NIST Cybersecurity Framework (CSF) 2.0

ENTITY

Details the updated NIST CSF 2.0, which helps organizations manage cyber risks using six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. It emphasizes governance, supply chain management, and organizational profiles.

Updated 4/12/2026. Tags: nist, csf, risk-management, governance

The NIST Cybersecurity Framework (CSF) 2.0 is a comprehensive guide developed by the National Institute of Standards and Technology to help industry, government agencies, and other organizations manage cybersecurity risk. As a cornerstone of Cybersecurity Frameworks & Standards, CSF 2.0 provides a taxonomy of high-level cybersecurity outcomes. It is designed to be usable by any organization, regardless of size, sector, or maturity, so that it can better understand, assess, prioritize, and communicate its defensive efforts.

Rather than prescribing specific tools or methods, the framework focuses on what outcomes should be achieved, serving as a foundational element of Enterprise Cybersecurity Risk Management.

The Six Core Functions

The CSF 2.0 Core organizes cybersecurity outcomes into six high-level functions. A major update in version 2.0 is the addition of the Govern function, elevating cybersecurity risk governance to a central, overarching role.

  • Govern (GV): This function establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policy. It covers organizational context, roles and responsibilities, oversight, and notably, cybersecurity supply chain risk management.
  • Identify (ID): Focuses on understanding the organization's current cybersecurity risk to its assets and operations. Categories include asset management, risk assessment, and continuous improvement.
  • Protect (PR): Outlines the safeguards used to manage cybersecurity risk and ensure delivery of critical infrastructure and services. This encompasses identity management, authentication, access control, awareness and training, data security, platform security, and technology infrastructure resilience. Implementing these outcomes often requires adherence to Secure by Design & Default Practices.
  • Detect (DE): Defines activities to identify the occurrence of a cybersecurity event, specifically through continuous monitoring and adverse event analysis.
  • Respond (RS): Details actions to take regarding a detected cybersecurity incident. Categories encompass incident management, analysis, response reporting and communication, and incident mitigation.
  • Recover (RC): Identifies activities to maintain plans for resilience and to restore capabilities impaired by an incident, including recovery plan execution and internal/external recovery communication.

Key Components and Implementation

CSF 2.0 translates these functions into actionable guidance through several core components:

  • Core: The hierarchical taxonomy of Functions, Categories (e.g., Data Security), and Subcategories that describe specific risk management outcomes.
  • Profiles: Organizations use organizational profiles to align the CSF Core with their specific business requirements, mission, risk tolerance, and resources. Profiles are instrumental in describing a "Current State" (which outcomes are achieved today) and prioritizing a target "Desired State"; the gap between the two drives the improvement plan.
  • Tiers: Provide a mechanism for organizations to evaluate the maturity and characteristics of their approach to managing cybersecurity risk.
  • Reference Tool: NIST provides a dynamic CSF 2.0 Reference Tool that maps the framework's outcomes to informative references and tangible implementation examples in human- and machine-readable formats.
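The Current-versus-Target profile comparison described above, as an added example that is not part of the original page or of NIST's Reference Tool. The subcategory IDs are real CSF 2.0 identifiers, but the 0-4 per-subcategory scores and both profiles are constructed sample data, and scoring individual subcategories on that scale is an assumption of this example (NIST's Tiers characterize the organization's overall approach, not each outcome):

```python
"""Gap analysis between a constructed Current Profile and Target Profile (CSF 2.0)."""
from collections import defaultdict
from dataclasses import dataclass

# The six CSF 2.0 Functions, keyed by the prefix used in subcategory IDs.
FUNCTIONS = {
    "GV": "Govern", "ID": "Identify", "PR": "Protect",
    "DE": "Detect", "RS": "Respond", "RC": "Recover",
}

# Constructed sample profiles: real CSF 2.0 subcategory IDs with hypothetical
# scores (0 = not addressed, 4 = fully achieved). Assumption for this example only.
CURRENT_PROFILE = {
    "GV.OC-01": 3, "GV.SC-01": 1, "ID.AM-01": 2, "PR.AA-01": 2,
    "DE.CM-01": 1, "RS.MA-01": 2, "RC.RP-01": 1,
}
TARGET_PROFILE = {
    "GV.OC-01": 3, "GV.SC-01": 3, "ID.AM-01": 4, "PR.AA-01": 4,
    "DE.CM-01": 3, "RS.MA-01": 3, "RC.RP-01": 3,
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int

    @property
    def size(self) -> int:
        # How far the current state falls short of the target outcome.
        return self.target - self.current


def function_of(subcategory: str) -> str:
    """Map a subcategory ID such as 'PR.AA-01' to its Function name."""
    prefix = subcategory.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown CSF Function prefix in {subcategory!r}")
    return FUNCTIONS[prefix]


def gap_analysis(current: dict, target: dict) -> list:
    """Return every subcategory whose target exceeds its current score, largest gap first."""
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 0)  # absent from the current profile means not addressed
        if want > have:
            gaps.append(Gap(sub, function_of(sub), have, want))
    # Sort by gap size descending, then by ID so the ordering is stable and reviewable.
    return sorted(gaps, key=lambda g: (-g.size, g.subcategory))


def gaps_by_function(gaps: list) -> dict:
    """Group gaps under their Function, preserving the prioritized order within each."""
    grouped = defaultdict(list)
    for g in gaps:
        grouped[g.function].append(g)
    return dict(grouped)


def function_scores(profile: dict) -> dict:
    """Average score per Function, a coarse view for reporting upward."""
    totals, counts = defaultdict(int), defaultdict(int)
    for sub, score in profile.items():
        fn = function_of(sub)
        totals[fn] += score
        counts[fn] += 1
    return {fn: round(totals[fn] / counts[fn], 2) for fn in totals}


if __name__ == "__main__":
    report = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for fn, items in gaps_by_function(report).items():
        print(fn)
        for g in items:
            print(f"  {g.subcategory}: {g.current} -> {g.target} (gap {g.size})")
    print("current averages:", function_scores(CURRENT_PROFILE))
```

Subcategories already at target (GV.OC-01 here) drop out of the report, and anything present in the target but missing from the current profile is scored 0 rather than silently skipped, which is the failure mode that matters when a profile is assembled from several teams' spreadsheets.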

Relationship to Other Frameworks

Because CSF 2.0 is outcome-based, it relies on informative references to indicate how those outcomes can be achieved. Organizations frequently pair the CSF with detailed control catalogs. For example, an organization might use the CSF for high-level board reporting and strategy while implementing specific technical controls from NIST SP 800-53 Revision 5 or CIS Critical Security Controls Version 8.

Additionally, mapping CSF outcomes against the MITRE ATT&CK Framework can actively assist in Building a Threat-Informed Defense Strategy, allowing security teams to continuously validate the effectiveness of their Protect and Detect capabilities.