Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Travel Update! The NIST CSF 2.0 is HERE…Along with Many Helpful Resources…

An image of a road with different NIST CSF resources labeled along the path
Credit: Natasha Hanacek, NIST

The NIST Cybersecurity Framework (CSF) development process all started with Executive Order (EO)13636 over a decade ago, which called for building a set of approaches (a framework) for reducing risks to critical infrastructure. Through this EO, NIST was tasked with developing a "Cybersecurity Framework." We knew that, to do this the right way, NIST would need to work alongside industry, academia, and other government agencies. This is exactly what we did—and have been doing over the past 10 years—as the CSF became more popular around the globe.

We also knew that the CSF needed to be a living document that should be refined, improved, and evolve over time. To address current and future cybersecurity challenges and improvements, NIST set out on the journey of developing the CSF 2.0. Along the way, NIST has solicited input via formal Requests for Information, workshops and smaller meetings, suggestions from users and non-users alike, and draft documents for public comment. This all resulted in CSF Versions 1.0 and 1.1 and, most recently, a draft of CSF 2.0.

What Organizations Should Know About NIST’s CSF 2.0…and Related Resources
 
The CSF 2.0, along with NIST’s supplementary resources, can be used by organizations to understand, assess, prioritize, and communicate cybersecurity risks. It is particularly useful for fostering internal and external communication at all levels (including across internal teams, from the C-Suite through middle management—and to those carrying out daily cybersecurity responsibilities). The CSF also seeks to improve communication with suppliers and partners and is intended to help organizations integrate cybersecurity-related issues with broader enterprise risk management strategies. 

The CSF 2.0 is organized by six Functions — Govern, Identify, Protect, Detect, Respond, and Recover. Together, these Functions provide a comprehensive view for managing cybersecurity risk. The Framework is also comprised of the following:

CSF Core  A taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. This can be found in Appendix A in the CSF 2.0 (and the Core can be browsed via the CSF 2.0 Reference Tool).

CSF Organizational Profiles— A mechanism for describing an organization’s current and/or target cybersecurity posture in terms of the CSF Core’s outcomes.

CSF Tiers — An approach that can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk management practices. Today’s big news is not just about one singular document; it is about a suite of resources (documents and applications) that can be used individually, together, or in combination over time as cybersecurity needs change and capabilities evolve. The materials are designed to reach all audiences and to span across industries and organization types.

The CSF 2.0 improves on prior versions; we listened to your feedback, made key updates, developed new resources and tools, and adjusted our guidance based on today’s cybersecurity environment

  • By offering practical and actionable suggestions, NIST’s resources—especially the set of Quick Start Guides we are sharing today (and the ones we add later in the future)—can help organizations immediately improve their cybersecurity posture because they focus on how the CSF can be implemented. 
  • To better integrate related resources, NIST’s mapping solution demonstrates how users can move quickly from CSF outcome statements to better cybersecurity in practice. 
  • New implementation examples enables users to review action-oriented steps to help them get started (or keep going).

Explore the Resources!

Now that the big release day is finally here, we hope organizations (and those who guide or carry out cybersecurity strategies) will find the CSF 2.0 suite of documents and tools to be difference makers in managing and reducing cybersecurity risks. 

NIST continues to encourage candid, constructive discussions and other engagements about organizations’ experiences with the CSF. Remember, cybersecurity risk management is always a journey – and the CSF 2.0 is a navigational guide that can help make that journey more successful. 

Comments, questions, or feedback? Email us at cyberframework [at] nist.gov (cyberframework[at]nist[dot]gov)! You can also follow us on X via @NISTcyber to stay updated as we make more pitstops along the way.

About the author

Kevin Stine

Mr. Kevin Stine is the Chief of the Applied Cybersecurity Division in the National Institute of Standards and Technology’s Information Technology Laboratory (ITL). He is also NIST's Acting Chief Cybersecurity Advisor and Acting Associate Director for Cybersecurity in NIST's ITL. In these roles, he leads NIST collaborations with industry, academia, and government to improve cybersecurity and privacy risk management through the effective application of standards, best practices, and technologies. The Applied Cybersecurity Division develops cybersecurity and privacy guidelines, tools, and reference architectures in diverse areas such as public safety communications; health information technology; smart grid, cyber physical, and industrial control systems; and programs focused on outreach to small businesses and federal agencies. The Division is home to several priority programs including the National Cybersecurity Center of Excellence, Cybersecurity Framework, Cybersecurity for IoT, Identity and Access Management, Privacy Engineering and Risk Management, and the National Initiative for Cybersecurity Education. 

Related posts

Comments

Add new comment

CAPTCHA
Image CAPTCHA
Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.