NIST Cybersecurity Framework Version 2.0: What Are the Main Changes?

The National Institute of Standards and Technology (NIST) originally developed the Cybersecurity Framework (CSF) v1.1 for improving critical infrastructure cyber security in the US private sector. However, it became widely used by public and private organisations of all sizes and geographic locations.

The publication of NIST CSF v2.0 reflects the need for organisations in critical sectors to adapt to the rapidly changing cyber security landscape, and to make the framework more accessible and applicable to a wider range of organisations.

Overview of the Changes

NIST CSF v2.0 introduces significant updates that enhance its clarity and usability. The framework retains its original five functions - Identify, Protect, Detect, Respond, Recover – while reorganising and consolidating categories and subcategories to streamline its structure.

This updated version aims to better align the framework with its expanded objectives and to provide clarity for organisations to improve their cyber security posture. A key addition in CSF 2.0 is the Govern function, designed to embed cyber security into organisational governance, emphasise its strategic importance, and ensure engagement by senior leadership.

The introduction of the Govern function, along with the restructuring of categories and subcategories, reflects the framework’s adaptability to evolving organisational needs and cyber security challenges.

The new structure of the NIST CSF v2.0 from v1.1 shown in the figure below.

The Importance and Necessity of the Govern Function

The Govern function is a pivotal addition to CSF v2.0, emphasising the strategic importance of cyber security within organisational governance. This function encourages senior leaders to integrate cyber security into their strategic decision-making processes, alongside other critical enterprise risks. With this in mind, the Govern function challenges organisations to answer difficult questions at that strategic level, such as:

• How well does your current cyber security strategy align with your overall business objectives?
• Are you confident that your cyber security investments are directly contributing to your business goals and risk management priorities?
• Can the executive leadership articulate the organisation's cyber security risk management strategy?
• Do you have a clear understanding of your organisation's most critical cybersecurity risks? If so, how do you prioritise and address these risks in alignment with your business risk appetite?
• Are you confident that your organisation allocates sufficient and appropriate resources (budget, personnel, technology) to manage cyber security risks effectively?
• How often do you engage with external experts to benchmark your cyber security practices against industry standards and best practices?

The emphasis on Govern is mirrored globally by standards and legislation. Worldwide, there is growing appreciation of the fact that for cyber security initiatives to be successful, governance must be discussed and backed at the highest level of the business. This narrative is also evident in the UK and US respective National Cyber Strategies, Digital Operational Resilience Act (DORA), Network and Information Systems 2 (NIS2) , and the Security and Exchanges Committee (SEC) Cybersecurity Requirements.

Implementation Examples

CSF 2.0 introduces practical implementation examples that provide organisations with actionable guidance on applying the framework’s principles. These examples are designed to help organisations, especially those with limited resources or cyber security expertise, translate the CSF’s broad principles into concrete actions. 

For example, the framework offers examples of how an organisation can implement the Identify function by developing an asset management policy, creating an inventory of assets and establishing roles and responsibilities. Similarly, for the Protect function, the framework suggests implementing access control policies, conducting security awareness training, and deploying protective technologies such as firewalls and intrusion detection systems.

By providing tangible implementation examples, the CSF 2.0’s improved usability not only makes the framework more approachable, but also promotes broader adoption across various industries, enhancing the overall cyber security posture of a diverse array of organisations. By supporting organisations how to implement the CSF v2.0 effectively, organisations are supported in their compliance obligations, whilst also being able to identify areas for cybersecurity enhancements, thus supporting practical management of cybersecurity risks.

• Cyber Security and Privacy Reference Tool (CPRT): An interactive online tool that allows users to explore CSF 2.0's core elements and implementation examples, available in user-friendly and machine-readable formats, with search and export capabilities.
• CSF 2.0 Informative References: Guides that illustrate methods to achieve the core outcomes of CSF 2.0, linking theory with practical implementation steps.
• CSF 2.0 Organisational Profiles: Templates that support the comparison of an organisation's current cyber security state against its target goals, aiding in gap analysis and strategic planning.
• National Online Informative References (OLIR): Searchable online database of cyber security and data privacy resources created by cyber security experts to enhance the framework's applicability and knowledge sharing. This NIST initiative supports organisations in their efforts to implement the CSF by providing them with the knowledge and resources they need to make informed decisions.