interested stakeholders may also consider submitting comments before the November 4, 2023 deadline.
[1] National Institute of Standards and Technology, Public Draft: The NIST Cybersecurity Framework 2.0 (August 8, 2023).
[2] National Institute of Standards and Technology, Public Draft: Implementation Examples for the NIST Cybersecurity Framework 2.0 (August 8, 2023).
[5] National Institute of Standards and Technology, Public Draft: The NIST Cybersecurity Framework 2.0 (August 8, 2023).
[6] See also NIST Special Publication 800-171 rev. 2 (Feb. 2020) (“The security requirements apply to the components of nonfederal systems that process, store, or transmit [Controlled Unclassified Information], or that provide security protection for such components.”).