NIST repositions its Cybersecurity Framework for any organization


The US National Institute for Standards and Technology (NIST) has released Version 2.0 of its Cybersecurity Framework (CSF), the first major update since the framework's initial release in 2014.

Its intended audiences are individuals and teams responsible for developing and leading cybersecurity programs, and others involved in managing risk — including executives, boards of directors, acquisition professionals, technology professionals, risk managers, lawyers, human resources specialists, and cybersecurity and risk management auditors. It is also useful to policymakers and those who communicate priorities for cybersecurity risk management.


CSF 2.0 is organized around six key functions: Identify, Protect, Detect, Respond and Recover, and a newly added Govern function. Together, these functions provide a life cycle perspective for managing cybersecurity risk.

NIST CSF 2.0 Core Function and Category Names & Identifiers (Source: NIST CSF 2.0)

The CSF was originally intended for organizations running critical IT infrastructure, such as power utilities and hospitals. Version 2.0 updates the core guidance and provides resources for any organization. It adds emphasis on governance, gives different audiences tailored pathways into the CSF, and makes the framework easier to put into action.

NIST is highlighting brief “success stories” explaining how diverse organizations use the Framework to improve their cybersecurity risk management. The agency is also providing guidance to organizations that wish to develop and submit their own stories for the benefit of others, and Quick Start Guides that enable them to target specific communities.

A new CSF 2.0 Reference Tool now simplifies the way organizations can implement the CSF, allowing users to browse, search and export data and details from the CSF’s core guidance in human-consumable and machine-readable formats.

In addition, CSF 2.0 offers a searchable catalog of informative references that shows organizations how their current actions map onto the CSF. This catalog allows an organization to cross-reference the CSF’s guidance to more than 50 other cybersecurity documents, including others from NIST, such as SP 800-53 Rev. 5, a catalog of tools (called controls) for achieving specific cybersecurity outcomes.

Organizations can also consult the Cybersecurity and Privacy Reference Tool (CPRT), which contains an interrelated, browsable and downloadable set of NIST guidance documents that contextualizes these NIST resources, including the CSF, with other popular resources.

Further reading

The NIST Cybersecurity Framework (CSF) 2.0. Standards reference document (PDF). February 26, 2024. National Institute for Standards and Technology (NIST)

NIST releases Version 2.0 of landmark Cybersecurity Framework. Press release. February 26, 2024. National Institute for Standards and Technology (NIST)

Why it matters

The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.

The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. This document describes CSF 2.0, its components, and some of the many ways that it can be used.
