NIST CSF 2.0: A Closer Look

NIST CSF 2.0: A Closer Look

Avatar photo
Charles Ho
7 min read
Share this article:

Cybersecurity is no longer a “nice to have.” It’s a necessity for businesses of all sizes in all industries – whether or not they have a full-scale security team to implement and manage the program. However, setting up a cybersecurity program is significant work, and keeping up with best practices is challenging, even for large organizations. That’s why public cybersecurity frameworks have been developed. 

Cybersecurity frameworks are sets of standards and processes that businesses use to implement and manage security controls in order to minimize their cybersecurity risk. These frameworks are used by all kinds of companies to ensure their security program relies on best practices and is as effective as possible.

Though there are many frameworks available, the most popular is the NIST Cybersecurity Framework (CSF). NIST is a government institute that provides resources, tools, and information and is used widely across private, public, and government agencies in particular. This means that by implementing the NIST CSF, a company will not only be secure, but they’ll also meet most regulatory standards.

For the first time in 10 years, NIST released a major update to its cybersecurity framework: the NIST CSF 2.0. The newly released guidelines expand on what was established in CSF 1.0 to address threats that have emerged in the last decade. And, because bad actors are no longer exclusively targeting big fish, these guidelines can be used by all businesses.

Considering that the NIST framework has become nearly synonymous with cyber resiliency, it’s important to understand the new updates and how NIST CSF 2.0 actually makes it easier for companies of all sizes to improve their security posture.

What is the NIST cybersecurity framework?

Back in 2014, the National Institute of Standards and Technology (NIST) created a set of best practices to help organizations in the critical infrastructure sector, including healthcare, communication, energy, water, and transportation improve their cybersecurity efforts. These best practices focused on how to identify, reduce, and manage their cybersecurity risks while also having the ability to communicate how they managed these risks. The original framework, which remains largely intact today, focused on five primary functions. They include:

  • Identify: This function states that organizations need to understand their cybersecurity risks and how to protect their most important assets. It also focuses on making improvements to organizational cybersecurity risk management processes, procedures, and activities. 
  • Protect: The protect function offers guidance on how to protect an organization and address its cybersecurity risks. This includes incorporating training, data and platform security measures, authentication and access control best practices, as well as controls for security architectures as part of their cybersecurity risk management strategy.
  • Detect: The detect function details how companies can identify risks, vulnerabilities, and adverse events via continuous monitoring and comprehensive environment analysis for complete visibility and detection capabilities.
  • Respond: The best practices detailed in the response function primarily deal with creating a plan for incident response, as well as providing analysis, reporting the incident, and engaging in risk mitigation.
  • Recover: Finally, the recover function lays out best practices for incident response, recovery, remediation, and communication. This ensures that the organization doesn’t succumb to the same attack via its previously exploited vulnerability.

Though NIST released a few updates to its framework in 2018 with NIST CSF 1.1, the first major overhaul came in 2024 with NIST CSF 2.0. In August of 2023, NIST released a draft version of CSF 2.0 and opened a period of public comments and discussion about its proposed changes. After gathering significant feedback, changes were made, and NIST CSF 2.0 was officially released in February.

The biggest changes in NIST 2.0

While the core of the NIST framework remained largely unaltered, there were some major changes worth highlighting.

Expansion to all industries:

While NIST originally created its framework to address critical infrastructure companies like hospitals and power plants, the reality is that cyberattacks are no longer limited to those industries. Every company needs to implement cybersecurity best practices, so the new guidelines were expanded to include all organizations whether they’re Fortune 500 companies or small nonprofits. This means any organization can now implement the NIST security framework.

Addition of Governance function:

Perhaps the most notable change in NIST CSF 2.0 is the addition of a sixth function: Governance. The goal of adding this new function is to bring cybersecurity out of the IT and tech teams and make it an enterprise-wide initiative. It elevates the ownership of cybersecurity up to the C-suite and board levels.

This sixth function isn’t just an additive – it changes the structure of the framework itself. The other five functions — identify, protect, detect, respond, and recover — revolve around this new governance function. According to NIST, the Governance function “provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations.”

Through the Governance function, an organization’s cybersecurity risk management strategy, expectations, and policies are established, communicated, and monitored. Categories of the governance function include:

  • Organizational context
  • Risk management strategy
  • Roles, responsibilities, and authorities
  • Policy
  • Oversight
  • Cybersecurity supply chain risk management

Focus on supply chain:

Businesses are building increasingly connected digital ecosystems, which opens them up to supply chain attacks. To address this common risk, CSF 2.0 includes guidance on supply chain risk management and expands on the outcomes detailed in CSF 1.1. The framework states that cybersecurity supply chain risk management is a “systematic process for managing exposure to cybersecurity risk throughout supply chains and developing appropriate response strategies, policies, processes, and procedures.” Most of these supply chain best practices can be found under the new Governance function.

