Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Other (Initial Preliminary Draft)

Discussion Draft of the NIST Cybersecurity Framework 2.0 Core

Date Published: April 24, 2023
No Comments Solicited
Email Questions to:


National Institute of Standards and Technology


This discussion draft identifies the potential Functions, Categories, and Subcategories (also called cybersecurity outcomes) of the NIST Cybersecurity Framework (CSF) 2.0 Core. NIST is releasing this document for discussion to inform the development of the complete NIST CSF 2.0 Draft.

This early draft of the NIST CSF 2.0 Core is preliminary—it is intended to increase transparency of the update process and promote discussion to generate concrete suggestions for improving the Framework. The draft covers cybersecurity outcomes across 6 Functions, 21 Categories, and 112 Subcategories (Tables 1 and 3). It also includes a sampling of the potential new CSF 2.0 Informative Examples column, to provide notional actions that interpret the CSF Subcategories (Table 2). The draft does not yet identify all Implementation Examples, Informative References, or other information that may be included in the CSF 2.0 Core. In addition to PDF and Excel formats, the final CSF 2.0 Core will be showcased through the online Cybersecurity and Privacy Reference Tool (CPRT) to provide a machine-readable format and updates to crosswalk and mappings to other resources.

The modifications from CSF 1.1 are intended to increase clarity, ensure a consistent level of abstraction, address changes in technologies and risks, and improve alignment with national and international cybersecurity standards and practices. While many organizations have told NIST the CSF 1.1 is still effective in addressing cybersecurity risks, NIST believes these changes are warranted to make it easier for organizations to address their current and future cybersecurity challenges more effectively. The NIST CSF has been widely used to reduce cybersecurity risks since initial publication in 2014; NIST is working with the community to ensure the CSF 2.0 is effective for the next decade.

Feedback on this discussion draft may be submitted to at any time. Feedback will inform the complete NIST CSF 2.0 draft anticipated to be released for public comment this summer.

NIST seeks feedback as to whether the cybersecurity outcomes address current cybersecurity challenges faced by organizations, are aligned with existing practices and resources, and are responsive to the comments. NIST seeks concrete suggestions about improvements to the draft, including revisions to Functions, Categories, and Subcategories, and submissions of omitted cybersecurity outcomes. NIST also requests feedback on the format, content, and scope of Implementation Examples; suggestions of possible Examples; and the appropriate level of abstraction between Subcategories and Examples. In addition, NIST requests feedback on the best way to showcase final modifications from CSF 1.1 to CSF 2.0 to ease transition.

All relevant comments, including attachments and other supporting material, will be made publicly available on the NIST CSF 2.0 website. Personal, sensitive, or confidential business information should not be included. Comments with inappropriate language will not be considered.

Cherilyn Pascoe
NIST Cybersecurity Framework Program Lead

Control Families

None selected


Discussion Draft NIST CSF 2.0 Core (pdf)

Supplemental Material:
CSF 2.0 Project homepage

Document History:
04/25/23: Other (Draft)
08/08/23: Other (Draft)


Security and Privacy

risk management


cybersecurity framework