
Cybersecurity Briefing — NIST Releases Cybersecurity Framework 2.0 Public Draft

On 8 August 2023, NIST released the first full public draft of the Cybersecurity Framework 2.0 for public comment, expanding the framework beyond critical infrastructure, introducing a Govern function for roles and accountability, strengthening supply chain risk management, and providing updated guidance and profiles ahead of the final release.

Figure: horizontal bar chart of credibility scores for every source cited in this briefing.

Executive summary. On 8 August 2023 the National Institute of Standards and Technology (NIST) published the initial public draft of its Cybersecurity Framework 2.0 (CSF 2.0) for comment. The draft extends the framework’s scope beyond critical infrastructure to all organizations, introduces a new Govern function that calls for executive accountability and risk management, and emphasizes cybersecurity supply‑chain due diligence. The public draft invites feedback until November 2023 and lays the groundwork for the final release, expected in 2024. Risk and compliance leaders should review the draft to anticipate changes to governance, measurement and supplier oversight.

Overview of the draft

Since its debut in 2014, the NIST Cybersecurity Framework has provided a flexible, outcome‑based approach to managing cyber risk across five core functions: Identify, Protect, Detect, Respond and Recover. The August 2023 public draft of version 2.0 is the first major update since 2018. NIST states that CSF 2.0 aims to help all organizations, not just critical infrastructure, achieve better cybersecurity. It retains the outcome‑oriented structure while revising categories and subcategories, adding implementation examples and updating guidance for emerging threats and technologies.

Key proposals in CSF 2.0 draft

  • Introduce a new Govern function. The draft adds a sixth function that emphasizes understanding organizational context, developing cyber risk strategies, establishing policies and roles, and overseeing supply‑chain risk management. This function elevates cybersecurity governance to senior leadership and board level.
  • Enhance supply‑chain risk management. Within the Govern function, the draft highlights the need for supplier tiering, risk assessments, contractual requirements and continuous monitoring of third‑ and fourth‑party vendors. It aligns with NIST SP 800‑161 Rev. 1 and encourages organizations to integrate supply‑chain controls into their risk programs.
  • Expand scope and profiles. CSF 2.0 broadens its applicability to small businesses, educational institutions, state and local governments and international organizations. The draft offers updated community profiles and encourages sectors to develop their own templates to align with regulators and insurers.
  • Introduce draft quick‑start guides and measurement concepts. To aid adoption, NIST released companion resources such as quick‑start guides for small businesses and enterprise risk offices, as well as a concept paper on using metrics and measures to gauge framework implementation.
  • Prepare for a digital reference tool. Although the reference tool launched only with the final release, the draft lays the groundwork for a searchable database that links CSF outcomes to controls in other frameworks (ISO/IEC 27001, CIS Controls, etc.).
  • Address emerging technologies. The draft calls for evaluating risks associated with artificial intelligence, quantum computing and other emerging technologies and integrating appropriate controls.

Implications for organizations

Organizations should study the public draft and assess how the proposed changes will affect existing cyber programs. Boards and executives may need to formalize cyber governance charters, define risk tolerances and delineate responsibilities under the new Govern function. Supply‑chain management teams should strengthen vendor intake processes, due‑diligence questionnaires, monitoring and contractual clauses to meet the heightened supplier expectations. Compliance teams should prepare to map categories and subcategories to sector regulations using the forthcoming reference tools and update policies once CSF 2.0 is finalized. Participating in the public comment process allows organizations to influence the final guidance.

Zeph Tech analysis

The CSF 2.0 public draft demonstrates NIST’s commitment to modernizing the framework for a wider audience and shifting accountability to the top of organizations. The draft’s Govern function and supply‑chain provisions foreshadow more stringent due‑diligence expectations across sectors. By aligning draft outcomes with metrics and preparing for cross‑framework mapping, NIST signals that measurement and transparency will be central to future audits. Zeph Tech recommends that stakeholders review the draft, provide feedback and begin adapting governance structures to stay ahead of the final release.

