The National Institute of Standards and Technology released a long-anticipated draft version of the Cybersecurity Framework 2.0 Tuesday, the first major update of the agency’s risk guidance since 2014.
After originally focusing risk guidance on critical infrastructure, the updated framework includes a wider array of organizations, including small- and medium-sized businesses, local schools and other entities.
The revised framework also addresses the role of corporate governance and the growing risks to digital networks via third-party relationships.
“NIST is updating the Framework to account for the changes in the cybersecurity landscape, including changes in threats, technologies and standards,” Cherilyn Pascoe, lead developer of the framework, said via email. “Some of the changes to the Framework – such as the expanded focus on cybersecurity governance and supply chain cybersecurity – are in response to those changes in the cybersecurity landscape over the past decade.”
Organizations across the globe have used the original CSF over the past decade, and the framework has been downloaded more than 2 million times, according to NIST.
The CSF 2.0 follows more than a year of feedback from various stakeholders, reflecting major changes in the digital threat landscape.
NIST issued a request for information in February 2022 about how to revise the framework and improve supply chain risk management. It received more than 130 responses from a range of companies and other organizations, including Microsoft, American Airlines, Carnegie Mellon University and a joint response of more than two dozen cybersecurity organizations led by Rapid7.
The guidance breaks down along five main functions: how to identify, protect against, detect, respond to and recover from cyberattacks or data breaches.
The guidance is intended to help organizations, particularly small- and medium-sized firms that lack internal resources, develop robust security programs and measure results.
The guidance is not designed to be prescriptive, but outcome driven, according to Mike Hamilton, the CISO at Critical Insight.
“So remote access is managed,” Hamilton cites as an example. “It doesn’t matter how you do that. It matters that you do it.”
The new guidance includes a sixth function regarding governance within an organization, which industry analysts consider a critical change to the framework, particularly in light of new emphasis on rapid disclosure and intelligence sharing.
“Security teams live and breathe technical controls, but management-led controls are often harder to implement,” Cody Scott, senior analyst, security and risk at Forrester, said via email. “The govern step in CSF 2.0 gives security teams an opening with business leadership to show their role in enabling effective business management.”
NIST will release a CSF 2.0 reference tool in a few weeks to help users browse, search and export data in a format that is machine readable. It will also hold a workshop in the fall for additional public comments.
The deadline for public comments is Nov. 4 and NIST plans to publish a final version of CSF 2.0 in early 2024.