NIST Cybersecurity Framework: What's new in v2.0

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.

On February 26, 2024, the US government agency National Institute of Standards and Technology (NIST) released a major update to its widely-adopted Cybersecurity Framework (CSF) – marking the transition from version 1.1 to 2.0.

What is the NIST Cybersecurity Framework?

NIST’s CSF was first published in 2014 after an executive order directed the agency to develop a cyber risk framework in response to growing digital applications. The voluntary framework provides a structured approach and guidelines for organizations to assess and strengthen cybersecurity defenses, regardless of business size, sector, or technical expertise. It also helps align cybersecurity activities with business requirements, risk tolerances, and resources by dividing activities and outcomes into five functions:

  • Identify: focuses on understanding and managing cybersecurity risks to systems, assets, data, and capabilities.
  • Protect: involves implementing safeguards to ensure the delivery of critical services while minimizing the impact of cybersecurity incidents.
  • Detect: aims to quickly identify cybersecurity events as they occur, facilitating timely responses.
  • Respond: involves taking appropriate actions to contain, mitigate, and recover from cybersecurity incidents.
  • Recover: focuses on restoring capabilities or services affected by cybersecurity incidents.

What’s new in CSF 2.0?

Since the release of v1.1 in 2018, the cybersecurity risk landscape has quickly advanced.

To reflect this rapid evolution, NIST’s v2.0 emphasizes the importance of integrating cybersecurity into organizational culture and decision-making processes to address new challenges, including:

  • Supply chain disruption and risks.
  • Growth of 5G and Internet of Things (IoT) devices.
  • Lack of skilled cybersecurity staff.

Version 2.0 provides more comprehensive guidance and flexibility for organizations. Some major changes include:

  • Added "Govern" function for cybersecurity strategy and policies. This is notable for elevating the importance of cyber risk governance.
  • Expanded guidance on supply chain risk management.
  • More guidance on measuring cybersecurity outcomes.
  • New templates for creating organizational profiles.
  • Better integration with broader organizational risk management.
  • Alignment with newer NIST publications on privacy, IoT, and cloud security.

What can organizations do?

Any organization currently using NIST’s CSF can review the v2.0 changes and updated framework core in depth. Businesses can then identify any gaps or improvements needed in existing CSF implementation and adjust cybersecurity policies, programs, and practices accordingly.

For new adopters, version 2.0 represents the most up-to-date set of standards to build a cyber risk management program on. NIST’s CSF v2.0 is a valuable resource for organizations seeking to enhance cybersecurity resilience and adapt to emerging threats.

Learn more from our digital trust experts in Strategically building breach resilience by Stephen Scott and Defending against AI’s dark side by Terry Minford.

Visit BSI’s Experts Corner for more insights from industry experts. Subscribe to our Experts Corner-2-Go LinkedIn newsletters for a roundup of the latest thought leadership content: Digital trustEHSsupply chain.

John Kociak

John Kociak, BSI Consulting, Senior Consultant specializing in Digital Trust delivers information management, risk advisory, consulting, and compliance services.