Understanding NIST Cybersecurity Framework 2.0

Written by: Elise Chan

Product Marketing Manager
Updated: March 05, 2025

Introduction to NIST CSF 2.0

The acronym NIST CSF has become synonymous with cybersecurity risk management since its initial release by the U.S. National Institute of Standards and Technology (NIST) in 2014. While the purpose and core functions of the NIST Cybersecurity Framework (NIST CSF) remain the same after more than ten years—to help organizations assess and improve their ability to identify, protect against, detect, respond to, and recover from cybersecurity risks—its components and popularity have evolved notably.

  • 2014 - NIST CSF is initially released for critical infrastructure organizations
  • 2017 - Federal agencies are mandated to implement the NIST CSF
  • 2018 - NIST CSF 1.1 is released to enhance supply chain risk management and self-assessment processes
  • 2019 - The framework had gained popularity in the private sector and internationally, with more than half a million downloads and translations available in 5 languages
  • 2024 - NIST CSF 2.0 is released to enhance cybersecurity governance practices, support continuous improvement, and increase applicability to all organization types

NIST is also known for publishing and maintaining the Special Publication 800-53 (NIST SP 800-53), a set of security and privacy controls for federal information systems. While these are two distinct frameworks, they are by no means mutually exclusive. NIST CSF provides the guidance and flexibility needed to assess, improve, and report on an organization’s cyber risk posture through a taxonomy of outcome-driven statements, gap analyses, and standardized implementation tiers, while NIST SP 800-53 drills down into selecting, implementing, and assessing specific security and privacy controls. NIST’s crosswalk documentation is a helpful resource when it comes to identifying ideal controls that support each outcome statement.

Latest Updates on the NIST Cybersecurity Framework

Almost exactly a decade after the original publication of NIST CSF, version 2.0 was released with the primary goal of improving the applicability of this cybersecurity framework to all audiences, industry sectors, and organization types. Perhaps most notably, NIST also released a suite of resources to simplify the way organizations implement the CSF alongside the following landmark revisions:

  • The Respond function has become more targeted, now mapping to more specific incident response outcomes. 
  • NIST CSF 2.0 now has 6 Core Functions, with the addition of Govern to the well-known group of Identify, Protect, Detect, Respond, and Recover. Here we also find an increased focus on cybersecurity supply chain risk management.
  • The Identify Function has been expanded to include an Improvement Category, focusing on cybersecurity assessments.
  • Many outcome statements have been revised and include implementation examples to make the framework more action-oriented and to help position NIST CSF 2.0 as industry-agnostic.

Changes to the NIST Cybersecurity Framework Core Functions

The NIST CSF Core Functions, otherwise known as the Five Pillars, are the highest level of outcomes addressed by the framework and are essential to managing cybersecurity risk. Each Function is broken down into Categories and Subcategories, where specific outcome-based statements are provided. NIST CSF 2.0 introduced a sixth function, Govern, to the original Identify, Protect, Detect, Respond, and Recover Functions.

Role of the Govern Function

The Govern Function focuses on establishing, communicating, and monitoring an organization’s cybersecurity risk management strategy, expectations, and policy. A key result includes the integration of cybersecurity into broader enterprise risk management practices, helping IT and cybersecurity leaders increase organizational engagement, risk ownership, and overall program support. Specific categories within the Govern Function address:

  • Organizational Context - Going beyond traditional asset identification and adding an additional layer of context based on the organization’s mission, stakeholder expectations, regulatory requirements, and additional attributes.
  • Risk Management Strategy - Supporting operational risk decision making through an established risk management strategy that defines an organization’s priorities, risk tolerance, and cadence for communicating cybersecurity posture at the executive level.
  • Roles, Responsibilities, and Authorities - Fostering accountability, performance assessment, and continuous improvement through clear roles.
  • Policy - Going beyond policy creation to ensure ongoing review and revisions that reflect changes in the regulatory, technology, and threat landscapes.
  • Oversight - Reviewing and adjusting the cybersecurity risk management strategy as needed to address risk and compliance requirements.
  • Cybersecurity Supply Chain Risk Management - Expanding cybersecurity risk management to suppliers and partners and establishing cross-functional alignment between functions that contribute to cybersecurity supply chain risk management.

Implementing NIST CSF 2.0 - Guidance for Organizations of All Sizes

Feedback gathered on previous versions of the NIST CSF uncovered common challenges surrounding the complexity of implementing the framework. NIST recognizes that the implementation of its CSF will vary from organization to organization. It explicitly states that “the CSF does not embrace a one-size-fits-all approach” to account for unique risk landscapes, varying risk appetites, and overarching missions. This leaves NIST with the unique challenge of supporting a diverse set of teams on their CSF implementation journey.

