NIST CSF 2.0 – Top 10 Things You Should Know

Published by Axio

This article was written by Brian Benestelli and John Fry

In the decade since the initial release of the Cybersecurity Framework (CSF), it has become one of the most widely used tools in the cybersecurity practitioner’s toolbox. Our team has developed a deep connection to the CSF. Axio team members have contributed to the development of both the initial version and each subsequent version of the CSF. We’ve also worked with many clients on cyber program evaluations and improvement efforts based on the CSF. In this blog post, we’ll walk through a short history of the CSF and share our top 10 items that we think you should know about CSF 2.0.

Background

The National Institute of Standards and Technology (NIST) was directed by the Obama administration—through Executive Order 13636—to develop the initial version of the CSF (originally titled the Framework for Improving Critical Infrastructure Cybersecurity). This executive order acknowledged that cyber attacks against critical infrastructure assets could result in grave impacts to national and economic security. The order directed agencies within the executive branch to improve information sharing between government and operators of critical infrastructure, develop the CSF, and establish programs to support the adoption of the CSF. The initial version of the CSF (CSF 1.0) was released in 2014 and an updated version (CSF 1.1) was released in 2018 that included updates to the CSF’s Categories and Subcategories, as well as supplemental information to aid organizations in self-assessment and implementation.

CSF 2.0 Development Process

Starting in 2022, NIST initiated an effort to develop CSF 2.0. Over the next two years, NIST held a series of public workshops and released preliminary documents for public review. These efforts culminated in the February 2024 release of CSF 2.0.

https://www.nist.gov/cyberframework/nists-journey-csf-20

How has CSF 2.0 changed?

CSF 2.0 is a significant update to the previous version, but users should view it as an evolutionary, not revolutionary, change. In general, the changes focus on reorganization, as opposed to major additions or modifications to existing material. The most noteworthy update is the addition of a new Function, Govern. Users will also notice changes to the cybersecurity outcomes at the Category and Subcategory levels within each of the CSF Functions. NIST has also expanded its suite of supplemental materials to aid users in adopting the CSF and is increasing the interoperability of the CSF with other frameworks and models through additional tools.

Top 10 Things You Should Know

We have compiled a list of the top 10 things we think you should know about CSF 2.0.

  1. Evolution not Revolution – While many changes have been made, the content of the CSF remains largely the same. CSF 2.0 reorganizes existing concepts, adds a few new ones, and broadens the pool of resources available for interpretation and implementation. Why it matters: Because outcomes have moved between Functions and Categories, reports built around the CSF 1.1 structure may show unexpected gaps when re-based on 2.0; that warrants an early warning to executives to prime them before reporting time.
  2. The Govern Function – The most significant architectural change to CSF was the addition of the Govern Function. The cybersecurity outcomes in the Function were largely pulled from the Identify and Protect Functions, but reorganization of these concepts into a Function is an explicit endorsement from NIST of the importance of executive leadership’s hands-on involvement in cybersecurity. Why it matters: The additional prominence given to the subject of governance by this change offers an opportunity for cybersecurity leaders to highlight potential additional program needs within their own organizations.
  3. Expansion of Supply Chain Risk Management – While the 2018 CSF 1.1 update increased emphasis on supply chain risk management, CSF 2.0 adds focus on the processes used to evaluate and manage third-party relationships. New concepts include due diligence before entering a relationship and performing specified actions when terminating one. Why it matters: As more vendors move their infrastructure to the cloud, their customers' data and dependencies move with it, sometimes without the customer realizing it. And, in general, supply chain issues are hard to solve because they expand the zone of trust, bringing in more parties, and more control environments, that may affect security.
  4. Implementation Examples – The Subcategories in the CSF are descriptive, as opposed to prescriptive, and may feel abstract to readers. To help address this, NIST added Implementation Examples for each Subcategory that describe exemplar activities an organization might perform to achieve the outcome. Why it matters: The Implementation Examples elaborate on the concepts described in the CSF and make implementation more approachable; note that they are illustrative, not a checklist of required activities.
  5. Program Improvement – CSF 2.0 adds an Improvement Category (ID.IM, in the Identify Function) that expands improvement efforts from just response and recovery plans to cyber program-wide improvements. Why it matters: These additions help rationalize the hours and budget leaders may need to analyze important sources of program improvement information such as lessons learned, the results of evaluations, and exercises.
  6. Expansion of the Respond and Recover Functions – CSF 2.0 includes additional concepts in the Respond and Recover Functions for consideration when developing cyber incident response plans. Why it matters: Response and Recovery capabilities are gaining more attention from regulators as a contributor to organizational resilience. Following the recent SEC cybersecurity disclosure rules, which highlight response and recovery, regulators in other industry verticals may adopt a similar stance.
  7. Community Profiles and Quick Start Guides – NIST has developed additional resources (beyond the CSF Functions, Categories, and Subcategories) to aid adoption of the CSF by organizations. Resources include guidance to help organizations build Community Profiles, which are documents that represent a “baseline of CSF outcomes that is created and published to address shared interests and goals among a number of organizations” and Quick Start Guides to help users with specific implementation objectives or considerations (e.g., integrating with enterprise risk management, implementing CSF Tiers). Why it matters: Similar to implementation examples, community profiles and quick start guides make usage of cyber frameworks more approachable and lessen the investment needed to achieve results from framework use.
  8. Consistent level of abstraction – The language in CSF 2.0 was updated to sit at a more consistent level of detail, that is, more descriptive and outcome-focused. Why it matters: The added consistency will improve interpretation and could better enable organizations to apply quantitative measurements in a way that is comparable across Subcategories and across the organization.
  9. Integration with other NIST tools – CSF 2.0 is accompanied by additional tools that highlight relationships between the CSF and other cybersecurity frameworks and models. Tools like the National Online Informative References (OLIR) Program and the Cybersecurity and Privacy Reference Tool (CPRT) allow users to submit mappings and leverage mappings developed by other community members, so the CSF’s Informative References can be updated dynamically rather than fixed in the published document. Why it matters: There is an ever-growing array of cybersecurity frameworks (regulatory and otherwise). Organizations are increasingly being pressured to adopt more than one to suit different use cases. Harmonization across frameworks will lower the administrative burden of operating in a multi-framework environment. Bonus tip: When selecting frameworks, consider whether each candidate model “plays well with others” as part of your selection criteria.
  10. Not just critical infrastructure – The CSF underwent a name change in CSF 2.0 from the “Framework for Improving Critical Infrastructure Cybersecurity” to the “Cybersecurity Framework”. Why it matters: This change acknowledges the widespread international use of—and need for—standardized cybersecurity frameworks like the CSF by all organizations, not just critical infrastructure operators.

If you’re interested in hearing more from our experts about CSF 2.0, check out this webinar where we discussed how to leverage this update to the CSF to supercharge your cyber program.

No matter what stage you’re at in your adoption of the NIST CSF, Axio can help. Our Axio360 platform enables you to evaluate the performance of your program in alignment with frameworks like the CSF, along with other popular frameworks and models like C2M2, CMMC, CIS18, and other custom frameworks. Additional features of the platform include aggregated reporting, target setting, and trending over time. We can also help you understand the cost of potential cyber risks and make the right investments in your cyber program.

Want to learn more? Schedule a meeting with one of our cyber risk experts.