NIST Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework

 Note to Reviewers
NIST is publishing this concept paper to seek additional input on the structure and direction of the
Cybersecurity Framework (CSF or Framework) before crafting a draft of CSF 2.0. 

This concept paper outlines
more significant potential changes that NIST is considering in developing CSF 2.0. These potential changes are
informed by the extensive feedback received to date, including in response to the NIST Cybersecurity Request
for Information (RFI) and the first workshop on CSF 2.0. 

Some of the proposed changes outlined here are larger structural changes that may impact compatibility with
CSF 1.1, thus warranting additional attention and discussion. This paper also outlines potential major changes to
CSF resources, including the CSF website, Profiles, mappings, and guidance. 

 This paper does not cover all potential changes that may be made to the Framework structure, format, and
content, especially specific changes to Categories and Subcategories of the CSF Core. NIST continues to
welcome input on specific changes, including redlines, to the CSF narrative and Core, as well as to related CSF

NIST seeks feedback on this paper to inform further development of CSF 2.0, including, for each
numbered section.

 (e.g., Section 1.1. ‘Change the CSF’s title…’): 

 1. Do the proposed changes reflect the current cybersecurity landscape (standards, risks, and

 2. Are the proposed changes sufficient and appropriate? Are there other elements that should
be considered under each area? 

 3. Do the proposed changes support different use cases in various sectors, types, and sizes of
organizations (and with varied capabilities, resources, and technologies)? 

 4. Are there additional changes not covered here that should be considered? 

 5. For those using CSF 1.1, would the proposed changes affect continued adoption of the
Framework, and how so? 

 6. For those not using the Framework, would the proposed changes affect the potential use of
the Framework? 

 Feedback and comments should be directed to by March 3, 2023. All relevant
comments, including attachments and other supporting material, will be made publicly available on the NIST
CSF 2.0 website. 

Personal, sensitive, or confidential business information should not be included. Comments
with inappropriate language will not be considered. 

The changes proposed in this paper will also be discussed at
the upcoming second CSF 2.0 virtual workshop on February 15, 2023, and during CSF 2.0 in-person working
sessions on February 22-23, 2023. 

Contact if you would like NIST to consider
participating at a conference, webinar, or informal roundtable to discuss the CSF update and this paper. 

After reviewing feedback on this concept paper and considering insights gained through the workshops, NIST
intends to publish the draft Cybersecurity Framework 2.0 in the coming months for a 90-day public review.

To see the full paper go