Information Security Standards: Potential significant updates to NIST Cybersecurity Framework

An updated version of the NIST Cybersecurity Framework is on the way.

In 2013, President Barack Obama directed the National Institute of Standards and Technology (“NIST”) to lead the development of a cybersecurity framework to “reduce cyber risks to critical infrastructure.” The result was the NIST Cybersecurity Framework (formally, the “Framework for Improving Critical Infrastructure Cybersecurity”), a comprehensive, flexible, and scalable approach that provides a structure that can be used by entities to create, guide, assess, or improve their cybersecurity programs. The first version, v1.0, of the CSF was released in February 2014. NIST subsequently released v1.1 of the CSF in April 2018 to clarify, refine, and enhance the framework. Since its release, the CSF has been widely adopted across a range of industries within the United States and internationally.

NIST makes the CSF, and other valuable cybersecurity resources, available at no cost as a resource for entities of all sizes and industries. The CSF currently includes five Functions (basic cybersecurity activities) that are critical to organizational cybersecurity: Identify, Protect, Detect, Respond, and Recover. Each Function includes subdivisions, known as Categories, reflecting cybersecurity outcome-focused objectives.

In February 2022, NIST announced its intention to again revise the CSF in accordance with the ever-evolving cybersecurity landscape and to keep pace with trends in technology and cyber threats. NIST sought public comment and arranged a series of workshops throughout 2022 in anticipation of developing and issuing CSF v2.0, reflecting more significant changes than those issued between v1.0 and v1.1. NIST anticipates releasing a final draft of CSF v2.0 in February 2024.  

On January 19 of this year, NIST released a Cybersecurity Framework 2.0 Concept Paper. The Concept Paper reflects a series of “significant potential changes” that are being considered for CSF v2.0. These potential changes are summarized below:

  • CSF 2.0 will explicitly recognize the CSF’s broad use to clarify its potential applications. Because the scope of CSF 2.0 will cover a wide range of organizations, NIST has proposed formally updating the name of the framework from “Framework for Improving Critical Infrastructure Cybersecurity” to the commonly-used name, “Cybersecurity Framework.” The text will be similarly updated to broaden its applicability, though references to critical infrastructure may remain as examples. NIST will further increase its efforts to ensure the broad scope of the framework and its applicability to all organizations, regardless of sector, type, or size, and will prioritize international collaboration, engagement, and encourage translations of CSF v2.0.
  • CSF 2.0 will remain a framework, providing context and connections to existing standards and resources. A focus of CSF v2.0 will be maintaining the Framework’s level of detail and specificity, as well as its simple, flexible, and easy-to-use nature, while also endeavoring to relate the CSF to other frameworks, standards, tools, and references.
  • CSF 2.0 (and companion resources) will include updated and expanded guidance on Framework implementation. NIST will include in CSF v2.0 additional illustrative guidance, including examples of actions that could be taken by an organization to accomplish CSF outcomes, developing a template to assist organizations in developing framework profiles, and adjusting NIST website to better highlight resources available to assist with implementation.
  • CSF 2.0 will emphasize the importance of cybersecurity governance. One of the most substantial deviations from CSF v1.1 set forth in the Concept Paper is the implementation of a sixth Function, “Govern.” Like many other recent regulatory and statutory changes, NIST recognizes the importance of cybersecurity governance for managing and reducing cyber risk. By elevating governance-related activities to a standalone Govern Function, NIST hopes to encourage an increased alignment of cyber activities, risk management, and other legal requirements.
  • CSF 2.0 will emphasize the importance of cybersecurity supply chain risk management (C-SCRM). In CSF v2.0, NIST intends to expand on guidance related to supply chain and third-party risk. The means for doing so, however, remains an item for discussion. NIST has invited comments on how to best incorporate C-SCRM in CSF v2.0, given the importance of identifying, assessing, and managing supply chain and third-party cyber risks.
  • CSF 2.0 will advance understanding of cybersecurity measurement and assessment. NIST wants all organizations to consider benchmarks that can be used to gauge how well they are managing cyber risk. Key to this effort is using standardized terms across the cybersecurity field to maintain the CSF’s flexibility and applicability across all organizations. As an accompanying resource, NIST will also update its flagship measurement document, the Performance Measurement Guide for Information Security. The revised CSF will also try to provide examples of measurement and assessment under the Guide, as well as clarify the CSF components that apply to measurement. CSF v2.0 is not geared toward defining a single approach to measure “success” but to provide resources needed to guide organizations to a better understanding of the effectiveness and maturity of their cybersecurity programs.

Like many other regulatory bodies and entities, the proposed changes to the CSF reflect an increasing focus on cyber governance, accountability, and a holistic approach to cybersecurity. NIST is seeking feedback and comments on the Concept Paper by March 3, and has a series of workshops planned to address potential changes to the CSF throughout this year.

  • Amir  Goodarzi

    Amir is a member of the Constangy Cyber Team and is based in the Philadelphia office. Prior to joining Constangy, Amir worked for the Camden County Prosecutor's Office, where he skillfully managed a diverse array of cases, honing ...

  • Aubrey  Weaver

    Aubrey, a partner and member of the Constangy Cyber Team, is a Certified Information Privacy Professional (CIPP/US). Aubrey obtained a Master of Science in Digital Forensics in 2020 and leverages her legal background and technical ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 


* indicates required
Back to Page