NIST Releases Cybersecurity Framework 2.0 Public Draft
On 8 August 2023, NIST released the first full public draft of the Cybersecurity Framework 2.0 for public comment, expanding the framework beyond critical infrastructure, introducing a Govern function for roles and accountability, strengthening supply chain risk management, and providing updated guidance and profiles ahead of the final release.
Reviewed for accuracy by Kodi C.
Executive summary. On 8 August 2023 the National Institute of Standards and Technology (NIST) published the initial public draft of its Cybersecurity Framework 2.0 (CSF 2.0) for comment. The draft extends the framework's scope beyond critical infrastructure to all organizations, introduces a new Govern function that calls for executive accountability and enterprise risk management, and emphasizes cybersecurity supply-chain due diligence. The comment period runs until 4 November 2023, and NIST has said it intends to publish the final version in early 2024. Risk and compliance leaders should review the draft now to anticipate changes to governance, measurement and supplier oversight.
Overview of the draft
Since its debut in 2014, the NIST Cybersecurity Framework has provided a flexible, outcome-based approach to managing cyber risk across five core functions: Identify, Protect, Detect, Respond and Recover. The August 2023 public draft of version 2.0 is the first major update since CSF 1.1 in 2018. NIST states that CSF 2.0 aims to help all organizations, not just critical infrastructure, achieve better cybersecurity. It retains the outcome-oriented structure while revising categories and subcategories, adding implementation examples for each outcome and updating guidance for emerging threats and technologies.
Key proposals in CSF 2.0 draft
- Introduce a new Govern function. The draft adds a sixth function covering organizational context, cyber risk strategy, policies, roles and responsibilities, and oversight of supply-chain risk management. Placing these outcomes in their own function elevates cybersecurity governance to senior leadership and board level rather than leaving it implicit in Identify.
- Enhance supply-chain risk management. Within the Govern function, the draft calls for supplier tiering, supplier risk assessments, contractual security requirements and continuous monitoring of third-party (and, through them, fourth-party) vendors. It aligns with NIST SP 800-161 Rev. 1 and encourages organizations to integrate supply-chain controls into their broader risk programs rather than run them as a separate procurement exercise.
- Expand scope and profiles. CSF 2.0 broadens its applicability to small businesses, education institutions, state and local governments and international organizations. The draft offers updated community profiles and encourages sectors to develop their own templates to align with regulators and insurers.
- Introduce draft quick-start guides and measurement concepts. To aid adoption, NIST is releasing companion resources such as quick-start guides for small businesses and enterprise risk offices, as well as a concept paper on using metrics and measures to gauge framework implementation.
- Prepare for a digital reference tool. Although the reference tool is planned to accompany the final release, the draft lays the groundwork for a searchable database that will link CSF outcomes to controls in other frameworks (for example ISO/IEC 27001 and the CIS Controls) through informative references.
- Address emerging technologies. The draft calls for evaluating risks associated with artificial intelligence, quantum computing and other emerging technologies and integrating appropriate controls.
Implications for organizations
Organizations that use CSF 1.1, or are considering adopting the framework, should study the public draft and assess how the proposed changes will affect existing cyber programs. Boards and executives may need to formalize cyber governance charters, define risk tolerances and assign responsibilities to satisfy the new Govern function.
Supply-chain management teams should strengthen vendor intake processes, due-diligence questionnaires, ongoing monitoring and contractual clauses to meet the expanded supplier expectations. Compliance teams should prepare to map categories and subcategories to sector regulations using the forthcoming reference tool and update policies once CSF 2.0 is finalized. Participating in the public comment process before the November deadline gives organizations a chance to influence the final guidance.
Key takeaways
The CSF 2.0 public draft shows NIST's commitment to modernizing the framework for a wider audience and shifting accountability to the top of organizations. The draft's Govern function and supply-chain provisions foreshadow more stringent due-diligence expectations across sectors. By pairing outcomes with measurement guidance and preparing cross-framework mappings, NIST signals that measurement and transparency will be central to how implementation is assessed. Security and risk teams should review the draft, submit feedback and begin adapting governance structures now to stay ahead of the final release.