Resources Articles What’s New in the NIST CSF 2.0 Draft?

What’s New in the NIST CSF 2.0 Draft?

What's New in the NIST CSF 20. Draft


The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) is undergoing a major update. The NIST CSF is one of the most widely used frameworks to help organizations understand and manage their cybersecurity risks. The NIST CSF was released as version 1.0 in 2014, updated to version 1.1 in 2018, and will be updated to version 2.0 early next year. NIST recently released a draft of CSF version 2.0. This article covers what’s in the draft and the differences between CSF versions 1.1 and 2.0.

Big Picture Changes

NIST says the intent of CSF version 2.0 is to “increase clarity, ensure a consistent level of abstraction, address changes in technologies and risks, and improve alignment with national and international cybersecurity standards and practices.” Version 2.0 will bring numerous additions, removals, or modifications of Functions, Categories, and Subcategories across the framework, which are explored in the sections below. The new NIST CSF will also include “Implementation Examples” for each Subcategory. These examples will suggest clear actions an organization can take to meet the intent of the Subcategory. For example, if a Subcategory reads that an organization identifies vulnerabilities then an Implementation Example might read that the organization regularly conducts vulnerability scans to identify unpatched or misconfigured software. Version 2.0 will also update its Informative References so that each Subcategory is mapped to the latest versions of other popular frameworks, such as NIST 800-53 and ISO/IEC 27001.

Changes to the Framework Core

The “Core” of the NIST CSF is its Functions, Categories, and Subcategories, many of which are undergoing significant changes in version 2.0. In NIST CSF version 1.1, there are 5 Functions, 23 Categories, and 108 Subcategories. In NIST CSF version 2.0, there are 6 Functions, 21 Categories, and 112 Subcategories.

Changes to Functions

Since its inception the NIST CSF has had 5 Functions: Identify (ID), Protect (PR), Detect (DE), Respond (RE), and Recover (RC). Version 2.0 will add a 6th Function: Govern (GV). NIST says outcomes focused on preventing cybersecurity incidents will be communicated through the first three Functions—Govern, Identify, and Protect—while outcomes focused on the detection and response to cybersecurity incidents will be communicated through Detect, Respond, and Recover.

Changes to Categories

NIST CSF version 2.0 will have two less Categories than its predecessor; however, it’s not as simple as version 2.0 simply removing two Categories from version 1.1. Instead, most Categories are undergoing a change: some entirely new Categories are created while a few undergo a cosmetic name change. The following Categories are new to version 2.0:

  • GV.OC – Organizational Context
  • GV.RM – Risk Management Strategy
  • GV.RR – Roles and Responsibilities
  • GV.PO – Policies and Procedures
  • ID.IM – Improvement
  • PR.AA – Identity, Management, Authentication, and Access Control
  • PR.PS – Platform Security
  • PR.IR – Technology Infrastructure Resilience
  • DE.AE – Adverse Event Analysis
  • RS.MA – Incident Management
  • RS.CO – Incident Response Reporting and Communication
  • RC.RP – Incident Response Recovery Plan Execution

Changes to Subcategories

Just like the tip of an iceberg, the addition of four more total Subcategories to version 2.0 belies how many subtle changes there are to Subcategory wording and their mapping to a Category. The following is the full list of proposed Subcategories in version 2.0:

Govern (GV)

Organizational Context (GV.OC)

  • GV.OC-01: Organizational mission is understood in order to prioritize cybersecurity risk management (formerly ID.BE-2 and ID.BE-3)
  • GV.OC-02: Internal and external stakeholders, and their expectations regarding cybersecurity risk management, are determined
  • GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed (formerly ID.GV-3)
  • GV.OC-04: Critical objectives, capabilities, and services that stakeholders expect are determined and communicated (formerly ID.BE-4 and ID.BE-5)
  • GV.OC-05: Critical outcomes, capabilities, and services that the organization relies on are determined and communicated (formerly ID.BE-1 and ID.BE-4)

Risk Management Strategy (GV.RM)

