NIST CSF 2.0: The world’s favorite cybersecurity framework comes of age

The NIST CSF 2.0 is a long-awaited update to the NIST cybersecurity framework, bringing the document in line with the realities of modern information security. Reorganized and expanded to apply to all types and sizes of organizations, the CSF now also comes with examples and extra resources to aid implementation.

NIST CSF 2.0: The world’s favorite cybersecurity framework comes of age

The NIST cybersecurity framework has been a go-to resource for defining cybersecurity strategies, policies, and activities ever since version 1.0 was published back in 2014. Originally intended specifically for US companies operating critical infrastructure, it soon gained popularity across all industries and is used by CISOs worldwide. February 2024 saw the launch of version 2.0 of the framework, renamed and restructured to bring it in line with real-life usage and modern cybersecurity challenges. Just as importantly, the NIST CSF 2.0 comes with practical implementation examples, quick start guides, and extensible community profiles for specific industries and use cases.

A brief history of the CSF

The original Framework for Improving Critical Infrastructure Cybersecurity was published in 2014 by NIST (The National Institute of Standards and Technology) in response to an Obama administration executive order calling for a standardized cybersecurity framework to help structure efforts around securing critical infrastructure. Originally intended to guide organizations managing critical infrastructure services in the US private sector, the framework proved popular with organizations of all sizes worldwide. Later updated to version 1.1, the document became informally known as simply the NIST cybersecurity framework.

In the wake of mounting supply-chain attacks a decade later, notably against SolarWinds and Colonial Pipeline, the Biden administration issued its own executive order on cybersecurity. Among its many provisions, the order also once again obligated NIST to prepare and issue suitable guidance. Two years later, in October 2023, NIST released a public draft of version 2.0 of its framework, followed by the final document in February 2024 that included enhancements based on community feedback. 

Now officially renamed the Cybersecurity Framework (CSF), the current document is intended to “…reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well.” Let’s take a look at the changes made to the framework itself and its accompanying resources in an effort to expand its usefulness far beyond the originally intended scope.

Changes in version 2.0 compared to CSF 1.1

The most obvious change to the framework core is that while v1.1 divided cybersecurity efforts into five core functions, version 2.0 has six: Govern, Identify, Protect, Detect, Respond, and Recover. The Govern function is the newcomer, mostly incorporating existing outcomes (subcategories) pulled from other functions. This new high-level home for governance functions highlights the importance of top-down planning and oversight in ever more complex environments.

The new Govern function also reflects the focus of the document, expanding beyond only protecting critical infrastructure and towards wider applicability. Every organization needs to first understand its unique operating context before defining its governance needs, risk management expectations, and strategies. The Govern function includes the following categories, the majority of which come from the Identify function of v1.1:

  • Organizational Context
  • Risk Management Strategy
  • Roles, Responsibilities, and Authorities
  • Policy
  • Oversight
  • Cybersecurity Supply Chain Risk Management (C-SCRM)

It’s interesting to see that managing supply chain security risk is considered so important that it gets its own governance category—a reflection both of the CSF’s roots in critical infrastructure security and of the growing dangers of supply chain attacks. Looking at recent security scares such as the xz-utils backdoor, prioritizing supply chain security as an integral part of governance is definitely a good idea for any organization.

To further underscore the expanded scope and applicability of the CSF, NIST clearly states:

The Functions, Categories, and Subcategories apply to all ICT used by an organization, including information technology (IT), the Internet of Things (IoT), and operational technology (OT). They also apply to all types of technology environments, including cloud, mobile, and artificial intelligence systems.

NIST resources to help apply the CSF in practice

The original NIST framework was more a formal guideline document than a practical guide. When using it for their own purposes outside its original scope, organizations would need to mix and match the high-level outcomes to suit their specific needs. They’d also have to interpret the abstract language in the context of their industry to arrive at the controls and actions to be implemented. In contrast, the CSF v2.0 provides a wealth of additional assets or (to quote NIST) “a suite of resources (documents and applications) that can be used individually, together, or in combination over time as cybersecurity needs change and capabilities evolve.”

Within the framework core itself, the subcategories (i.e. lowest-level items) now come with examples that illustrate how outcomes can be implemented in different situations. This makes the framework core far easier to read, adapt, and apply to your specific organization. New in version 2.0 are quick start guides covering various tools provided to help use the CSF in practice, including:

Informative reference mapping resources are also provided to show how various frameworks and other documents map to other relevant NIST documents and guidelines. 

Getting familiar with the NIST cybersecurity framework 2.0

Compared to the previous version, CSF 2.0 is far more accessible and user-friendly, so anyone involved in cybersecurity would do well to visit the CSF resource center and get familiar with the available tools and resources. The interactive framework core CSF 2.0 reference tool is the best place to start seeing the structure of functions, categories, and subcategories, especially with the new examples giving some substance to the abstract formal definitions.

Every organization that has a cybersecurity program needs a framework to make sure there are no gaps in its security controls and policies—and its resulting cybersecurity posture. With all the changes introduced to make it more universal and easier to use, NIST CSF v2.0 should be at the top of every CISO’s bookmarks list, whether or not using it is mandatory for your organization’s cybersecurity compliance.

Frequently asked questions

What is the NIST Cybersecurity Framework?

Currently called the NIST CSF 2.0, the NIST Cybersecurity Framework is a guidance document that helps organizations from all industries and sectors to manage cybersecurity risks. The latest version adds a wealth of additional resources and practical examples to the core framework document.
 
Read about applying a cybersecurity framework to web application security.

Why do organizations need to use a cybersecurity framework?

By design, a cybersecurity framework helps to consider every possible aspect of systems and data security when planning and implementing security policies and controls. Following a structured framework helps to minimize the risk of security gaps and vulnerabilities that could lead to data breaches and other incidents if exploited.
 
Read about high-profile data breaches and the lessons to learn from them.

Who can use the NIST CSF?

The updated NIST CSF is intended as a resource for organizations of all sizes regardless of industry or location. As with the previous version, organizations can mix and match the security functions and categories to apply them in various scenarios, from full-scale enterprise risk management to a basic cybersecurity program for a small or medium business.
 
Read about five steps to improve your cybersecurity posture.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.