NIST Releases Cybersecurity Framework 2.0 Draft
NIST has released its CSF 2.0 Draft. 2.0 represents a major update to the CSF—a resource first released in 2014 to help organizations reduce cybersecurity risk. The draft update reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice for all organizations. The CSF 2.0 draft reflects several major changes, including an expanded scope, the addition of a sixth function, Governance, and improved and expanded guidance on implementing the CSF—especially for creating profiles.
Below is a summary of selected Framework changes from version 1.1 to 2.0:
Emphasize cybersecurity governance:
- New Function, Govern, added to cover organizational context; risk management strategy; cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and oversight.
- New guidance is offered on integrating the Framework with the NIST Privacy Framework and with enterprise risk management as discussed in NIST IR 8286.
- The focus on people, processes, and technology is expanded throughout the implementation of the Framework.
Emphasize cybersecurity supply chain risk management:
- A new Category in Govern is focused on cybersecurity supply chain risk management.
- Content updated to reflect the latest NIST guidance and Framework practices related to cybersecurity supply chain risk management and secure software development.
Clarify understanding of cybersecurity measurement and assessment:
- Information on cybersecurity assessment updated, with new pointers to NIST SP 800-55.
- Tiers clarified to focus on cybersecurity governance, risk management, and third-party considerations.
- The importance of continuous improvement is emphasized through a new Improvement Category in the Identify Function, as well as improvements in guidance on developing and updating Profiles and action plans.
Recognize the broad use of the Framework:
- The title changed to the commonly used name, “Cybersecurity Framework”.
- The scope of the Framework has been updated to reflect use by all organizations, not just Critical Infrastructure.
- The original emphasis on securing U.S. critical infrastructure has been modified to focus on organizations all around the world to reflect the broad and international use of the Framework.
Relate CSF to other Frameworks and resources:
- NIST reviewed updates to resources published in recent years to identify changes to the narrative and Core; this includes new references to the NIST Privacy Framework, NICE Workforce Framework for Cybersecurity (SP 800-181), Secure Software Development Framework (SP 800-218), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161r1), Performance Measurement Guide for Information Security (SP 800-55), Integrating Cybersecurity and Enterprise Risk Management (NIST IR 8286) series, and the Artificial Intelligence Risk Management Framework (AI 100-1).
- In the future NIST will release an online tool on the NIST CSF website to host the CSF 2.0 Core, with human- and machine-readable formats. This new tool will allow organizations to see the relationships online between the Core and updatable Informative References.
Increase guidance on CSF implementation:
- Implementation Examples are added to provide notional examples of action-oriented processes to achieve CSF Subcategories.
- Framework Profiles guidance was revised significantly and expanded to provide guidance on the steps for using Profiles and to illustrate several purposes for Profiles.
- Notional templates were developed that organizations can use or adapt for creating their Profiles and action plans.