What is NIST CSF 2.0: Everything You Need to Know

The NIST CSF 2.0 has received its long-awaited update six years after the previous version. With generative AI and other threats becoming more rampant, the US government has required implementing a framework that better addresses cybersecurity challenges for the private sector. The update has unveiled some meaningful changes and has received positive reactions from the industry and the auditors.

“NIST CSF 2.0 is a step in the right direction. I am happy with how they have made it more accessible to every organization, addressed supply chain issues, discussed cyber threat intelligence, and made subcategories more specific. It will help businesses improve their cybersecurity posture”, says Mackenzie Thomas, senior audit associate at Sensiba LLP.

CSF 2.0 is built by experts worldwide and is your free guide to advancing cybersecurity maturity. Moreover, it is flexible, so you should begin leveraging it to build better defenses. This blog has all the finer details of NIST CSF 2.0, including the key changes, the difference between the current and previous version, and how you can proceed to get compliant.

What is NIST CSF 2.0?

NIST Cybersecurity Framework 2.0 is an updated framework with expanded and more structured guidance on minimizing cybersecurity risks and covering various industries and organizations of all sizes. It aims to enhance the cybersecurity posture of businesses irrespective of their security maturity. The NIST CSF 2.0 was officially published on February 26, 2024. The updated framework has a broadened focus and emphasis, added a new function, and provided direction on handling evolving cybersecurity challenges.

Why is NIST updating the framework?

The first version of NIST CSF was released in 2014 in response to an executive order stating “Improving Critical Infrastructure Cybersecurity,” that was issued by the President in 2013. It was meant for crucial sectors like healthcare and energy but to NIST’s surprise, it proved to be useful to other sectors and was adopted by 50% of the U.S. organizations by 2020. This was due to the rising cybersecurity concerns across the globe.

While NIST did release 1.1 in 2018, after the original NIST release in 2014, the framework had its flaws. The guidance was still centered around ‘critical infrastructure’. Additionally, since NIST is a built-in public framework with recommendations from experts worldwide, it also faced other critiques.

So NIST finally decided to work on NIST CSF 2.0 meant for every industry and business size regardless of the maturity of their cybersecurity programs. The framework can now be used by businesses ranging from schools and startups to enterprises and government organizations. The groundwork for NIST SCF 2.0 was started in 2022 and finally, in 2024 we have an updated published framework.

To know more, download the NIST Cybersecurity Framework 2.0 today to strengthen your organization’s security posture and protect against evolving threats.

Key Changes in NIST CSF 2.0

The NIST CSF 2.0 is said to have contributions from over 4000 attendees and 100+ countries. The feedback has been incorporated to build a clearer and well-structured framework. It has enhanced cybersecurity guidance and a suite of resources, and even addresses emerging technologies such as AI.

Let’s have a look at the key changes in NIST CSF 2.0

Change in scope

While the original intent of the previous version was to safeguard critical infrastructure, the new version has expanded the scope for broader applicability. The new version has actionable guidance tailored for organizations at various stages of cybersecurity program maturity to increase adoption by small businesses.
NIST has clarified this intent by changing the title from “Framework for Improving Critical Infrastructure Cybersecurity” to “Cybersecurity Framework”.

Addition of the new ‘Govern’ function

NIST CSF 2.0 has a sixth function known as the Govern function or GV in addition to the 5 previous functions (Identify, Protect, Detect, Respond, and Recover). The addition of the ‘Govern’ function has reinforced the importance of integrating cybersecurity into an organization’s overall Governance and risk management strategy. The GV function has 6 categories and 21 controls:

• Organizational Context: To ensure businesses understand the organization’s mission statements, stakeholder expectations and context to integrate cybersecurity into broader Enterprise risk management (ERM).
• Risk Management Strategy: To ensure businesses understand priorities, constraints, risk appetite, etc. and take risk management decisions accordingly
• Roles, Responsibilities, and Authorities: To ensure accountability and responsibility are established and communicated
• Policy: To ensure that businesses establish the right policies and SOPs, keeping in mind the cybersecurity threat landscape
• Oversight: To ensure monitoring and surveillance of activities and use the results to improve and adjust the strategy
• Cybersecurity Supply Chain Risk Management: To integrate supply chain risks with overall governance and risk management activities

Updated categories and controls

The NIST CSF 1.1 had 23 categories and 108 subcategories or controls. There has been a lot of realignment, removal, and reshuffling within these categories and controls. The new version has 22 categories and 107 subcategories. Some of these categories are new, such as supply chain risk management.

Integration with other risk programs

NIST maintains several frameworks, such as the Privacy Framework, NIST Artificial Intelligence Risk Management Framework, etc., that are closely related to cybersecurity. The new version has acknowledged the overlap between these risk programs and regulatory requirements and established a clear connection for enhanced implementation by businesses. 