The following resources were developed as part of NIST CSF 2.0 to support organizations of all sizes, providing a variety of pathways into the CSF with the goal of making the framework easier to put into action.

CSF 2.0 Reference Tool: Easily browse, search and export data from the CSF Core in a human-readable format.

Informative Catalog: Map activities from 50+ cybersecurity documents, like CIS Controls and ISO 27001, to the CSF. This can help identify existing controls within an organization that support NIST CSF outcome statements to avoid redundancies and limit the scope of work required to implement the framework.

Implementation Examples: Gain additional context and examples of actions needed to achieve the outcomes of each Subcategory. Within the Govern Function, for example, Subcategory GV.OC-01 (“The organizational mission is understood and informs cybersecurity risk management”) has the implementation example Ex1: “Share the organization’s mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission.”

Quick-Start Guides (QSGs): Learn more about CSF-specific topics in an easily digestible format to identify actionable first steps. The current library of NIST CSF QSGs includes: CSF 2.0 Overview, Organizational Profiles, Community Profiles, Small Business, Cybersecurity SCRM, Tiers, and Enterprise Risk Management.

Determining NIST CSF 2.0 Priorities: The Impact of Organizational Objectives and Regulatory Requirements

NIST recognizes that the applicability and priority for each CSF outcome will vary from organization to organization. This is done intentionally to address the unique needs of each organization’s industry, risk and regulatory landscapes, mission, and countless other variables. The framework is meant to be a guide, not a prescription, which can make its implementation feel unstructured and unclear. This is why the NIST CSF includes the concept of Organizational Profiles and Tiers. Teams can now use the Quick-Start Guides mentioned above to effectively understand these concepts and put them into practice.

CSF Organizational Profiles: The end goal of an Organizational Profile is to close the gap between existing cybersecurity risk management practices and targeted outcomes. This is done by identifying applicable outcomes, documenting and assessing existing related practices, and outlining future goals. Once gaps between the current Organizational Profile and the Target Profile are identified, corrective actions can be documented and implemented.

It’s not uncommon for various business units and entities to have different target outcomes, which is why NIST recommends creating multiple Profiles as needed. For example, a financial institution may have separate profiles for retail banking, investment banking, and insurance services. Each business line faces different cybersecurity risks, regulatory compliance requirements, and operational priorities—separate profiles ensure alignment without overburdening other units. Another common example would be new business acquisition, where cybersecurity practices may differ significantly from the existing organization. Separate profiles allow for a phased approach to integrating the acquired organization’s cybersecurity strategies into the parent company’s.

CSF Tiers: While not required for the successful creation of Organizational Profiles and the implementation of the NIST CSF, Tiers can be a helpful guide that informs cybersecurity risk governance and management methodologies. The CSF includes four tiers that represent the progression from “informal, ad hoc responses to approaches that are agile, risk-informed, and continuously improving.” Tiering does not need to be done, and is not recommended, at the Subcategory level. Ideally, organizational leadership sets the standard by selecting the target tier for each CSF Function based on overarching goals, feasibility, and critical assets. The selected tier can then be recorded as a column within the Organizational and Target Profile documentation.

The Impact of NIST CSF on Enterprise Risk Management

Rather than living in a silo, cybersecurity risk management should be part of a holistic enterprise risk management program. NIST CSF 2.0 and the incorporation of the Govern Function directly connect cybersecurity risks and their impact to the information and communications technology (ICT) on which the organization relies to deliver its mission. This top-down and bottom-up relationship between system-level risk registers and the overarching enterprise risk management strategy creates the opportunity for improved visibility and continuous improvement. The framework specifically aims to:

  • Ensure executive leadership and boards are engaged by emphasizing that cybersecurity risk is a business risk.
  • Embed cybersecurity and third-party risks into the organization's overall risk framework.
  • Prioritize security measures based on the potential impact on business operations.
  • Encourage continuous risk assessment and integration with real-time monitoring tools to adapt to emerging risks.
  • Help organizations adjust cybersecurity policies dynamically based on business needs.

Actionable Next Steps - Progress Over Perfection

If you’re new to NIST CSF, getting started may feel like the biggest hurdle. Don’t let perfection be the enemy of progress, but you have to start somewhere. Read through each Quick-Start Guide, then familiarize yourself with NIST’s Organizational Profile template to solidify your foundational knowledge. It may even be helpful to experiment with NIST’s template by adding your own data points, such as implementation examples and cross-mapped NIST SP 800-53 controls.

If you’re looking to simplify the implementation of NIST CSF at your organization and connect your Organizational Profile back to broader cyber risk and enterprise risk management programs, book a demo of Risk Cloud today.