NIST publishes expanded draft of key cybersecurity framework

The latest draft widens the document’s scope to provide guidance for organizations of all sizes as well as for critical infrastructure.
(NIST photo)

The National Institute of Standards and Technology has issued an expanded draft of its core cybersecurity framework document, which provides guidance for public and private sector organizations working to quantify and manage cybersecurity risk.

An updated version of NIST’s Cybersecurity Framework 2.0 incorporates recently submitted industry feedback and expands the document’s scope to provide guidance for organizations of all sizes, instead of focusing primarily on guidance for critical infrastructure.

The cybersecurity framework — along with NIST’s Risk Management Framework — is used by federal agencies to plan for and mitigate cybersecurity risks. The latest draft comes as the Biden administration ramps up its focus on addressing cyber-supply chain risk, including through the use of attestation forms and software bills of material.

In addition to expanding its scope, the latest draft has added a sixth function — govern — in addition to the document’s five existing functions: identify, protect, detect, respond and recover. It also provides additional specific guidance on how small firms should best implement the framework.


In January, NIST teased forthcoming updates to the framework and published a concept paper intended to spur feedback from industry.

The Commerce Department bureau will hold a workshop in the fall to discuss the draft and accept public comment until Nov. 4, although it does not intend to issue another draft version of the framework.

Commenting on the updated document, the framework’s lead developer Cherilyn Pascoe said: “With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well.”

“The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical,” she added.

Latest Podcasts