Demystifying NIST CSF 2.0: What's New and Why it Matters

5 min read


In 2014, NIST released the Cybersecurity Framework (CSF) to set a standard for organizations to understand, manage, and reduce cybersecurity risk. Created through collaboration between the US government and private sector, the CSF provides a series of flexible cybersecurity guidelines that can be tailored to each organization’s unique needs. It has been downloaded more than two million times across 185+ countries, and translated into at least nine languages.

Since it was last updated in 2018, a lot has changed in the world. We’ve witnessed a pandemic-fueled surge in digital transformation, the coming of age of AI, the rise of the metaverse, and datafication – all of which have amplified cybersecurity risks. Last year, global cyber-attacks increased by 38%. Ransomware alone hit 66% of organizations, compared to 37% in 2021. 

In response, regulators have issued a slew of cybersecurity mandates – be it the SEC’s rules on cybersecurity risk management, or the EU’s proposed Cyber Resilience Act or the upcoming EU Digital Operational Resilience Act and not to mention the various cybersecurity related legislations in over 150 countries worldwide

All these events and changes perhaps nudged NIST to revisit, refresh and update the CSF. Which is exactly what NIST has done. In August 2023, the agency announced its biggest reforms yet to the CSF with the release of a draft of the CSF 2.0. The new framework is expected to address both current and future cybersecurity challenges, while also making it easier for organizations to put the CSF into practice.

What’s New in the CSF 2.0?

The NIST Cybersecurity Framework 2.0 provides guidance to industry, government agencies, and other organizations to reduce cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. Over the past year, NIST has conducted workshops with thousands of stakeholders across countries to develop and refine the CSF 2.0. The final version is expected to be published in early 2024. 

Here’s what has changed in the framework:

  • Expanded scope: While the original CSF was intended for critical infrastructure industries in the US, the new draft is designed for organizations of all types and sizes – from schools and small businesses, to non-profits and governments – around the world.
  • A new function- ‘Govern’: The earlier CSF listed five cybersecurity Functions - Identify, Protect, Detect, Respond, and Recover. Now in version 2.0, a sixth one has been added – Govern. It recognizes that cyber risk isn’t just an IT issue, but a major enterprise risk that should be as important to the leadership team’s consideration as financial risks. ‘Govern’ is all about establishing and monitoring cybersecurity strategy and policy – setting up risk objectives, determining risk appetites and tolerances, identifying roles and responsibilities for risk management, and fostering a risk-aware culture.
  • Increased guidance: In response to stakeholders asking for more practical guidance on how to apply the CSF, NIST has introduced a new section called Implementation Examples. It provides concise, actionable steps that organizations can take to achieve the CSF’s cybersecurity outcomes. For instance, under the sub-category PR.AA-06, which talks about managing access to physical assets, the CSF suggests using security guards, security cameras, locked entrances, alarm systems, and other physical controls to monitor facilities and restrict access.
  • Templates for framework profiles: One of the main components of the CSF is the Framework Profile which helps organizations describe their current (existing) and target (desired) cybersecurity posture based on the CSF outcomes. Given the complexity of many organizations, they may choose to have multiple, purpose-specific profiles, aligned with particular components and recognizing their individual needs. To simplify the creation and use of these Profiles, the CSF 2.0 includes new guidelines and templates that can be customized to an organization’s specific needs. An organization can use Framework Profiles to delineate cybersecurity standards and practices to incorporate into contracts with suppliers and provide a common language to communicate those requirements to suppliers. Profiles can also be used by suppliers to express their cybersecurity posture and related standards and practices. 
  • Emphasis on supply chain risk management: In the wake of third-party cyberattacks like the SolarWinds hack, the NIST CSF 2.0 has expanded its focus on supply chain cybersecurity. The Govern Function has a separate Category on establishing, managing, and monitoring processes for supply chain cybersecurity risk management. Even the other five Functions contain cybersecurity requirements that can be incorporated into supplier contracts. Framework Profiles can also be used to evaluate and monitor a supplier’s cybersecurity state. 
  • Additional guidance on cybersecurity measurement: To help organizations measure how their cybersecurity posture has improved with the CSF, the new framework provides a range of updates on cybersecurity assessments. The Framework offers an opportunity to explore or adjust methodologies for measurement and assessment. It also links to SP 800-55, Performance Measurement Guide for Information Security.
  • Focus on continuous improvement: Across the CSF 2.0, NIST emphasizes the importance of continuously improving cybersecurity risk management. For example, the Identify Function has a new Category called ‘Improvement’ (ID.IM) which talks about using continuous evaluations, security tests, and exercises to determine areas for improvement.
  • Alignment with other frameworks: Along with CSF 2.0, NIST has launched a Reference Tool that will make it easier for users to explore the relationships between various framework components, including Functions, Categories, Subcategories, and Controls. Eventually, the tool will include Informative References that show how the CSF is connected to other cybersecurity frameworks, standards, guidelines, and resources.

Simplify NIST CSF 2.0 Compliance with MetricStream

For years, organizations across industries have been using MetricStream’s CyberGRC suite of solutions to simplify compliance with the NIST CSF, as well as multiple other cybersecurity standards and regulations. With MetricStream, you can proactively identify, assess, and mitigate cybersecurity risks to achieve the outcomes of NIST CSF.               
CyberGRC enables you to:

  • Streamline and automate IT risk identification, assessment, and monitoring 
  • Gain a real-time view of your organization’s biggest cyber risks 
  • Improve NIST CSF compliance by mapping the framework to your processes, risks, controls, policies, and other compliance requirements in a single source of truth 
  • Harmonize controls to enable a ‘test once, comply with many’ approach 
  • Use pre-defined templates and schedules to simplify IT compliance surveys, certifications, and control self-assessments 
  • Intelligently manage and resolve cybersecurity compliance and control issues using AI/ML

Want to know more about how MetricStream can help you strengthen NIST compliance? 

Request a demo.

Agnishwar Banerjee

Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.