NIST Issues Cybersecurity Framework 2.0 for public comment

In early August, the National Institute of Standards and Technology released the initial public draft of its Cybersecurity Framework 2.0. The draft is a long-awaited update to a framework that’s been in place for almost 10 years: The Framework for Improving Critical Infrastructure Cybersecurity, first released in 2014 and updated in 2018. 

As its name indicates, the original Framework helped organizations mitigate risks to U.S. critical infrastructure. “Critical infrastructure,” as used by NIST and defined in law, means the systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on U.S. security, economic security, public health or safety, or any combination thereof. Critical infrastructure covers sectors such as healthcare and public health, communications, transportation, and financial services. However, NIST found that the concepts in the original Framework transcended critical infrastructure, providing a foundation for security practices across many other business sectors. The Cybersecurity Framework 2.0 works to capture this broad applicability, updating the use case and restructuring the scope of the original Framework.

Substantively, the Cybersecurity Framework 2.0 attempts to better reference and relate to other applicable NIST frameworks and initiatives, such as its Privacy Framework, the NICE (formerly known as the National Initiative for Cybersecurity Education) Workforce Framework, and the Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, among others.

Moreover—and very helpfully—the Cybersecurity Framework 2.0 provides implementation examples for NIST processes, adds guidance on how companies can describe and categorize current and target cybersecurity postures, and adds a new governance category (referred to as a “Function”) for organizing cybersecurity outcomes: “Govern.”

Cybersecurity governance was always an element of the original Framework, but the additional “Govern” Function helps organizations better manage their cybersecurity efforts by providing express guidance on creating cybersecurity governance programs. This is especially helpful as the need for improved cybersecurity has grown with our increasing dependence on connected technologies.

Further recognizing the increasing interconnectedness (and accompanying complexity) of these technologies, the Cybersecurity Framework 2.0 specifically addresses cybersecurity supply chain risk management. It also places additional focus on the people, processes, and technology involved in cybersecurity, as each is an essential part of improving an organization’s cybersecurity practices. Finally, the Cybersecurity Framework 2.0 places an emphasis on continuous improvement.

While NIST’s guidance—including the Cybersecurity Framework 2.0—is largely voluntary, the guidance is regularly used as a foundation by federal and state departments and agencies for mandatory regulations and is often referenced in contractual agreements as a required industry standard. Thus, organizations should consider how these practices align with their current and anticipated future cybersecurity challenges and needs. Comments on the draft are due November 5 and can be emailed to

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address complex and evolving information security developments. If you would like additional information on how to prepare your organization, including how NIST’s Cybersecurity Framework 2.0 may affect you, please contact us at

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
