
NIST CSF 2.0: What's new in the Cybersecurity Framework


Apr 17, 2026

NIST CSF 2.0 expands the Cybersecurity Framework into a broader, risk-based model centered on governance, making leadership accountable for cybersecurity as an enterprise risk. It introduces a sixth core function, enhances supply chain and privacy integration, and improves usability for organizations of all sizes. Profiles, tiers, and new implementation resources help align security efforts with business objectives and evolving threat landscapes.

Introduction: Why NIST CSF 2.0 matters

Since its first release in 2014, the NIST Cybersecurity Framework (CSF) has become the gold standard for managing cybersecurity risk. Organizations use it to formulate their security programs, communicate risk, and align technical controls with business objectives. On February 26, 2024, NIST released CSF 2.0, marking the first major update since version 1.1 in April 2018. This update reflects a fundamental shift in how organizations are expected to approach cybersecurity in today’s complex digital environment.

Why this is a major update

CSF 2.0 is shaped by years of real-world use, emerging threats, and changing business realities. Some key changes include:

  • Governance is now a core function, with emphasis on leadership accountability and cybersecurity as a business risk, not just a technical issue.
  • The framework’s applicability is extended to organizations of all types and industries.
  • Supply chain risk management is elevated to a strategic priority amidst growing third-party and vendor-related threats.
  • New implementation resources have been added to help organizations adopt the framework more effectively.

Who should use CSF 2.0

While earlier versions of the framework addressed critical infrastructure, CSF 2.0 is designed for all organizations, from global enterprises to small and mid-sized businesses. It provides guidance for organizations at varying levels of cybersecurity maturity, helping them prioritize actions based on risk, resources, and business goals. Whether you want to build a security program from the ground up or improve an existing one, CSF 2.0 offers a solid and scalable foundation. Example scenarios include:

  • A healthcare startup building its first security program.
  • A manufacturer facing new supply chain security requirements from customers.
  • An enterprise CISO aligning security strategy with board-level risk discussions.


What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a voluntary set of guidelines and best practices developed by the National Institute of Standards and Technology to help organizations understand, manage, and lower cybersecurity risk. More specifically, it organizes cybersecurity activities around six Core Functions: Govern, Identify, Protect, Detect, Respond, and Recover.

CSF is flexible, risk-based, and can work alongside existing security programs. Organizations can adapt it to fit their size, maturity level, industry, regulatory environment, and risk tolerance. The framework does not prescribe specific tools or controls, but provides a common language and structure that security, IT, and business leaders can use to align priorities and make informed decisions.

CSF vs. compliance standards

CSF is not a compliance checklist or a pass/fail assessment; it is a risk management framework. While compliance standards tell you what to do, CSF helps you understand why it matters and how to set priorities based on risk. Organizations use CSF to:

  • Assess their current cybersecurity posture and identify gaps.
  • Define target states, i.e., establish measurable goals for where the organization needs to stand with respect to each security function, based on risk tolerance and business priorities.
  • Communicate cybersecurity risk to executives, the board, and other stakeholders by translating technical security issues into business language that everyone understands.
  • Support regulatory and compliance efforts by mapping CSF controls to compliance frameworks to avoid duplicate efforts.

Core components of the framework

The NIST Cybersecurity Framework is built around a set of components that help organizations structure, assess, and improve their cybersecurity programs. These components work together to translate high-level risk management goals into outcomes. Organizations can use the Core to define outcomes, Profiles to assess and plan, and Tiers to understand their risk management level.

The CSF Core

The CSF Core defines the cybersecurity outcomes an organization should strive to achieve. It organizes these outcomes into:

Core Functions

High-level cybersecurity objectives that describe the full lifecycle of managing cyber risk. CSF includes six Functions:

  • Govern (introduced in CSF 2.0): Establish an organizational cybersecurity strategy, expectations, and policies. Ensure leadership oversight and accountability across cybersecurity activities.
  • Identify: Understand your organization's cyber risks, including those associated with assets, applications, data, and suppliers. Moreover, identify improvement opportunities in your cybersecurity risk management practices.
  • Protect: Implement safeguards to secure the identified systems, assets, and data. Prevent or lower the chance of a cyber incident, and limit the impact if it happens.
  • Detect: Develop and implement capabilities to identify the occurrence of cybersecurity events in a timely manner. Monitor systems continuously for anomalies and threats.
  • Respond: Take action when a cybersecurity incident is detected. Contain the impact, investigate what happened, and communicate effectively with stakeholders.
  • Recover: Restore assets, systems, and services affected by cybersecurity incidents. Return to normal operations and incorporate lessons learned to strengthen resilience.