  • GV.RM-01: Cybersecurity risk management objectives are established and agreed to by organizational stakeholders (formerly ID.RM-1)
  • GV.RM-02: Cybersecurity supply chain risk management strategy is established, agreed to by organizational stakeholders, and managed (formerly ID.SC-1)
  • GV.RM-03: Risk appetite and risk tolerance statements are determined and communicated based on the organization’s business environment (formerly ID.RM-2 and ID.RM-3)
  • GV.RM-04: Cybersecurity risk management is considered part of enterprise risk management (formerly ID.GV-4)
  • GV.RM-05: Strategic direction describing appropriate risk response options, including cybersecurity risk transfer mechanisms (e.g., insurance, outsourcing), investment in mitigations, and risk acceptance is established and communicated
  • GV.RM-06: Responsibility and accountability are determined and communicated for ensuring that the risk management strategy and program are resourced, implemented, assessed, and maintained
  • GV.RM-07: Risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
  • GV.RM-08: Effectiveness and adequacy of cybersecurity risk management strategy and results are assessed and reviewed by organizational leaders

Roles and Responsibilities (GV.RR)

  • GV.RR-01: Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner, and promotes continuous improvement
  • GV.RR-02: Roles and responsibilities related to cybersecurity risk management are established and communicated (formerly ID.GV-2, ID.AM-6, and DE.DP-1)
  • GV.RR-03: Roles and responsibilities for customers, partners, and other third-party stakeholders are established and communicated (formerly ID.AM-6)
  • GV.RR-04: Roles and responsibilities for suppliers are established, documented in contractual language, and communicated (formerly ID.AM-6)
  • GV.RR-05: Lines of communication across the organization are established for cybersecurity risks, including supply chain risks
  • GV.RR-06: Resourcing and authorities for cybersecurity are decided commensurate with risk strategy, roles, and policies
  • GV.RR-07: Cybersecurity is included in human resources practices (e.g., training, deprovisioning, personnel screening) (formerly PR.IP-11)

Policies and Procedures (GV.PO)

  • GV.PO-01: Policies, processes, and procedures for managing cybersecurity risks are established based on organizational context, risk management strategy, and priorities and are communicated (formerly ID.GV-1)
  • GV.PO-02: The same policies used internally are applied to suppliers
  • GV.PO-03: Policies and procedures are reviewed, updated, and communicated to reflect changes in requirements, threats, technology, and organizational mission

Identify (ID)

Asset Management (ID.AM)

  • ID.AM-01: Inventories of physical devices managed by the organization are maintained
  • ID.AM-02: Inventories of software and services managed by the organization are maintained
  • ID.AM-03: Representations of the organization’s authorized network communication and network data flows are maintained (formerly ID.AM-3 and DE.AE-
  • ID.AM-04: Inventories of external assets and suppliers are maintained
  • ID.AM-05: Assets are prioritized based on classification, criticality, resources, and organizational value
  • ID.AM-06: Sensitive data and corresponding metadata are inventoried and tracked
  • ID.AM-07: Systems, devices, and software are managed throughout their life cycle, including pre-deployment checks, preventive maintenance, transfers, end-of life, and disposition (formerly PR.DS-3, PR.IP-2, PR.MA-1, and PR.MA-2)

Risk Assessment (ID.RA)

  • ID.RA-01: Vulnerabilities in first-party and third-party assets are identified, validated, and recorded (formerly ID.RA-1 and DE.CM-8)
  • ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
  • ID.RA-03: Threats, both internal and external, are identified and recorded
  • ID.RA-04: Potential business impacts and likelihoods are identified and recorded
  • ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to determine exposure and inform risk prioritization
  • ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated (formerly ID.RA-6 and RS.MI-3)
  • ID.RA-07: Changes are managed, assessed for risk impact, and recorded (formerly part of PR.IP-3)
  • ID.RA-08: Risks associated with technology suppliers and their supplied products and services are identified, recorded, prioritized, and monitored (formerly ID.SC-2 and PR.DS-8)
  • ID.RA-09: Processes for receiving, analyzing, and responding to vulnerability disclosures are established (formerly RS.AN-5)
  • ID.RA-10: Exceptions to security measures are reviewed, tracked, and compensated for

Supply Chain Risk Management (ID.SC)

  • ID.SC-01: Cybersecurity requirements are integrated into contracts with suppliers and third-party partners
  • ID.SC-02: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
  • ID.SC-03: Supplier termination and transition processes include security considerations

Improvements (ID.IM)

