NIST Releases Cybersecurity Framework 2.0 — February 26, 2024

Executive briefing: On 26 February 2024 the National Institute of Standards and Technology (NIST) published Version 2.0 of the Cybersecurity Framework (CSF), the first major revision since 2014. CSF 2.0 introduces a new Govern function, expands supply-chain and third-party risk coverage, and provides implementation profiles and quick-start guides tailored to small and medium-sized entities.

Key updates

• Govern function. Establishes outcomes for cyber risk strategy, policy, roles, and oversight to ensure executive accountability.
• Supply-chain emphasis. Reinforces risk management expectations for suppliers and technology providers, aligning with recent federal directives.
• Implementation resources. Adds CSF 2.0 Reference Tool, Informative References, and Community Profiles to accelerate adoption across sectors.

Control alignment guidance

• CSF 2.0 Profiles. Map existing security programmes to the new functions and categories, identifying gaps in governance, incident response, and supply-chain management.
• NICE Workforce Framework. Use CSF outcomes to prioritise workforce development initiatives aligned with the Govern and Protect functions.
• ISO/IEC 27001 integration. Update control crosswalks to reflect revised CSF categories and informative references.

Operational recommendations

• Refresh board reporting to incorporate the Govern function outcomes and demonstrate accountability for cyber risk strategy.
• Reassess supplier onboarding and monitoring processes against the updated supply-chain outcomes.
• Leverage NIST’s implementation examples and quick-start guides to tailor CSF 2.0 adoption for business units with varying maturity.

Related briefings

Curated signals from the same pillar or overlapping topics.

Cybersecurity · Credibility 90/100 · November 17, 2023

NIST Issues SP 800-171 Rev. 3 Final Public Draft — November 17, 2023

The draft updates controlled unclassified information protections with supply chain, logging, and continuous monitoring requirements.

Cybersecurity · Credibility 92/100 · June 13, 2024

NIST Finalizes SP 800-82 Revision 3 for OT Cybersecurity — June 13, 2024

NIST’s updated guide for industrial control systems expands zero-trust, supply chain, and ransomware defenses for operators.

Cybersecurity · Credibility 90/100 · August 8, 2023

Cybersecurity Briefing — NIST Releases Cybersecurity Framework 2.0 Public Draft

On 8 August 2023, NIST released the first full public draft of the Cybersecurity Framework 2.0 for public comment, expanding the framework beyond critical infrastructure, introducing a Govern function for roles and…

Cybersecurity · Credibility 90/100 · December 11, 2024

Cybersecurity Threat Intelligence Briefing — December 11, 2024

ENISA's Threat Landscape 2024 report details ransomware dominance, hacktivist campaigns, and supply chain weak points European defenders must fold into 2025 planning.

Cybersecurity · Credibility 94/100 · December 27, 2022

EU NIS2 Directive Published in Official Journal — December 27, 2022

Directive (EU) 2022/2555 (NIS2) is now in force, giving organisations until October 2024 to implement stronger cyber risk management, supply-chain controls, and staged incident reporting across essential and important…

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook — Zeph Tech

  Use Zeph Tech research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.