The National Institute of Standards and Technology (NIST) released an upgrade to its Cybersecurity Framework (CSF), which is aimed at organizations of all sizes. This update comes almost a decade after CSF was first introduced as technical cybersecurity guidance for critical infrastructure interests including energy, banking, and hospitals, among other entities.

NIST reviewed more than a year’s worth of community feedback, and last week, released the draft of the NIST Cybersecurity Framework 2.0 for public comment. It was meant to reflect changes in the cybersecurity landscape and to make it easier to put CSF into practice.

Several Major Changes

The draft of CSF 2.0 reflects several significant changes, including an expanded scope, the addition of a sixth function, Govern, and improved and expanded guidance on implementing the CSF – notably for creating profiles.

In addition, NIST released a separate Discussion Draft of the Implementation Examples included in the CSF 2.0 Draft Core for public comment. NIST has said it will also soon share a new CSF 2.0 Reference Tool, which will allow users of the CSF 2.0 to download and search the CSF 2.0 Draft Core.

“As the newest draft of the NIST CSF, version 2.0 will hit the streets in November 2023. This is a major update since CSF version 1.1 was published in April 2018, and will now include new standards, guidelines, and best practices that align with both National and International standards,” explained Al Martinek, customer threat analyst at security solutions provider

“This means industries that span around the globe will now allow for easier implementation across organizations while helping to ensure that they are adhering to the latest best practices in cybersecurity,” Martinek told ClearanceJobs.

With the addition of a new governance component and supply chain risk management enhancements, organizations will now have to reevaluate the cybersecurity policies and practices they put in place under the previous CSF v1.1.

“The expansion of NIST is a pivotal step towards securing all industries across the U.S.,” added Eduardo Azanza, CEO of digital identity verification firm Veridas.

“This forward-looking initiative demonstrates NIST’s recognition of the universal relevance of cybersecurity and takes into consideration the unique challenges faced by various sectors. This inclusive approach will set in motion the path to a safer digital landscape and leaves no one behind,” Azanza told ClearanceJobs via an email.

Beyond Basic Cybersecurity

CSF 2.0 is also meant to expand the scope of the NIST framework to all forms of organizations and isn’t limited to critical infrastructure.

“NIST’s addition of the ‘govern’ pillar to the Cybersecurity Framework reinforces the idea that cybersecurity should not just be a reactive procedure for organizations, but rather needs to be aligned with overarching business decisions on a daily basis. This shift in perspective will empower organizations to make informed choices and contribute to their long-term success,” suggested Azanza.

“With a new comprehensive approach, NIST is leading the way in strengthening cybersecurity resilience,” he noted. “By implementing unified and inclusive strategies, the U.S. can establish a digital world that is safe for all.”

A Reminder to Stay Current

Just as individual users need to patch their software and keep all their devices current, the same will very much hold true with NIST CSF 2.0.

“Any organization already implementing CSF v1.1 should stay up-to-date with the current draft version of CSF v2.0 so they are ready to adapt their current cybersecurity practices and policies,” Martinek continued. “Additionally, staying ‘in the know’ is paramount in ensuring an organization is protecting against the constantly changing and ever-evolving cyber threat landscape.”

NIST further announced that public comments will be accepted on both of its drafts via until Friday, November 4. The feedback received will inform the development of the final CSF 2.0, which will be published in early 2024.

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at You can follow him on Twitter: @PeterSuciu.