  • ID.IM-01: Continuous evaluation, including through reviews, audits, and assessments (including self-assessments), is applied to identify opportunities for improvement across all Framework Functions
  • ID.IM-02: Security tests and exercises, including in coordination with suppliers and third-party providers, are carried out to identify improvements (formerly ID.SC-5, PR.IP-10, and DE.DP-3)
  • ID.IM-03: Improvements for processes and activities across all Framework Functions are identified based on lessons learned (formerly PR.IP-7, PR.IP-8, DE.DP-5, RS.IM-1, RS.IM-2, and RC.IM-2)

Protect (PR)

Identity Management, Authentication, and Access Control (PR.AA)

  • PR.AA-01: Identities and credentials for authorized users, processes, and devices are managed by the organization (formerly PR.AC-1)
  • PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions (formerly PR.AC-6)
  • PR.AA-03: Users, processes, and devices are authenticated (formerly PR.AC-3 and PR.AC-7)
  • PR.AA-04: Federated assertions are generated, protected, conveyed, and verified
  • PR.AA-05: Access permissions, entitlements, and authorizations are managed and enforced, incorporating the principles of least privilege and separation of duties (formerly PR.AC-3 and PR.AC-4)
  • PR.AA-06: Account activities and access events are audited and monitored to enforce authorized access (formerly PR.AC-1 and PR.AC-3)
  • PR.AA-07: Physical access to assets is managed, monitored, and enforced (formerly PR.AC-2 and PR.PT-4)

Awareness and Training (PR.AT)

  • PR.AT-01: Awareness and training are provided for users so they possess the knowledge and skills to perform relevant tasks (formerly PR.AT-1 and RS.CO-1)
  • PR.AT-02: Awareness and training are provided for users with elevated privileges so they possess the knowledge and skills to perform relevant tasks (formerly PR.AT-2 and PR.AT-5)
  • PR.AT-03: Awareness and training are provided for third parties with cybersecurity responsibilities (e.g., suppliers, partners, customers) so they possess the knowledge and skills to perform relevant tasks
  • PR.AT-04: Awareness and training are provided to senior leaders so they possess the knowledge and skills to govern and lead a cybersecurity risk-aware culture

Data Security (PR.DS)

  • PR.DS-01: The confidentiality, integrity, and availability of data-at-rest is protected (formerly PR.DS-1, PR-DS.5, PR.DS-6, and PR.PT-2)
  • PR.DS-02: The confidentiality, integrity, and availability of data-in-transit is protected (formerly PR.DS-2, PR.DS-5)
  • PR.DS-03: Data is managed throughout its life cycle, including discovery, maintenance, and destruction (formerly PR.IP-6)
  • PR.DS-4: The confidentiality, integrity, and availability of data-in-use is protected (formerly PR.DS-5)
  • PR.DS-5: Backups of data are conducted, protected, maintained, and tested (formerly PR.IP-4)

Platform Security (PR.PS)

  • PR.PS-01: Configuration management practices are applied (e.g., least functionality, least privilege) (formerly PR.IP-1, PR.IP-3, PR.PT-2, and PR.PT-3)
  • PR.PS-02: Software is patched, updated, replaced, and removed commensurate with risk (formerly PR.IP-12)
  • PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
  • PR.PS-04: Log records are generated for cybersecurity events and made available for continuous monitoring (formerly PR.PT-1)
  • PR.PS-05: Protective technologies are executed on or within platforms to stop unauthorized software execution
  • PR.PS-06: Backups of platform software are conducted, protected, maintained, and tested
  • PR.PS-07: Secure software development practices are integrated and their performance is monitored throughout the software development life cycle
  • PR.PS-08: Supply chain security practices are integrated and their performance is monitored throughout the technology product and service life cycle

Technology Infrastructure Resilience (PR.IR)

  • PR.IR-01: Response and recovery plans (e.g., incident response plan, business continuity plan, disaster recovery plan, contingency plan) are communicated and maintained (formerly PR.IP-9)
  • PR.IR-02: The organization’s networks and environments are protected from unauthorized logical access and usage (formerly PR.AC-3, PR.AC-5, PR.DS-7, and PR.PT-4)
  • PR.IR-03: The organization’s computing assets are protected from environmental threats (formerly PR.IP-5)
  • PR.IR-04: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations (formerly PR.PT-5)
  • PR.IR-05: Adequate resource capacity (e.g., storage, power, network bandwidth, computing) to ensure availability is maintained (formerly PR.DS-4)

Detect (DE)