It has also emphasized the focus on supply chain risks, which are among the top risks for any organization. Increasing globalization, cloud computing, outsourcing, and dependence on third parties call for better supply chain risk management to minimize any adverse impact on production and business continuity. Interestingly, one-third of the controls in the Govern function deal exclusively with Supply Chain Risk Management.

New references and expanded guidance

NIST CSF 2.0 has added several informative references for better adoption and guidance related to the framework. The new guidance material includes implementation examples, quick start guides, mapping of NIST framework with other cybersecurity frameworks, and other supplementary resources. NIST has also expanded guidance on community profiles with new and in-depth examples, steps to create and use them as well as an actionable profile template.

Additionally, NIST has launched a CSF 2.0 reference tool that enables you to search and select informative resources from CSF 2.0 Core and create your own version for personalized implementation.

Difference between NIST CSF 2.0 and NIST CSF 1.1

Both NIST CSF 1.1 and NIST CSF 2.0 aim to bolster organizations’ cybersecurity posture and have been built with public participation. While both are globally recognized for their guidance on strong cybersecurity practices, there are some significant differences between the two. Here’s a quick look at this table for NIST CSF 1.1 Vs NIST CSF 2.0

Basis	NIST CSF 1.1	NIST CSF 2.0
Scope	Meant for controllers and operators of critical infrastructure	Meant for all organizations irrespective of their size, industry and security maturity
Title to set the intent	Framework for Improving Critical Infrastructure Cybersecurity	Cybersecurity framework
Number of Functions	Five functions: Identify, Protect, Detect, Respond and Recover	Six Functions: Govern, Identify, Protect, Detect, Respond and Recover
Categories and controls	23 categories and 108 controls	22 categories and 106 controls
Integration with other risk programs	Does not integrate with other risk programs	Integrates with supply chain risks, AI, privacy etc. to address the interconnectedness
Guidance	Generic guidance that lacks specific instructions	Implementation examples, quick start guides, mapping to other frameworks, expanded guidance on profiles and CSF 2.0 reference tool

How will these changes impact the existing functions?

The existing 5 functions in the previous iteration of the NIST CSF have undergone some restructuring for enhanced clarity. Several controls have been moved from existing functions to the ‘Govern’ function to improve the overall relevance. There have been several control additions and removals as well.

Here are some examples

• The identity function had categories such as business environment and Governance. The business environment as a category has been removed in the new version, while Governance is a whole new function.
• Similarly, categories such as detection processes (detect function) and response planning (response function) have been dropped, and a new category, incident management, has been introduced in the response function.

The overall count, however, is more or less the same as the original: From 23 categories and 108 controls to 22 categories and 107 controls.

How to implement NIST CSF 2.0 if you are NIST 1.1 compliant?

If you are already compliant with the previous NIST CSF, here’s how you can proceed to get compliant with the new version:

• Understand the changes in the new version and perform a gap analysis between the current version and the previous version implementation. This will help you prioritize cybersecurity efforts and create an implementation plan.
• Update existing policies or create new policies to accommodate the changes. Ensure the changes are discussed with key stakeholders and the policies are acknowledged org-wide.
• Conduct training and awareness regarding the changes, implementation priorities, and new roles and responsibilities.
• Start building your pipeline of NIST controls and collect evidence against each compliance action.
• Keep monitoring and iterating till you reach the >90% compliance mark for NIST certification

How can Sprinto make CSF 2.0 implementation easier?

Ever since the announcement, organizations are gearing up to get NIST CSF 2.0 compliant but they also know that it requires a lot of groundwork to be done. Using a compliance automation tool like Sprinto can make this easier by eliminating the need for repetitive manual tasks.

Sprinto caters to 20+ cybersecurity frameworks, including NIST. It can help you with scoping to make the adoption of the framework easier. It can integrate with your existing infrastructure to enable automated granular-level checks for continuous compliance. The platform also eliminates the need to create policies from scratch by providing policy templates and simplifying training with in-built modules. 

You can expand the scope of the program with integrated risk management, automated evidence collection and more. If you are already compliant with the previous version of NIST CSF, Sprinto can get you ready for CSF 2.0 by automatically mapping common controls and reducing the time and effort to get certification-ready.

FAQs

What is the current version of NIST CSF?

The current version of NIST CSF is NIST CSF 2.0, which was released on February 26, 2024.

Is NIST CSF better than NIST SP 800-53?

NIST CSF is a broader-level framework meant for organizations of all sizes and is flexible for adoption. NIST 800-53 is a more detailed framework with a catalog of privacy and security controls and intended for federal agencies. It is not accurate to say one is better than the other.

What is the CSF 2.0 Reference tool?

The CSF 2.0 Reference Tool is a human and machine-readable tool that allows businesses to search for keywords in the Core component and create their own version to suit the tailored needs of the organization.