NIST Cybersecurity Framework 2.0 – A Canadian Perspective

In August 2023, the U.S. National Institute of Standards and Technology released a public draft of an updated Cybersecurity Framework with significant changes, including an emphasis on governance and supply chain risk management that align with Canadian legal requirements and regulatory guidance. The updated Framework will be an important benchmark resource for Canadian organizations of all kinds and sizes.


The National Institute of Standards and Technology (NIST) is a U.S. Department of Commerce agency whose mission is to promote American innovation and industrial competitiveness. The NIST Cybersecurity Framework (the “CSF”) provides guidance for managing cybersecurity risks by helping organizations understand, assess, prioritize, and communicate about those risks and the actions that will reduce them. The first version of the CSF, designed for use by critical infrastructure operators, was published in 2014. The current version, CSF 1.1, was published in 2018. In addition, in 2016, NIST published simplified cybersecurity guidance titled Small Business Information Security: The Fundamentals based on the CSF. See BLG bulletin Cybersecurity Guidance for Small and Medium Size Enterprises.

The CSF, particularly its “Framework Core”, has been endorsed as a foundational cybersecurity resource by regulators and industry associations around the world, including in Canada. For example, the CSF Framework Core is reflected in the Investment Industry Regulatory Organization of Canada’s Cybersecurity Best Practices Guide and Cyber Security Self Assessment, the BC Financial Services Authority’s Information Security Guideline, the Mutual Fund Dealers Association of Canada’s Cybersecurity bulletin, the Ontario Energy Board’s Ontario Cyber Security Framework, and the Chartered Professional Accountants Canada’s 20 questions directors should ask about cybersecurity.

Cybersecurity Framework 2.0

In August 2023, NIST announced a public draft of an updated Cybersecurity Framework 2.0 (CSF 2.0), a Discussion Draft of Implementation Examples, and a CSF 2.0 Reference Tool. NIST is accepting public comment on draft CSF 2.0 until November 2023, and plans to publish the final version of CSF 2.0 in early 2024.

Read Bradley Freedman’s article on this topic.

This content has been updated on February 7, 2024 at 15 h 47 min.