Date Published: August 8, 2023
Comments Due: November 6, 2023 (public comment period is CLOSED)
Email Questions to: email@example.com
This is the public draft of the NIST Cybersecurity Framework (CSF or Framework) 2.0.
The Framework has been used widely to reduce cybersecurity risks since its initial publication in 2014. Many organizations have told NIST that CSF 1.1 remains an effective framework for addressing cybersecurity risks. There is also widespread agreement that changes are warranted to address current and future cybersecurity challenges and to make it easier for organizations to use the Framework. NIST is working with the community to ensure that CSF 2.0 is effective for the future while fulfilling the CSF’s original goals and objectives.
NIST seeks feedback on whether this draft revision addresses organizations’ current and anticipated future cybersecurity challenges, is aligned with leading practices and guidance resources, and reflects comments received so far. In addition, NIST requests ideas on the best way to present the modifications from CSF 1.1 to CSF 2.0 to support transition. NIST encourages concrete suggestions for improvements to the draft, including revisions to the narrative and Core.
This draft includes an updated version of the CSF Core, reflecting feedback on the April discussion draft. This publication does not contain Implementation Examples or Informative References of the CSF 2.0 Core, given the need to frequently update them. Initial draft Implementation Examples have been released under separate cover for public comment. NIST seeks feedback on what types of Examples would be most beneficial to Framework users, as well as what existing sources of implementation guidance might be readily adopted as sources of Examples (such as the NICE Framework Tasks). NIST also seeks feedback on how often Implementation Examples should be updated and whether and how to accept Implementation Examples developed by the community.
As the CSF 2.0 is finalized, the updated Implementation Examples and Informative References will be maintained online on the NIST Cybersecurity Framework website, leveraging the NIST Cybersecurity and Privacy Reference Tool (CPRT). Resource owners and authors who are interested in mapping their resources to the final CSF 2.0 to create Informative References should reach out to NIST.
Feedback on this CSF 2.0 Public Draft, as well as the related Implementation Examples draft, may be submitted to firstname.lastname@example.org by 11:59 pm ET on Monday, November 6, 2023.
All relevant comments, including attachments and other supporting material, will be made publicly available on the NIST CSF 2.0 website. Personal, sensitive, confidential, or promotional business information should not be included. Comments with inappropriate language will not be considered.
This draft will be discussed at the third CSF workshop, which will be held this fall. NIST does not plan to release another draft of CSF 2.0 for comment. Feedback on this draft will inform development of the final CSF 2.0 to be published in early 2024.
The modifications between Version 1.1 and this version are based on community input through:
See the full Note to Reviewers at the beginning of the draft for more details summarizing changes between CSF 1.1 and this draft.
NIST CSF 2.0 Website
Public comments received
Implementation Examples Discussion Draft (pdf)
CSF 2.0 Reference Tool
NIST News Announcement: NIST Drafts Major Update to Its Widely Used Cybersecurity Framework
Related NIST Publications:
02/26/24: CSWP 29 (Final)
advanced persistent threats, botnets, categorization, continuous monitoring, controls assessment, information sharing, intrusion detection & prevention, malware, privacy controls, risk assessment, roots of trust, security controls, system authorization, vulnerability management