Connect with us

Hi, what are you looking for?



NIST Cybersecurity Framework 2.0 Officially Released

NIST releases Cybersecurity Framework 2.0, the first major update since the creation of the CSF a decade ago.

NIST Cybersecurity Framework 2.0

NIST on Monday announced the official release of version 2.0 of its Cybersecurity Framework (CSF), the first major update since its creation a decade ago.

The cybersecurity framework was originally aimed at critical infrastructure organizations, but it has been widely used and widely recommended and NIST highlighted that CSF 2.0 is designed to help all organizations reduce risks, regardless of sector, size, or level of security sophistication. 

Based on the feedback it received on the draft of the Cybersecurity Framework 2.0, NIST expanded the core guidance and created additional resources to help organizations use the CSF to its full potential. 

[ Read: Industry Reactions to NIST Cybersecurity Framework 2.0 ]

The CSF 2.0 supports implementation of the National Cybersecurity Strategy and it’s organized around six key areas: identify, protect, detect, respond, recover and govern. The govern function was introduced with this major update of the CSF. 

“The addition of the Govern function provides a vital and previously missing piece to the NIST Cybersecurity Framework, important to critical elements such as risk management,” Robert Booker, chief strategy officer at HITRUST, a contributor to the development of CSF 2.0, said via email.

Users are provided implementation examples and quick-start guides that are tailored to their specific needs. 

The CSF 2.0 also offers a searchable catalog of references that enables organizations to map guidance to over 50 other relevant cybersecurity documents. 

Advertisement. Scroll to continue reading.

The first major version of NIST’s cybersecurity framework is available in over a dozen languages and volunteers from around the world will likely translate CSF 2.0 as well. 

“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” said NIST Director Laurie E. Locascio. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.” 

Katherine Ledesma, head of public policy & government affairs at industrial cybersecurity firm Dragos, has made some interesting comments on the implications and benefits for organizations with industrial control systems (ICS) and operational technology (OT) systems.

“Similar to the National Cybersecurity Strategy released last year, the CSF 2.0 continues to move the conversation from cybersecurity investment as a cost center to cybersecurity investment as a way not only to protect but also support business operations, particularly when it comes to ICS and OT cybersecurity. This is important to manufacturing facilities that need to maintain safe, continuous operation, as well as for electric or water utilities that need to provide reliable, essential services to communities,” Ledesma told SecurityWeek.

“Although the CSF 2.0 identified that functions, categories, and subcategories are intended to be broad enough to apply to both IT and OT environments, as the dialogue around the CSF and related guidance continues, we will see specific attention paid to the distinct approaches needed to protect ICS/OT, given the unique purposes of and risks to those types of systems. This includes continuing to update documents such as the Guide to OT Security, and also incorporation of these concepts into broader planning and guidance documents,” Ledesma added.

Related: US Publishes Implementation Plan for National Cybersecurity Strategy

Related: NIST: No Silver Bullet Against Adversarial Machine Learning Attacks

Related: NIST Publishes Final Version of 800-82r3 OT Security Guide

Related: Using the Full NIST Cybersecurity Framework for the Win

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...