In celebration of its 10th anniversary, the National Institute of Standards and Technology (NIST) has finally updated its cybersecurity framework, now known as the NIST Cybersecurity Framework 2.0. This isn’t a minor facelift. It's a substantial revamp further improving what's already regarded as the gold standard of cyber risk management frameworks.

To learn about the key changes in NIST CSF 2.0, and how they could impact your cybersecurity posture improvement efforts, read on.

1. Revamped respond and recover functions

Arguably, the most impactful change in NIST CSF 2.0 is its increased attention across Respond and Recover functions - functions receiving disproportionately less attention in version 1.1 of NIST CSF.

The Respond function now maps to cyber incident response outcomes that are actually impactful and not just addressed at a high level. To illustrate the more targeted nature of the response function of the new framework, here’s a comparison between the category lists of version 1.1 and version 2.

 Response category list in NIST CSF 1.1
Response category list in NIST CSF 1.1
Response category list in NIST CSF 2.0
Response category list in NIST CSF 2.0

2. Introduction of a new(ish) function: Govern

The most prominent change in version two of the CSF is the addition of a Govern function, bringing the total number of core functions to six. Though an added partner to the original core, the Govern function isn’t actually entirely new. Much of its details are a consolidation of category information in version 1.1, making version 2.0 much neater and simpler to understand - an attribute that's now a defining aspect of the new and improved NIST CSF.

For example. In version 1.1 of NIST CSF, outcomes for Roles and Responsibilities were spread across PR.IP and ID.BE categories. Now, they’re conveniently consolidated in the Govern function.

List of categories in the new Govern Function of NIST CSF 2.0.
List of categories in the new Govern Function of NIST CSF 2.0. These details, which were previously dispersed throughout version 1.1, are now conveniently consolidated in a stand-alone function. Source: nvlpubs.nist.gov

The other benefit of integrating GRC outcomes into NIST CSF is that it allows non-technical stakeholders to understand how their governance duties intersect with cybersecurity risk management tasks, resulting in board members getting a seat in strategic cybersecurity decisions - an arrangement that's becoming an increasingly critical requirement.

Learn how to create a cybersecurity report board members will actually appreciate >

Govern function is now integrated into original five function in NIST CSF 2.0
Govern function is now integrated into original five function in NIST CSF 2.0.
The sixth function (Govern) in NIST CSF 2.0 ensures stakeholders remain informed about cybersecurity practices and action plans.

3. Increased focus on supply chain risk management

With plenty of supply chain attacks occurring since NIST CSF was initially launched in 2014, NIST has expectantly increased its focus on Cybersecurity Supply Chain Risk Management (SCR.) in its new framework. Most of these outcomes are nested in the Govern function, giving stakeholders and C-suite staff more oversight into an attack vector, costing businesses an average of 4.76 USD million when exploited.

By 2025, 45% of organizations worldwide will have been impacted by a software supply chain attack, a three-fold increase since 2021.

- Source: Gartner
Figure 3 - NIST CSF 2.0 Consolidates and expands its SCRM cybersecurity outcomes in the Govern function.
Figure 3 - NIST CSF 2.0 Consolidates and expands its SCRM cybersecurity outcomes in the Govern function.
A business partner supply chain compromise cost 11.8% more and took 12.8% longer to identify and contain than other breach types
A business partner supply chain compromise cost 11.8% more and took 12.8% longer to identify and contain than other breach types. Source: IBM Cost of a Data Breach Report 2023.

4. Expanded industry scope (and much clearer guidelines)

Though originally designed to help critical infrastructures bolster their cyber threat resilience in response to the 2013 Executive Order 13636, NIST CSF has been widely adopted by almost every industry for one simple reason - it just works, really, really well.

NIST CSF 2.0 is NIST’s attempt to rebrand its cyber framework from one that’s critical infrastructure-centric to one that’s more industry-agnostic. This shift isn’t just reflected in the framework’s new name (the official name of the first edition was Framework for Improving Critical Infrastructure Cybersecurity, now it’s known as The NIST Cybersecurity Framework (CSF) 2.0) but also it's much clearer communication.

For example, in NIST CSF Version 1.1, subcategory 1 of the Information Protection category was as follows:

  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

Pretty confusing, right?