Categories

Categories break each Core Function into smaller focus areas that group related cybersecurity outcomes. They help organizations understand the key activities needed to achieve each Function, such as managing assets, controlling access, or preparing for incident response. Categories provide structure and make the framework easier to apply in real-world security programs.

For example, under the Identify Function, one Category is:

  • Asset Management (ID.AM): ensuring the organization knows what systems, devices, and data it owns and uses.

Subcategories

More granular outcomes that provide practical guidance on what it means to achieve each Category. Subcategories are linked, through informative references, to other standards and frameworks such as ISO 27001 and the CIS Controls.

For example, within the Asset Management (ID.AM) Category, a Subcategory outcome includes:

  • ID.AM-01: Physical devices and systems within the organization are inventoried.

Categories describe broader cybersecurity focus areas, while Subcategories provide specific outcomes that organizations can work toward and measure.

Profiles

Profiles help organizations map their cybersecurity activities and objectives to the CSF Core in a way that reflects their current reality and future goals. These profiles should align with the organization's business requirements, risk tolerance, legal and regulatory obligations, and available resources.

Current Profile

Describes the cybersecurity outcomes that an organization is currently achieving (or attempting to achieve) based on the CSF Core. It reflects the organization’s present cybersecurity posture and helps identify strengths and gaps.

Target Profile

Describes the cybersecurity outcomes that an organization has selected and prioritized as desired goals. It represents where the organization wants to be, based on business needs, risk tolerance, mission objectives, and available resources.

Community Profiles

A new addition in CSF 2.0, these profiles offer industry-specific, technology-specific, or use case-specific guidance that organizations can use as a starting point or benchmark to build their Target Profile.

By comparing the Current and Target Profiles, organizations can identify gaps, set priorities, and develop roadmaps for strengthening their security posture.

Tiers

Tiers help organizations describe the rigor and sophistication of their cybersecurity risk management practices. They are not maturity levels, and organizations are not expected to progress through them. Instead, an organization should select the Tier appropriate to its Profile.

Tier 1: Partial

Risk management practices are ad hoc and largely reactive

Tier 2: Risk informed

Risk management practices are approved by management but not consistently applied across the organization

Tier 3: Repeatable

Formal policies and processes are established and implemented organization-wide

Tier 4: Adaptive

Cybersecurity practices continuously improve based on lessons learned, threat intelligence, and changing risk conditions

Major changes in NIST CSF 2.0

The updates rolled out in NIST CSF 2.0 reflect how cybersecurity is practiced today. These changes make the framework more accessible and relevant to organizations of all sizes and industries.

Renamed for broader applicability

One of the most obvious changes in CSF 2.0 is the name itself. NIST dropped “for Improving Critical Infrastructure” from the name. It is now just the “Cybersecurity Framework” and that's intentional. While CSF initially targeted organizations operating critical infrastructure, organizations of all sizes and sectors had also been using it for years. The new name reflects that reality and reinforces NIST’s intent that the framework is suitable for all organizations.

Expanded guidance for small and mid-sized businesses (SMBs)

CSF 2.0 provides greater support for SMBs that lack dedicated security teams and extensive budgets. It introduces quick-start guides and implementation examples tailored to SMBs with limited cybersecurity maturity and resources. These additions help SMBs focus on practical, risk-based improvements rather than attempting to implement the entire framework at once, making adoption easy and achievable.

Clearer language and updated terminology

NIST listened to feedback and simplified the framework's language and structure, making it clearer and more consistent. Definitions are clearer, jargon is reduced, and the terminology is updated to reflect modern cybersecurity practices, technologies, and organizational structures. This makes the framework easier to understand and apply, particularly for non-technical stakeholders such as executives, risk managers, and board members.

New implementation resources

CSF 2.0 comes with enhanced resources that help organizations translate high-level requirements to real-world action, making implementation less daunting. These include:

  • Implementation examples for each Subcategory, with guidance on how outcomes can be achieved.
  • Quick-start guides tailored to different roles and organization types.
  • Reference tools that map CSF outcomes to other frameworks you might already be using.
  • Community Profiles, which provide industry-specific guidance and serve as a starting point for organizations with similar risk environments.