Adverse Event Analysis (DE.AE)

  • DE.AE-01: Adverse events are analyzed to find possible attacks and compromises
  • DE.AE-02: Information on adverse events is correlated from multiple sources
  • DE.AE-03: The estimated impact and scope of adverse events is determined
  • DE.AE-04: Incident alert thresholds are established
  • DE.AE-05: Information on adverse events is provided to cybersecurity and incident response tools and staff (formerly DE.DP-4)
  • DE.AE-06: Contextual information (e.g., cyber threat intelligence, inventories, security advisories) is integrated into the adverse event analysis
  • DE.AE-07: Adverse cybersecurity events are categorized and potential incidents are escalated for triage

Continuous Monitoring (DE.CM)

  • DE.CM-01: Networks and network services are monitored to find adverse cybersecurity events (formerly DE.CM-1, DE.CM-4, DE.CM-5, and DE.CM-7)
  • DE.CM-02: The physical environment is monitored to find adverse cybersecurity events
  • DE.CM-03: Personnel activity and technology usage are monitored to find adverse cybersecurity events (formerly DE.CM-3 and DE.CM-7)
  • DE.CM-04: External service providers and the services they provide are monitored to find adverse cybersecurity events (formerly DE.CM-6 and DE.CM-7)
  • DE.CM-05: Computing hardware and software and their data are monitored to find adverse cybersecurity events (formerly PR.DS-6, PR.DS-8, DE.CM-4, DE.CM-5, and DE.CM-7)

Respond (RS)

Incident Management (RS.MA)

  • DE.MA-01: The incident response plan is executed (formerly RS.RP-1)
  • DE.MA-02: Incident reports are triaged and validated (formerly RS.AN-1 and RS.AN-2)
  • DE.MA-03: Incidents are categorized and prioritized (formerly RS.AN-4 and RS.AN2)
  • DE.MA-04: Incidents are escalated or elevated as needed (formerly RS.AN-2)
  • DE.MA-05: Criteria for initiating incident recovery defined and applied

Incident Analysis (RS.AN)

  • RS.AN-01: Analysis is performed to determine what has taken place during an incident and the root cause of the incident
  • RS.AN-02: Actions performed during an investigation are recorded and the record’s integrity and provenance are preserved (formerly part of RS.AN-3)
  • RS.AN-03: Incident data and metadata are collected and their integrity and provenance are preserved
  • RS.AN-04: Incident magnitude is estimated and validated
  • RS.AN-05: Incident status is tracked and validated

Incident Response Reporting and Communication (RS.CO)

  • RS.CO-01: Internal and external stakeholders are notified of incidents, as required by law, regulation, or policy
  • RS.CO-02: Information is shared with designated internal and external stakeholders, as required by law, regulation, or policy
  • RS.CO-03: Escalation is coordinated with designated internal and external stakeholders, as required by law, regulation, or policy
  • RS.CO-04: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

Incident Mitigation (RS.MI)

  • RS.MI-01: Incidents are contained
  • RS.MI-02: Incidents are eradicated

Recover (RC)

Incident Recovery Plan Execution (RC.RP)

  • RC.RP-01: The incident recovery plan is executed
  • RC.RP-02: Recovery actions are determined, scoped, prioritized, and performed
  • RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration
  • RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
  • RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
  • RC.RP-06: Criteria for determining the end of incident recovery are defined and applied, and incident-related documentation is completed

Incident Recovery Communication (RC.CO)

  • RC.CO-01: Public relations are managed
  • RC.CO-02: Reputation is repaired after an incident
  • RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders

Looking Ahead

The final version of the NIST CSF 2.0 is not expected until early 2024. NIST is clear that the draft may undergo changes based on community input, which NIST is currently seeking. In the meantime, Sedara is staying up to date on proposed changes to the NIST CSF while helping organizations improve their cybersecurity posture respective to industry best practices and regulatory requirements.

More Reading on This Topic

  • NIST CSF 2.0 Draft –
  • NIST CSF Website –

How Can Sedara Help?

Sedara’s Cybersecurity Development Program can assist your organization in demonstrating compliance with different cybersecurity frameworks. Trained vCISO’s and Cybersecurity Program Analysts can help you discover gaps in your cybersecurity program and create a plan of action to close those gaps and ultimately reduce your risk.


Accomplish your security & compliance goals.

Get a Demo