What is the NIST Cybersecurity Framework 2.0?
The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary guide for managing and reducing cybersecurity risk. NIST published it in February 2024 as the successor to CSF 1.1. The framework gives organizations a shared vocabulary to understand, assess, prioritize, and communicate cybersecurity risk, and any organization can use it regardless of size, sector, or cybersecurity maturity.
As a result, CSF 2.0 has become a global reference point. It sits alongside ISO/IEC 27001 and NIST SP 800-53 among the most widely adopted security frameworks, and it is written to be used together with related NIST frameworks such as the AI Risk Management Framework (AI RMF) rather than in place of them.
What are the six core functions of the NIST Cybersecurity Framework 2.0?
CSF 2.0 organizes cybersecurity outcomes around six core functions. They give leadership a high-level view of the cybersecurity program and give operations teams a structure to execute against. The Govern function is new in 2.0 and is the flagship addition of this version.
The six functions are:
- Govern (GV): establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policy, including roles, oversight, and supply chain risk, and integrates cyber risk into enterprise risk management
- Identify (ID): builds an understanding of the organization's current cybersecurity risks, covering its systems, assets, data, and suppliers
- Protect (PR): puts safeguards in place to manage those risks and protect assets
- Detect (DE): finds and analyzes possible cybersecurity attacks and compromises
- Respond (RS): takes action on a detected cybersecurity incident
- Recover (RC): restores assets and operations affected by an incident
What are the main components of the CSF 2.0?
CSF 2.0 has four main components that work together. Each addresses a different audience and level of detail, which is what lets the framework scale from a small clinic to a Fortune 500 enterprise.
The components are:
- CSF Core: the set of cybersecurity activities and outcomes organized as Functions, Categories, and Subcategories. In addition, the Core is sector-, country-, and technology-neutral
- Organizational Profiles: describe your current cybersecurity posture (Current Profile) and your target state (Target Profile)
- CSF Tiers: characterize the rigor of your cybersecurity risk governance and risk management practices, from Partial (Tier 1) through Risk Informed (Tier 2) and Repeatable (Tier 3) to Adaptive (Tier 4). Tiers describe the organization as a whole; they are not maturity scores for individual outcomes
- Online resources: Informative References, Implementation Examples, Quick Start Guides, and Community Profiles that translate the framework into practice
What changed in CSF 2.0 compared to CSF 1.1?
CSF 2.0 is the most significant update since the framework first launched in 2014. The changes reflect a decade of lessons learned and the shift toward enterprise-wide cyber risk governance. Organizations still on CSF 1.1 should plan a transition to 2.0, since regulators and auditors increasingly reference the new version.
The major changes are:
- A new Govern function that elevates cybersecurity governance and ties it to enterprise risk management
- Expanded coverage of cybersecurity supply chain risk management (C-SCRM), including a dedicated Govern category (GV.SC), reflecting real-world supply chain incidents and aligning with NIST SP 800-161
- Clearer guidance on using the CSF together with privacy frameworks and the NIST AI Risk Management Framework
- Implementation Examples (new in 2.0) and Informative References for every Subcategory, maintained online, so organizations see concrete actions rather than outcomes alone
How can my organization use the NIST Cybersecurity Framework 2.0 to improve its cybersecurity posture?
CSF 2.0 describes a five-step process for moving from good intentions to measurable progress. The process is a cycle, so improvements compound over time. A common cadence is a full cycle every 12 to 18 months, with Profiles updated whenever the business or threat landscape shifts.
The five steps are:
- Scope the Organizational Profile: define what the Profile covers based on your business priorities
- Gather information: collect data on existing cybersecurity practices, resources, risks, and requirements
- Create the Organizational Profile: build a Current Profile and a Target Profile
- Analyze gaps and create an action plan: compare the two Profiles, identify gaps, and prioritize remediation
- Implement the action plan and update the Profile: execute, track progress, and refresh the Profiles as the environment changes
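The following is an added example, not code from NIST or from the original page, showing one way to carry the five steps above in a small Python model: each Subcategory in scope gets a Current and a Target state, the gap analysis ranks the shortfalls into an action plan, and progress updates feed back into the Current Profile. The Subcategory identifiers are CSF 2.0 ones, but the outcome texts are paraphrased, the 0-3 implementation scale and the priority weights are this example's own conventions (not the CSF Tiers), and every state, priority, and owner is constructed sample data.

```python
"""Gap analysis for a CSF 2.0 Organizational Profile (added example, not NIST code).

Models a Profile as one record per Subcategory holding a Current and a
Target implementation state, then scopes it, ranks the gaps into an action
plan, and records progress. The 0-3 state scale below is this example's own
convention, not the CSF Tiers (which describe organization-wide governance
and risk management practices, not individual outcomes).
"""
from dataclasses import dataclass

# Implementation state of one outcome (this example's own scale, not CSF Tiers).
NOT_STARTED, PARTIAL, IMPLEMENTED, OPTIMIZED = 0, 1, 2, 3
VALID_STATES = (NOT_STARTED, PARTIAL, IMPLEMENTED, OPTIMIZED)

# Weight assigned while scoping the Profile; drives the order of the action plan.
PRIORITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Outcome:
    subcategory: str   # CSF 2.0 Subcategory identifier, e.g. "PR.AA-01"
    description: str   # paraphrased outcome text
    current: int       # state recorded in the Current Profile
    target: int        # state wanted in the Target Profile
    priority: str      # business priority set when scoping the Profile
    owner: str = "unassigned"

    def __post_init__(self):
        if self.current not in VALID_STATES or self.target not in VALID_STATES:
            raise ValueError(f"{self.subcategory}: state must be 0..3")
        if self.priority not in PRIORITY_WEIGHT:
            raise ValueError(f"{self.subcategory}: unknown priority {self.priority!r}")

    @property
    def function(self) -> str:
        """Function prefix of the identifier ("PR" for "PR.AA-01")."""
        return self.subcategory.split(".", 1)[0]

    @property
    def gap(self) -> int:
        """Levels still to climb; exceeding the target is not a gap."""
        return max(self.target - self.current, 0)

    @property
    def score(self) -> int:
        """Priority-weighted gap used to order remediation."""
        return self.gap * PRIORITY_WEIGHT[self.priority]


def scope_profile(outcomes, functions=None):
    """Step 1: keep only the Functions the Profile is meant to cover."""
    if functions is None:
        return list(outcomes)
    wanted = set(functions)
    return [o for o in outcomes if o.function in wanted]


def action_plan(outcomes):
    """Step 4: every outcome with a gap, highest weighted gap first,
    ties broken by identifier so the order is stable across runs."""
    return sorted((o for o in outcomes if o.gap > 0),
                  key=lambda o: (-o.score, o.subcategory))


def function_summary(outcomes):
    """Roll-up for leadership: (outcomes at or above target, total) per Function."""
    summary = {}
    for o in outcomes:
        met, total = summary.get(o.function, (0, 0))
        summary[o.function] = (met + int(o.gap == 0), total + 1)
    return summary


def record_progress(outcomes, subcategory, new_state):
    """Step 5: update the Current Profile as remediation lands."""
    if new_state not in VALID_STATES:
        raise ValueError("state must be 0..3")
    for o in outcomes:
        if o.subcategory == subcategory:
            o.current = new_state
            return o
    raise KeyError(f"{subcategory} is not in this Profile")


def build_sample_profile():
    """Steps 2-3 on constructed sample data (not a real assessment)."""
    return [
        Outcome("GV.OC-01", "Mission understood and informs risk management",
                IMPLEMENTED, IMPLEMENTED, "high", "CISO"),
        Outcome("GV.SC-01", "Supply chain risk management program established",
                NOT_STARTED, IMPLEMENTED, "high", "CISO"),
        Outcome("ID.AM-01", "Hardware inventory maintained",
                PARTIAL, IMPLEMENTED, "medium", "IT ops"),
        Outcome("PR.AA-01", "Identities and credentials managed",
                PARTIAL, OPTIMIZED, "high", "IAM team"),
        Outcome("DE.CM-01", "Networks monitored for adverse events",
                PARTIAL, IMPLEMENTED, "high", "SOC"),
        Outcome("RS.MA-01", "Incident response plan executed once declared",
                IMPLEMENTED, IMPLEMENTED, "medium", "SOC"),
        Outcome("RC.RP-01", "Recovery plan executed from the IR process",
                NOT_STARTED, PARTIAL, "low", "IT ops"),
    ]


if __name__ == "__main__":
    profile = build_sample_profile()
    for o in action_plan(profile):
        print(f"{o.subcategory}  gap={o.gap}  score={o.score}  "
              f"owner={o.owner}  {o.description}")
    print(function_summary(profile))
```

The scoring is deliberately simple (gap multiplied by a priority weight) so that the order of the plan is explainable to leadership; a real program would replace the weight with the risk register's likelihood and impact ratings, and would keep the per-Function roll-up as the view that goes to the board while the ranked list goes to the owners.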