The new ‘Govern’ Function

If there is one change that signals where cybersecurity is headed, it is this: Govern is now a standalone Function. In earlier versions of the framework, governance-related activities were scattered across other functions. By pulling them into a new Function, NIST is making a clear statement: cybersecurity is not just an IT problem but an enterprise risk. Effective cybersecurity requires leadership involvement, accountability, and alignment with organizational objectives. Executive leadership and the board have a definite role to play in setting direction, defining risk tolerance, and overseeing cybersecurity strategy.

Categories within Govern

The NIST CSF Govern Function is made up of six Categories that focus on leadership, accountability, and risk management at the organizational level:

  • Organizational Context (GV.OC): Focuses on understanding the organization’s mission, business objectives, stakeholder expectations, and any legal and regulatory requirements. Establishing this context is crucial to aligning cybersecurity efforts with business objectives.
  • Risk Management Strategy (GV.RM): Addresses how an organization defines, communicates, and manages cybersecurity risk. Define your risk priorities and your risk appetite and tolerance levels, document them, and communicate them clearly to guide decision-making across the organization.
  • Roles, Responsibilities, and Authorities (GV.RR): Emphasizes the importance of clearly defining and assigning cybersecurity roles and responsibilities, from the board to individual contributors. It promotes accountability by making it clear who is responsible for decisions, actions, and outcomes related to cybersecurity risk.
  • Policy (GV.PO): Focuses on creating cybersecurity policies, communicating them to staff, enforcing them consistently, and monitoring them. These policies provide direction and set expectations for how the organization manages cybersecurity.
  • Oversight (GV.OV): Highlights the role of senior leadership and the board in reviewing and guiding cybersecurity strategy. It ensures that cybersecurity risks, performance, and investments receive attention at the highest levels.
  • Cybersecurity Supply Chain Risk Management (GV.SC): Addresses risks arising from suppliers, service providers, and other third parties. Identifying, assessing, and managing supply chain cybersecurity risks should be part of an organization’s overall risk management strategy.

Why governance now?

Over time, cybersecurity has moved from an IT issue to a board-level responsibility. Several high-profile breaches have shown that poor governance can lead to financial, operational, and reputational consequences. Regulatory developments, such as the US SEC’s cybersecurity disclosure rules and the EU’s NIS2 Directive, now explicitly require senior leadership and boards to take an active role in overseeing cybersecurity risk. By elevating governance into a Core Function, CSF 2.0 formally recognizes that effective cybersecurity depends on leadership involvement, accountability, and integration with enterprise risk management.

Updates to the original five Functions

While Govern steals the spotlight as the new addition, NIST also refined the original five Functions in CSF 2.0 to improve clarity, usability, and support for modern cybersecurity practices.

Identify (ID)

The focus here shifts toward understanding your organizational context and cybersecurity risk. It is not just about cataloging assets, but knowing why they matter and what risks they carry. Guidance related to asset management, business environment, and risk assessment has been refined to be more practical and better support risk-based decision-making.

Protect (PR)

Updates to the Protect Function clarify controls related to identity and access management, data security, and security awareness training. The guidance caters to modern environments such as cloud infrastructure, hybrid systems, remote workforces, and increased reliance on third-party services.

Detect (DE)

The Detect Function includes improved guidance on continuous monitoring, anomaly detection, and adverse event analysis. It emphasizes timely detection of cybersecurity events and the importance of visibility across systems, networks, and data sources to reduce the impact of incidents.

Respond (RS)

In the Respond Function, CSF 2.0 provides more actionable outcomes for incident response activities, including response planning, incident management, analysis, mitigation, and internal as well as external communications. This helps organizations respond more effectively when cybersecurity incidents occur.

Recover (RC)

Recovery is more than just getting systems back online. CSF 2.0 expands guidance on recovery planning, improvement activities, executing recovery processes smoothly, and maintaining clear communication throughout the recovery period so that stakeholders know where things stand.

Expanded guidance on Profiles and Tiers

CSF 2.0 expands on how organizations should use Profiles and Implementation Tiers as practical tools, not just theoretical concepts.

