NIST Cybersecurity Framework 2.0
NIST’s Cybersecurity Framework 2.0 adds a Govern function, updated categories, and new implementation tools, pressing security leaders to realign policies, control testing, and board oversight with the expanded guidance released on 26 February 2024.
NIST released Cybersecurity Framework (CSF) 2.0 on 26 February 2024, delivering the first major overhaul of the United States’ flagship cyber governance playbook since 2018. The update introduces a new Govern function, refreshes all categories and subcategories, and expands guidance for small businesses, critical infrastructure, and supply chain partners. Security, risk, and technology leaders now have to recalibrate policies, control libraries, and oversight cadences so CSF 2.0 becomes the backbone of cyber resilience programs, aligns with executive orders, and satisfies examiner expectations.
What changed in CSF 2.0
CSF 2.0 retains the five core functions—Identify, Protect, Detect, Respond, Recover—and adds Govern as a foundational layer that underscores organizational context, risk management strategy, and cybersecurity supply chain risk management (C-SCRM). Across the 108 subcategories, NIST updated language to emphasize outcomes instead of prescriptive controls, mapped references to more than 50 standards (including ISO/IEC 27001:2022, CIS Controls v8, NIST SP 800-53 Rev. 5, and NIST SP 800-161 Rev. 1), and integrated cross-references to complementary frameworks such as the NIST AI Risk Management Framework and Privacy Framework. The revision also clarifies that CSF is applicable to any sector and organizational size, not just critical infrastructure.
Govern function highlights
The Govern function contains six categories: Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Cybersecurity Supply Chain Risk Management (GV.SC), Roles, Responsibilities, and Authorities (GV.RR), Policy (GV.PO), and Oversight (GV.OV). It emphasizes establishing risk appetites, defining decision rights, integrating cyber into enterprise risk management, and ensuring leadership accountability.
Organizations must inventory legal, regulatory, and contractual obligations; maintain updated stakeholder maps; and align cybersecurity priorities with business objectives. Governance bodies should document reporting cadences to boards, risk committees, and regulators while ensuring that third-party dependencies receive consistent oversight.
Profiles, tiers, and Implementation Examples
NIST introduced Implementation Examples that accompany each subcategory, giving organizations concrete tactics. For example, PR.AA-03 (identity authentication) highlights passwordless technologies and phishing-resistant MFA.
The agency also refreshed Profiles that illustrate CSF usage in sectors such as manufacturing, water utilities, and small businesses. Organizations can use the CSF 2.0 Reference Tool and Excel workbooks to tailor target profiles, compare current-state maturity, and align with the new CSF Tiers, which now span Partial, Risk Informed, Repeatable, and Adaptive. Each tier integrates Govern practices; for instance, a Tier 3 (Repeatable) organization must establish enterprise-wide risk-informed policies with documented supply chain expectations.
Regulatory and policy alignment
Federal directives now require alignment to NIST CSF. The Securities and Exchange Commission’s Form 8-K cyber incident disclosure rule, the Federal Trade Commission’s Safeguards Rule updates, and the Cybersecurity and Infrastructure Security Agency’s (CISA) proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule all reference NIST artifacts for good practices.
Executive Order 14028 and OMB Memorandum M-22-09 direct federal agencies and suppliers to implement NIST guidance, while sector-specific regulators—from the Federal Energy Regulatory Commission to the Office of the Comptroller of the Currency—expect financial institutions and energy operators to benchmark against CSF. Updating to version 2.0 positions organizations to show compliance during examinations.
Program management checkpoints
Program managers should begin with a gap assessment. Map existing policies, standards, and control libraries to the updated categories and subcategories, noting where CSF 1.1 mappings no longer align. Pay particular attention to new outcomes in the Govern function, including requirements to document risk tolerance statements, integrate cyber into merger and acquisition due diligence, and assign accountable roles for supply chain monitoring. Update charters for cyber risk committees, ensure board materials reflect new governance expectations, and verify that third-party risk questionnaires and contract clauses capture CSF 2.0 obligations.
Risk and threat integration
CSF 2.0 stresses that threat intelligence, vulnerability management, and consequence analysis must connect to decision-making. The Identify function now includes ID.IM-01 through ID.IM-04 (improvement management), which require organizations to incorporate lessons learned from incidents, exercises, and tests into program updates. Detect and Respond categories emphasize the need for continuous monitoring, adversary emulation, and coordinated playbooks. Organizations should integrate MITRE ATT&CK techniques, the CISA Known Exploited Vulnerabilities (KEV) catalog, and sector-specific advisories into risk registers and detection pipelines.
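The KEV-to-risk-register integration described above, as an added example that is not part of the original article or any NIST or CISA tooling: it joins a constructed extract shaped like CISA's KEV catalog JSON with a constructed vulnerability-scanner export, prioritizes each finding from the KEV due date, the ransomware-use flag, and the asset criticality recorded under ID.AM, and derives the overdue KPI a governance dashboard would track. The KEV field names follow the public catalog JSON; every CVE ID, host, and date is a placeholder.

```python
"""Join a CISA KEV catalog extract with a vulnerability-scan export to produce
risk-register rows and a due-date KPI. Added illustration, not NIST or CISA code;
KEV field names follow the public catalog JSON, all IDs, hosts and dates are constructed."""
from datetime import date

# Constructed excerpt in the shape of the KEV JSON "vulnerabilities" array (subset of fields).
KEV = [
    {"cveID": "CVE-0000-0001", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dueDate": "2024-03-02", "knownRansomwareCampaignUse": "Unknown"},
]
# Constructed scanner export; critical_asset comes from the ID.AM asset inventory tagging.
SCAN = [
    {"host": "vpn-edge-01", "cve": "CVE-0000-0001", "critical_asset": True},
    {"host": "intranet-02", "cve": "CVE-0000-0002", "critical_asset": False},
    {"host": "intranet-02", "cve": "CVE-0000-0003", "critical_asset": False},  # not in KEV
]


def build_register(kev, scan, today_iso):
    """Return risk-register rows for scan findings listed in KEV, most urgent first."""
    today = date.fromisoformat(today_iso)
    by_cve = {v["cveID"]: v for v in kev}
    rows = []
    for finding in scan:
        entry = by_cve.get(finding["cve"])
        if entry is None:  # not known-exploited: falls under the normal patching SLA
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        ransomware = entry["knownRansomwareCampaignUse"] == "Known"
        # Past the KEV due date, or ransomware-used on a critical asset, is top priority.
        if days_left < 0 or (finding["critical_asset"] and ransomware):
            priority = "P1"
        elif finding["critical_asset"] or ransomware:
            priority = "P2"
        else:
            priority = "P3"
        rows.append({"host": finding["host"], "cve": finding["cve"], "due": entry["dueDate"],
                     "days_to_due": days_left, "overdue": days_left < 0, "priority": priority})
    return sorted(rows, key=lambda r: (r["priority"], r["days_to_due"]))


def kev_kpis(rows):
    """KPI summary a governance dashboard would carry: open, overdue and P1 KEV findings."""
    return {"open": len(rows),
            "overdue": sum(1 for r in rows if r["overdue"]),
            "p1": sum(1 for r in rows if r["priority"] == "P1")}
```

Feeding the real catalog is a matter of loading its `vulnerabilities` array in place of the constructed `KEV` list; the register rows can then be exported to whatever risk-register or ticketing system the organization uses.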
Supply chain and third-party governance
NIST expanded supply chain coverage beyond procurement. GV.SC, ID.SC, PR.SD (secure development), and RS.MI (response improvements) collectively require organizations to identify critical suppliers, evaluate the cybersecurity posture of upstream and downstream partners, and include contract clauses addressing security requirements, incident reporting, and vulnerability disclosure.
Manufacturers and software publishers must align with secure development practices referenced in NIST SP 800-218 (Secure Software Development Framework) and maintain software bills of materials (SBOMs). Organizations should establish supplier tiering models, define minimum security expectations, perform due diligence before onboarding, and schedule periodic reassessments that incorporate independent attestations (such as SOC 2 Type II) or on-site inspections.
Integration with privacy and AI governance
CSF 2.0 explicitly points to the NIST Privacy Framework and AI RMF. Privacy and cyber teams should harmonize data inventories, incident response plans, and impact assessments. AI development teams must integrate cybersecurity controls when deploying machine learning models, including supply chain vetting for training data, securing MLOps pipelines, and monitoring model drift.
Governance committees should align risk metrics across cybersecurity, privacy, and AI, ensuring that board dashboards cover resilience indicators, breach response times, and model incident logs. This convergence supports compliance with EU GDPR, U.S. state privacy laws, and emerging AI legislation such as the EU AI Act and Colorado AI Act.
Operationalizing CSF 2.0
Implementation requires layered execution. Security architecture teams should update reference architectures to incorporate zero trust principles aligned with NIST SP 800-207. Identity teams must adopt phishing-resistant MFA, privilege management, and continuous authentication per PR.AC (Access Control).
Infrastructure and cloud operations should implement automated configuration baselines, infrastructure-as-code scanning, and runtime telemetry that feed into detect-and-respond workflows. Application security teams need to integrate software composition analysis, dynamic application security testing, and secure coding standards into CI/CD pipelines. Incident response teams should rehearse playbooks that tie to RS.PO (Response Planning) and update crisis communications, legal escalation, and regulatory reporting steps.
Metrics and assurance
Governance bodies demand evidence that CSF 2.0 controls work. Organizations should establish key risk indicators (KRIs) and key performance indicators (KPIs) for each function.
Examples include percentage of critical assets with up-to-date inventories (ID.AM), mean time to detect and respond to incidents (DE.DP, RS.MI), number of critical suppliers with current assessments (GV.SC, ID.SC), and completion rates for security awareness training (PR.AT). Internal audit should refresh audit programs to align with the new subcategories, using sampling techniques, walkthroughs, and penetration tests to validate control effectiveness. Where regulators or customers require attestations, organizations can reference CSF 2.0 mappings when producing SOC reports or ISO certifications.
Small business and sector-specific guidance
NIST released Quick Start Guides for small businesses, supply chains, enterprise risk managers, and organizations at different maturity levels. Small entities can use simplified checklists that focus on foundational actions such as asset inventories, patch management, and backup validation.
Critical infrastructure operators should consult the Manufacturing Profile and the Cybersecurity Framework Manufacturing Profile Update to align operational technology (OT) controls with CSF outcomes, bridging to NIST SP 800-82 Rev. 3 for ICS security. Healthcare organizations can map CSF categories to the Health Industry Cybersecurity Practices (HICP) playbooks, while financial institutions can align with FFIEC Cybersecurity Assessment Tool domains.
Roadmap for 2024 and beyond
NIST plans to maintain CSF 2.0 as a living resource, updating the online reference tool with additional profiles, informative references, and success stories. Organizations should monitor the NIST Cybersecurity Framework portal for updates, webinars, and community of interest meetings.
They should also expect regulators to update guidance: CISA’s planned CSF 2.0 implementation guide for state, local, tribal, and territorial governments; the Department of Energy’s alignment materials for the Electricity Subsector Cybersecurity Capability Maturity Model; and potential linkage to forthcoming SEC rulemakings on cyber risk management. Maintaining a change log and assigning owners to track NIST updates will help organizations stay current.