NIST CSF 2.0: The world’s favorite cybersecurity framework comes of age

The NIST cybersecurity framework has been a go-to resource for defining cybersecurity strategies, policies, and activities ever since version 1.0 was published back in 2014. Originally intended specifically for US companies operating critical infrastructure, it soon gained popularity across all industries and is used by CISOs worldwide. February 2024 saw the launch of version 2.0 of the framework, renamed and restructured to bring it in line with real-life usage and modern cybersecurity challenges. Just as importantly, the NIST CSF 2.0 comes with practical implementation examples, quick start guides, and extensible community profiles for specific industries and use cases.

A brief history of the CSF

The original Framework for Improving Critical Infrastructure Cybersecurity was published in 2014 by NIST (The National Institute of Standards and Technology) in response to an Obama administration executive order calling for a standardized cybersecurity framework to help structure efforts around securing critical infrastructure. Originally intended to guide organizations managing critical infrastructure services in the US private sector, the framework proved popular with organizations of all sizes worldwide. Later updated to version 1.1, the document became informally known as simply the NIST cybersecurity framework.

In the wake of mounting supply-chain attacks a decade later, notably against SolarWinds and Colonial Pipeline, the Biden administration issued its own executive order on cybersecurity. Among its many provisions, the order also once again obligated NIST to prepare and issue suitable guidance. Two years later, in October 2023, NIST released a public draft of version 2.0 of its framework, followed by the final document in February 2024 that included enhancements based on community feedback. 

Now officially renamed the Cybersecurity Framework (CSF), the current document is intended to “…reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well.” Let’s take a look at the changes made to the framework itself and its accompanying resources in an effort to expand its usefulness far beyond the originally intended scope.

Changes in version 2.0 compared to CSF 1.1

The most obvious change to the framework core is that while v1.1 divided cybersecurity efforts into five core functions, version 2.0 has six: Govern, Identify, Protect, Detect, Respond, and Recover. The Govern function is the newcomer, mostly incorporating existing outcomes (subcategories) pulled from other functions. This new high-level home for governance functions highlights the importance of top-down planning and oversight in ever more complex environments.

The new Govern function also reflects the focus of the document, expanding beyond only protecting critical infrastructure and towards wider applicability. Every organization needs to first understand its unique operating context before defining its governance needs, risk management expectations, and strategies. The Govern function includes the following categories, the majority of which come from the Identify function of v1.1:

• Organizational Context
• Risk Management Strategy
• Roles, Responsibilities, and Authorities
• Policy
• Oversight
• Cybersecurity Supply Chain Risk Management (C-SCRM)

It’s interesting to see that managing supply chain security risk is considered so important that it gets its own governance category—a reflection both of the CSF’s roots in critical infrastructure security and of the growing dangers of supply chain attacks. Looking at recent security scares such as the xz-utils backdoor, prioritizing supply chain security as an integral part of governance is definitely a good idea for any organization.

To further underscore the expanded scope and applicability of the CSF, NIST clearly states:

The Functions, Categories, and Subcategories apply to all ICT used by an organization, including information technology (IT), the Internet of Things (IoT), and operational technology (OT). They also apply to all types of technology environments, including cloud, mobile, and artificial intelligence systems.

NIST resources to help apply the CSF in practice

The original NIST framework was more a formal guideline document than a practical guide. When using it for their own purposes outside its original scope, organizations would need to mix and match the high-level outcomes to suit their specific needs. They’d also have to interpret the abstract language in the context of their industry to arrive at the controls and actions to be implemented. In contrast, the CSF v2.0 provides a wealth of additional assets or (to quote NIST) “a suite of resources (documents and applications) that can be used individually, together, or in combination over time as cybersecurity needs change and capabilities evolve.”

Within the framework core itself, the subcategories (i.e. lowest-level items) now come with examples that illustrate how outcomes can be implemented in different situations. This makes the framework core far easier to read, adapt, and apply to your specific organization. New in version 2.0 are quick start guides covering various tools provided to help use the CSF in practice, including:

• Organizational profiles to create your current and target security profiles
• Community profiles submitted by organizations in various industries
• Four CSF tiers to define the desired rigor of cybersecurity risk governance (Partial, Risk Informed, Repeatable, Adaptive)
• A minimum cybersecurity governance guide for small businesses
• A guide to Cybersecurity Supply Chain Risk Management

Informative reference mapping resources are also provided to show how various frameworks and other documents map to other relevant NIST documents and guidelines. 

Getting familiar with the NIST cybersecurity framework 2.0

Compared to the previous version, CSF 2.0 is far more accessible and user-friendly, so anyone involved in cybersecurity would do well to visit the CSF resource center and get familiar with the available tools and resources. The interactive framework core CSF 2.0 reference tool is the best place to start seeing the structure of functions, categories, and subcategories, especially with the new examples giving some substance to the abstract formal definitions.

Every organization that has a cybersecurity program needs a framework to make sure there are no gaps in its security controls and policies—and its resulting cybersecurity posture. With all the changes introduced to make it more universal and easier to use, NIST CSF v2.0 should be at the top of every CISO’s bookmarks list, whether or not using it is mandatory for your organization’s cybersecurity compliance.

Frequently asked questions