Now, compare this language to how the Platform Security subcategories are written in version 2.0:

  • PR.PS-01: Configuration management practices are established and applied
  • PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
  • PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
  • PR.PS-04: Log records are generated and made available for continuous monitoring
  • PR.PS-05: Installation and execution of unauthorized software are prevented o PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.
By expanding from the more technical critical infrastructure sector, NIST CSF 2.0 is now a helpful cybersecurity guide that can be easily understood by organizations of all sizes. 

Clearer communication means that cybersecurity initiatives are now much simpler to communicate with stakeholders and board members who tend not to be comfortable with technical cybersecurity jargon.

Learn how UpGuard further closes the technical deficit between cybersecurity teams and stakeholders with its cybersecurity reporting features.

Find out more >

This expanded scope of focus also brings about other much-needed changes.

(a). We (finally) have implementation examples

Previously, users had to essentially offer their best guess to decipher the technical desired outcomes in NIST CSF. Now, in version 2.0, this veil of obscurity is completely removed with the addition of implementation examples - yes,  NIST CSF 2.0 finally has tangible examples of how to achieve its desired outcomes! 

For example, subcategory three of Organizational Context under the Govern function is as follows:

GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed

There's a lot to unpack here, which increases the risk of being led down multiple needlessly convoluted implementation pathways. 

But now, with the support of implementation examples,  the guesswork is completely eradicated:

Implementation Examples: GV.OC-03

Ex1: Determine a process to track and manage legal and regulatory requirements

regarding protection of individuals’ information (e.g., Health Insurance Portability

and Accountability Act, California Consumer Privacy Act, General Data Protection

Regulation)

Ex2: Determine a process to track and manage contractual requirements for

cybersecurity management of supplier, customer, and partner information

Ex3: Align the organization’s cybersecurity strategy with legal, regulatory, and

contractual requirements

The public draft of NIST CSF 2.0 implementation examples can be accessed here.

By providing implementation examples in addition to a much clearer communication style, NIST CSF version 2.0 now makes the attainment of a resilient security posture a possibility for more businesses than ever before.

Implementation examples clarify the specific cybersecurity challenges being addressed, and shed a bright light on how to actually overcome them.

(b). Updated information references and quick start guides

To streamline implementation, NIST has overhauiled its information reference and quick start guides. Collectively, the quick start guide library addresses just about all dimensions of NIST CSF implementation, including how to use Community Profiles, and a guide on C-SCRM - a great resource for stakeholders and board members feeling a little apprehensive about their increased supply chain governance duties.

The revamped NIST CSF quick start guides allow security teams and stakeholders to jump straight into risk management strategy planning with minimal implementation friction.

The refreshed quick start guides allows everyone, regardless of their cyber experience, to benefit from the cyber risk mitigation advantages of NIST CSF, from small businesses to enterprise risk managers and CISOs.

The updated NIST CSF quick start library.
The updated NIST CSF quick start library.

Access the NIST CSF quick start library here.

Access the NIST CSF 2.0 reference tool here.

(c). Addition of community profile templates

NIST organizational profiles simplify the process of tailoring NIST CSF to an organization’s unique security objectives and intended outcomes - they help you bridge the gap between your current cybersecurity posture and your target cybersecurity posture.

NIST CSF 2.0 profile template comparing current to target cyber posture states.
NIST CSF 2.0 profile template comparing current to target cyber posture states.

Access the CSF 2.0 Organizational Profile template here.

For guidance with specific implementation use cases, the Cyber Risk Institute offers a profile template (in .xls format) mapping NIST CSF 2.0 to specific standards, such as FFIEC (CAT) and NYDFS. This template even includes a plan for utilizing NIST CSF 2.0 to achieve greater resilience against today’s most dangerous cybersecurity threat - ransomware.

Learn how to defend against ransomware with this ultimate guide >

Amongst other mapping use cases, the CRI profile template maps NIST CSF 2.0 to a target state of improved ransomware attack resilience.
Amongst other mapping use cases, the CRI profile template maps NIST CSF 2.0 to a target state of improved ransomware attack resilience.


Access the CRI Profile v2.0 template here.

Ready to see
UpGuard in action?