Note to Reviewers

NIST is publishing this concept paper to seek additional input on the structure and direction of the Cybersecurity Framework (CSF or Framework) before crafting a draft of CSF 2.0.
This concept paper outlines more significant potential changes that NIST is considering in developing CSF 2.0. These potential changes are informed by the extensive feedback received to date, including in response to the NIST Cybersecurity Request for Information (RFI) and the first workshop on CSF 2.0.
Some of the proposed changes outlined here are larger structural changes that may impact compatibility with CSF 1.1, thus warranting additional attention and discussion. This paper also outlines potential major changes to CSF resources, including the CSF website, Profiles, mappings, and guidance.
This paper does not cover all potential changes that may be made to the Framework structure, format, and content, especially specific changes to Categories and Subcategories of the CSF Core. NIST continues to welcome input on specific changes, including redlines, to the CSF narrative and Core, as well as to related CSF resources.
NIST seeks feedback on this paper to inform further development of CSF 2.0, including, for each numbered section (e.g., Section 1.1. ‘Change the CSF’s title…’):
1. Do the proposed changes reflect the current cybersecurity landscape (standards, risks, and technologies)?
2. Are the proposed changes sufficient and appropriate? Are there other elements that should be considered under each area?
3. Do the proposed changes support different use cases in various sectors, types, and sizes of organizations (and with varied capabilities, resources, and technologies)?
4. Are there additional changes not covered here that should be considered?
5. For those using CSF 1.1, would the proposed changes affect continued adoption of the Framework, and how so?
6. For those not using the Framework, would the proposed changes affect the potential use of the Framework?
Feedback and comments should be directed to [email protected] by March 3, 2023. All relevant comments, including attachments and other supporting material, will be made publicly available on the NIST CSF 2.0 website.
Personal, sensitive, or confidential business information should not be included. Comments with inappropriate language will not be considered.
The changes proposed in this paper will also be discussed at the upcoming second CSF 2.0 virtual workshop on February 15, 2023, and during CSF 2.0 in-person working sessions on February 22-23, 2023.
Contact [email protected] if you would like NIST to consider participating at a conference, webinar, or informal roundtable to discuss the CSF update and this paper.
After reviewing feedback on this concept paper and considering insights gained through the workshops, NIST intends to publish the draft Cybersecurity Framework 2.0 in the coming months for a 90-day public review.
To see the full paper, go to https://www.nist.gov/system/files/documents/2023/01/19/CSF_2.0_Concept_Paper_01-18-23.pdf