Creating Organizational Profiles

CSF 2.0 provides clearer, more actionable guidance on developing Organizational Profiles that reflect both current capabilities and future objectives. Organizations are encouraged to:

  • Assess their Current Profile by mapping existing practices against CSF outcomes. What are you already doing well? Where are the gaps?
  • Define a Target Profile based on business objectives, risk tolerance, and regulatory requirements.
  • Perform a gap analysis to pinpoint differences between the Current and Target Profiles.
  • Prioritize remediation efforts based on risk, impact, and resources.

Community Profiles

Community Profiles are new in CSF 2.0, and they are a game-changer for organizations that do not want to start from scratch. These are profiles developed by industry groups, government agencies, and other sector organizations (healthcare, financial services, manufacturing, etc.) to provide guidance tailored to specific industries, technologies, and use cases. Community Profiles serve as a practical starting point or benchmark, allowing organizations to benefit from shared expertise and address common risks within their sector.

Using Tiers effectively

CSF 2.0 reinforces that Implementation Tiers are intended to provide context, not to rank or score organizations. Tiers help organizations describe how effectively they manage cybersecurity risk and communicate their level to internal and external stakeholders, including boards, regulators, customers, and partners.

The framework also clarifies that not every organization needs to reach Tier 4. A small non-profit and a multinational bank should not aim for the same Tier, and that's perfectly fine. The right Tier depends on factors such as risk appetite, business model, regulatory obligations, and resources.

New focus areas in NIST CSF 2.0

The NIST Cybersecurity Framework update places greater emphasis on areas that have become critical due to evolving threats, complex environments, and regulatory expectations.

Supply chain risk management

Supply chain and third-party risks receive significant attention in CSF 2.0 and are addressed throughout the framework. The new Govern Function includes a dedicated Category (GV.SC) for managing third-party and supplier risks, giving stakeholders and C-suite executives greater oversight of the risk a supplier-related incident poses to the organization. Security teams need to know who has access to their systems, how that access is used, and how to respond if that access is compromised.

SolarWinds and similar incidents have highlighted how vulnerabilities in vendors, software providers, and service partners can have widespread impact. As a result, CSF 2.0 encourages organizations to treat supply chain risk as a strategic concern and integrate it into overall governance and risk management.

Emerging technologies

CSF 2.0 updates its guidance to better reflect modern technology environments and address current security challenges. This includes considerations for cloud-based systems, remote and hybrid work models, Internet of Things (IoT) deployments, and the growing use of artificial intelligence and machine learning. The framework provides practical guidance for securing these technologies without pretending that they are just variations of old problems with new names.

Privacy integration

Cybersecurity and privacy go hand in hand. A data breach is both a security failure and a privacy violation. CSF 2.0 acknowledges this overlap and provides stronger alignment with the NIST Privacy Framework. This enables organizations to integrate privacy considerations into their cybersecurity programs, thereby managing both risks in a coordinated way.

International standards alignment

CSF 2.0 better aligns with international and industry standards, making it easier for organizations to map CSF outcomes to existing control frameworks. It provides additional mappings and clearer informative references to standards such as ISO/IEC 27001, CIS Controls, and NIST SP 800-171, which enables organizations to demonstrate compliance with multiple frameworks without duplicating effort.

Implementing NIST CSF 2.0

Whether you are migrating from CSF 1.1 or starting fresh, here is how to approach implementation in a practical and manageable way.

Gap analysis from CSF 1.1

If you are already using CSF 1.1, the good news is that CSF 2.0 builds on what you know. Begin by conducting a gap analysis against CSF 2.0. The following approach allows organizations to identify gaps and priority areas while keeping the transition smooth.

  1. Review the new Govern Function by assessing existing governance practices against the GV Categories, such as risk management strategy, oversight, and supply chain risk management. You are probably already doing some of this work; now it is about formalizing it.
  2. Map existing controls to the updated Categories and Subcategories to understand where current practices already align.
  3. Identify gaps, with particular attention to areas that received greater emphasis in CSF 2.0, such as third-party and supply chain risk management.
  4. Update Organizational Profiles to reflect the CSF 2.0 structure. Your Current Profile should account for the new Govern function and your Target Profile should reflect where you want to be under the updated framework.

Phased adoption strategy

A phased approach keeps implementation manageable and builds momentum as you go.

How Netwrix supports NIST CSF 2.0 implementation

Netwrix offers products that directly support key CSF Functions across identity, data, governance, monitoring, and response. It helps organizations gain visibility, control access, detect threats, and consolidate evidence to demonstrate compliance.

