NIST working on ‘potential significant updates’ to cybersecurity framework

The framework is a voluntary guide to help organizations in all sectors to better manage cybersecurity risks.

The National Institute of Standards and Technology intends to release version 2.0 of its Cybersecurity Framework in the coming years, and this week, the agency teased some of the “potential significant updates” that may land in that new framework.

On Thursday, NIST published a concept paper outlining significant changes to the Cybersecurity Framework and opening them to public feedback over the next several weeks.

The framework is a voluntary guide to help organizations in all sectors to better understand, manage, reduce, and communicate cybersecurity risks. It is used widely, along with NIST’s Risk Management Framework, by federal agencies to plan their own cybersecurity approaches.

Of the proposed changes in the concept paper, the most notable are broadening the scope of the framework beyond critical infrastructure use cases to better include other organizations like small businesses and higher education institutions; including more guidance for implementation; and emphasizing the importance of cybersecurity governance and cybersecurity supply chain risk management, among others.


These updates come directly from responses to NIST’s cybersecurity request for information opened last February.

Largely, that RFI showed that “the CSF remains effective in addressing cybersecurity risks by facilitating governance and risk management programs and enhancing communication within and across organizations,” NIST writes in the new concept paper.

“The CSF has been adopted voluntarily and in governmental policies and mandates at all levels around the world, reflecting its enduring and flexible nature to transcend risks, sectors, technologies, and national borders. The CSF is intended to be a living document that is refined and improved over time,” the paper reads. “The ‘CSF 2.0’ version reflects the evolving cybersecurity landscape — but community needs will drive the extent and content of the changes.”

NIST’s Cybersecurity Framework 1.0 was released in 2014 and updated in 2018 with version 1.1. Per its timeline, NIST hopes to publish a draft of version 2.0 this summer and the final framework in the winter of 2024.

Public responses to the concept paper are due by March 3.

Written by Billy Mitchell

Billy Mitchell is Senior Vice President and Executive Editor of Scoop News Group's editorial brands. He oversees operations, strategy and growth of SNG's award-winning tech publications, FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. After earning his journalism degree at Virginia Tech and winning the school's Excellence in Print Journalism award, Billy received his master's degree from New York University in magazine writing while interning at publications like Rolling Stone.