Massive development of resources:

The NIST framework has historically been difficult to understand and implement, especially for those who aren’t cybersecurity experts. In an effort to simplify the implementation of controls, NIST developed a vast resource library for businesses trying to become cyber resilient. As part of this library, NIST has included resources on how to create a profile to “describe an organization’s current and/or target cybersecurity posture in terms of cybersecurity outcomes.” From there, companies can learn how to use CSF Tiers to “provide context on how an organization views cybersecurity risks and the processes in place to manage those risks.” As we’ll discuss later, this allows organizations to customize the framework to fit their unique needs.

NIST has also assembled quick-start guides for types of organizations and functions like small businesses and enterprise risk managers, as well as organizations seeking to secure their supply chains. Additionally, CSF 2.0 includes a searchable catalog of informative references and implementation examples so organizations can cross-reference the CSF’s guidance with other cybersecurity frameworks, standards, guidelines, and resources.

NIST’s Cybersecurity and Privacy Reference Tool (CPRT) provides a means for companies to access reference data from various NIST cybersecurity and privacy standards, guidelines, and frameworks. The information is downloadable in both XSLS and JSON.

How to implement the NIST framework

The NIST security framework, specifically in its 2.0 state, is meant to be a resource that adapts and grows with a company’s security capabilities. With the addition of a Governance function, the framework now includes six functions, 23 categories, and 106 subcategories. However, not every organization will need to implement controls to address all 106 subcategories. The framework is designed to be modified and customized so each company can roll out its own implementation and meet its own specific needs. NIST is a framework that offers flexibility through its comprehensive nature.

With the new Governance function, the first step to implementing the NIST CSF 2.0 is to get buy-in from the top. Cybersecurity needs to be an organizational priority and companies need to build a security-focused culture with the support of leadership. The C-Suite and board need to be brought into cybersecurity early, and KPIs should be established to ensure the program is working.

Leaders can then use the quick start guides to create profiles and Tiers to determine which controls they need to adopt based on industry, company size, etc. From there, the tech or security team should read through the relevant categories and subcategories to establish where their organization meets the best practices and where it falls short.

Once your company has an understanding of which components it’s missing, you’ll need to develop a plan to implement the necessary security tools, processes, and procedures to achieve the desired outcome. After implementing those tools, processes, and procedures, you’ll also need to continuously monitor the performance of the program and update software and processes as needed. Additionally, investing in ongoing security training for your team will be a must.

Implementing NIST CSF with a managed security partner

Whether you’re starting from scratch or simply updating your security program to meet the standards laid out in the Governance function, implementing the NIST cybersecurity framework is likely to be a big operation. Unlike other NIST functions, Governance alone is a large undertaking that involves multiple teams and the creation of cybersecurity policies for your entire organization. While that might seem overwhelming and expensive, it’s nothing compared to the time and costs associated with recovering from a breach.

While some organizations can implement the NIST framework in-house, others may want to look for a managed security partner. Managed security partners can provide your business with the guidance needed to meet NIST CSF requirements and secure your organization from attacks. They can also help you implement the processes and training needed to meet the Governance function and maintain your program over time. If security is a priority at your organization and you don’t have a large team to oversee your program on an ongoing basis, a managed security provider might be the most effective route. 

SolCyber is the first-of-its-kind outsourced security program partner. With our 24/7 detection and response services and Foundational Coverage, businesses of all sizes, in all industries, can quickly uplevel their security posture and compliance standards.

Ready to get started? Reach out to the experts at SolCyber today.

Avatar photo
Charles Ho
Share this article:

Table of contents:

The world doesn’t need another traditional MSSP 
or MDR or XDR.

What it requires is practicality and reason.

Related articles

The world doesn’t need another traditional MSSP or MDR or XDR.
What it requires is practicality and reason.

And security that won’t let you down. It's time to put an end to the cyber insanity once and for all.
No more paying for useless bells and whistles.
No more time wasted on endless security alerts.
No more juggling multiple technologies and contracts.

Follow us!


Join our newsletter to stay up to date on features and releases.

By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.

SolCyber. All rights reserved
Made with
Jason Pittock

I am interested in
SolCyber XDR++™

I am interested in
SolCyber MDR++™

I am interested in
SolCyber Extended Coverage™

I am interested in
SolCyber Foundational Coverage™

I am interested in a
Free Demo