Identify: Visibility into IT assets and data

A strong cybersecurity program begins with knowing what assets and data you have, where they reside, and what risks they carry. Netwrix supports the Identify Function by providing deep visibility into hybrid IT environments. It enables organizations to discover assets, classify sensitive data, and understand where critical and regulated information resides across file servers, databases, SharePoint, Office 365, and cloud storage.

  • Netwrix Auditor provides visibility into changes, configurations, and access across IT systems such as Active Directory, file servers, and Microsoft 365, enabling organizations to identify security gaps and track user activity.
  • Netwrix Data Classification enables organizations to discover and classify sensitive information, helping them identify inadequately protected or regulated data across on-prem and cloud repositories.

Together, these solutions provide comprehensive asset visibility that directly supports the Identify Function's requirements for asset management and risk assessment.

Govern: Access controls and policy enforcement

  • Netwrix Privilege Secure provides privileged access management (PAM), enabling just-in-time access and reducing standing administrative privileges. It also offers session monitoring and recording for oversight and accountability of privileged activities.
  • With AI-powered risk remediation capabilities, the Netwrix 1Secure platform not only identifies data security risks but also provides tailored remediation steps, with a focus on high-risk permissions that may expose data.

These capabilities map directly to the Govern outcomes related to roles, responsibilities, oversight, and supplier or third-party access control.

Detect: Change tracking and anomaly detection

Continuous monitoring and early detection help to limit the impact of cyber incidents. Netwrix strengthens the Detect Function by improving visibility into suspicious activity and unexpected changes.

  • Netwrix Auditor provides security analytics to identify security gaps, detect anomalies in user behavior, and investigate threat patterns in time to respond to potential threats.
  • The platform monitors changes to critical systems in real time, including Active Directory modifications, file access patterns, configuration changes, and privileged user activity. It also alerts security teams when it detects unusual activity or deviations from normal behavior.

This supports CSF Detect outcomes related to anomaly detection, monitoring, and adverse event analysis.

Recover: Audit trails and reporting

Recovery is not limited to restoring systems; it requires accountability, forensic evidence, and clear communication. Netwrix supports the Recover Function through rapid recovery, audit support, and reporting capabilities.

  • Netwrix Auditor maintains detailed activity records and change histories that can be used for forensic analysis and incident investigation, giving security teams the evidence they need to understand what happened, who was involved, and how to contain the damage.
  • It also offers automated reporting, alerting, and investigation tools to support compliance with regulatory requirements and help IT teams efficiently address audit requests.
  • Pre-built reports align with requirements from PCI DSS, HIPAA, SOX, GDPR, and NIST standards, making it easier to demonstrate CSF alignment to boards, auditors, and regulators during both Response and Recovery phases.
  • Netwrix Identity Recovery enables organizations to quickly recover Active Directory and Entra ID objects, attributes, and even entire forests to restore operations with minimum downtime.

These capabilities support effective incident management, post-event analysis, recovery communication, and business resilience, which are key outcomes of the Respond and Recover functions in CSF 2.0.

Key takeaways for organizations

Organizations can use CSF 2.0 to strengthen security programs, governance, resilience, and communication around risk. As you consider implementing or upgrading to NIST CSF 2.0, here are some essential points to keep in mind.

  1. Governance is central:
    The new Govern Function formalizes what many organizations have learned through experience: cybersecurity is an enterprise risk that demands leadership accountability and board-level oversight, not just technical controls.
  2. Accessibility improved:
    CSF 2.0 is explicitly designed for organizations of all sizes and sectors. New guidance and implementation resources make the framework more usable for SMBs as well as mature enterprises. You no longer need a large security team to benefit from the framework.
  3. Supply chain focus:
    Third-party and supplier risk management is now woven throughout the framework. This reflects the growing impact of vendor dependencies and reinforces that suppliers must meet cybersecurity expectations.
  4. Practical resources:
    CSF 2.0 comes with implementation examples, quick-start guides, and Community Profiles that give you a running start. These resources translate high-level concepts into actionable steps, making adoption easier.
  5. Global alignment:
    CSF 2.0 comes with improved mapping to frameworks such as ISO/IEC 27001, CIS Controls, and NIST SP 800-171. Organizations can map CSF requirements to compliance obligations rather than running full-fledged compliance programs separately.

Ready to align your security program with NIST CSF 2.0? See how Netwrix helps you identify assets, govern access, detect threats, and demonstrate compliance. Request a demo.
