Three key changes to highlight in the draft CSF are:
Title, scope, implementation examples and references
The title has changed to the commonly used name, “Cybersecurity Framework” from the original “Framework for Improving Critical Infrastructure Cybersecurity.” The scope of the framework has been updated to reflect its applicability to all organisations across the world. The previous framework emphasised securing United States’ critical infrastructure. Updates to the CSF include Implementation Examples at the Sub-category level, to help organisations achieve outcomes, as well as references to standards, guidelines, regulations, and other resources to help inform how an organisation achieves the Functions, Categories, and Sub-categories.
New governance function
To address enterprise, financial and legal risks, the CSF introduces a new "Govern" function alongside the existing functions of “Identify”, “Protect”, “Detect”, “Respond”, and “Recover”.
The new “Govern” function highlights the role of the business and the importance of the alignment between security and the organisation's strategic objectives. "Govern" also provides additional guidance on Enterprise Risk Management.
Changes to Functions, Categories and Sub-categories
As mentioned, the substantial update has resulted in a change to the number of Functions, Categories and Sub-categories in the Framework.
| | CSF 1.1 | CSF 2.0 |
|---|---|---|
| Functions | 5 | 6 |
| Categories | 23 | 22 |
| Sub-categories | 108 | 106 |
[Timeline figure: Draft 2.0, Workshop #3, Comments due, Release date]
NIST has stated that v2.0 will be released in early 2024; any comments or feedback must be provided to NIST by November 2023.
CSF 2.0 is a voluntary framework. Organisations can determine their own timeline to update profiles or maturity assessments developed with reference to the previous iteration of the Framework.
For those organisations seeking to use CSF 2.0 for the first time, the draft CSF 2.0 can be reviewed now to consider its applicability and utility.
Have you considered what the publication of NIST CSF 2.0 may mean for your organisation?
Will you need to update existing profiles or maturity assessments developed with reference to NIST CSF version 1.1? Will changes to CSF Functions and Categories impact your current and target state? Will weighting changes within Functions have an impact?
Do your executives have strategic oversight of cybersecurity risk management and supply chain management?
The new Govern function sets out a framework for organisations to establish and monitor their cybersecurity risk management strategy and risk appetite, including supply chain risk management.
How does your existing management of cybersecurity risk intersect with other risk areas?
CSF 2.0 provides guidance on how the Framework overlaps with or intersects with other areas including privacy risks, operational and physical security risks.
How do you identify and evaluate improvements to cybersecurity risk management processes? Are lessons learned used to identify improvements?
The new Improvement category within the Identify Function emphasises the importance of continuous improvement.
1 National Institute of Standards and Technology, US Department of Commerce