verified_user
Standardful
Homechevron_rightStandardschevron_rightNIST CSF 2.0
ActiveInternational Standardupdate Standard Updated: Feb 2024fact_check Fact checked: Jun 28, 2026

NIST CSF 2.0

Cybersecurity Framework 2.0 — Framework for Improving Critical Infrastructure Cybersecurity

apartmentPublishing Organization:National Institute of Standards and Technology (NIST)

Standard Introduction

The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary guidance document published by the U.S. National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risk. Released in February 2024, version 2.0 introduces a new Govern function and expands the framework's applicability to all organizations, not just critical infrastructure.

Widely adopted across the globe, the NIST CSF provides a common language for cybersecurity risk management and maps to over 50 other cybersecurity standards. Organizations use it to assess their current posture, set target outcomes, and communicate cybersecurity priorities to leadership, regulators, and business partners.

governance

New Govern Function

Adds a sixth core function — Govern — emphasizing cybersecurity risk management strategy, organizational context, policies, and oversight at the leadership level.

public

Universal Applicability

Expanded beyond U.S. critical infrastructure to serve all organizations regardless of size, sector, or geography — including small businesses and international adopters.

link

Supply Chain Focus

Significantly strengthens supply chain risk management with dedicated subcategories requiring organizations to identify, assess, and manage cybersecurity risks in their supply chains.

list_alt Core Functions (6)

  • Govern — strategy, risk management, policies, oversight
  • Identify — asset management, risk assessment, improvement
  • Protect — access control, awareness, data security
  • Detect — continuous monitoring, adverse event analysis
  • Respond — incident management, analysis, mitigation
  • Recover — recovery planning, communications, improvements
  • Community Profiles and Organizational Profiles
  • Informative References mapped to 50+ standards

Who Needs to Comply?

groups

Any organization seeking to manage cybersecurity risk — from small businesses to large enterprises, across all sectors. While voluntary, NIST CSF is widely referenced in U.S. federal regulations and increasingly adopted internationally.

Key Requirements

1

Organizational Profiles

Create Current and Target Profiles describing your organization's cybersecurity posture. Use the gap analysis to prioritize improvements aligned with business objectives and risk tolerance.

2

Risk Assessment

Identify and evaluate cybersecurity risks to organizational operations, assets, and individuals. Prioritize risks based on likelihood, impact, and risk appetite.

3

Supply Chain Risk Management

Establish processes to identify, assess, and manage cybersecurity risks throughout the supply chain. Include cybersecurity requirements in supplier agreements and monitor compliance.

4

Continuous Improvement

Monitor and review cybersecurity practices regularly. Use lessons from incidents, audits, and emerging threats to update the cybersecurity program continuously.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare & define governance

Name an executive sponsor, define cybersecurity risk appetite, and agree how the Govern function will be owned across security, IT, legal, procurement, and business leaders. Confirm the business context, critical services, regulatory drivers, and third-party dependencies that the CSF profile must cover.

2
Phase 2schedule Duration: 4-6 weeks

Build current and target profiles

Map existing practices to the CSF 2.0 Core across Govern, Identify, Protect, Detect, Respond, and Recover. Create a Current Profile, define a Target Profile aligned to risk tolerance, and rank gaps by business impact, control maturity, and dependency on suppliers.

3
Phase 3schedule Duration: 8-16 weeks

Implement prioritized improvements

Turn profile gaps into funded work packages: asset inventory, identity controls, vulnerability management, monitoring, incident response, recovery planning, and supply-chain risk management. Map each improvement to existing standards such as ISO 27001, SOC 2, NIST SP 800-53, or FedRAMP so evidence can be reused.

4
Phase 4schedule Duration: Ongoing

Measure, audit & maintain profiles

Review profile progress with leadership, update risk decisions after incidents or material business changes, and refresh supplier and control evidence on a defined cadence. Use metrics and lessons learned to keep the Target Profile realistic and to show continuous improvement.

Compliance Checklist

0 / 12

checklist Governance & profile setup

checklist Core cybersecurity outcomes

checklist Supply chain & improvement

NIST CSF vs NIST SP 800-53 vs ISO 27001

These frameworks overlap, but they serve different levels of cybersecurity governance and assurance.

AspectNIST CSF 2.0NIST SP 800-53ISO 27001
Primary purposeCybersecurity outcomes and risk communicationDetailed security and privacy control catalogCertifiable information security management system
Best fitBoard reporting, program planning, and gap prioritizationControl baselines for federal, regulated, and high-assurance systemsThird-party certification and management-system discipline
Assurance modelNo official certificationAssessed through programs such as FedRAMP or FISMACertification by accredited auditors
Implementation styleProfile-driven and flexibleControl selection, tailoring, implementation, and assessmentRisk assessment, controls, internal audit, and management review

Common Misconceptions

cancel
Myth

NIST CSF compliance means every subcategory must be fully implemented.

check_circle
Reality

CSF is risk-based. Organizations define target outcomes based on context, risk appetite, and resources, then justify priorities through profiles.

cancel
Myth

CSF replaces ISO 27001, SOC 2, or FedRAMP.

check_circle
Reality

CSF helps organize cybersecurity outcomes, but it does not replace auditable or mandatory assurance frameworks. It often works as the governance layer above them.

cancel
Myth

The Protect function is the main goal.

check_circle
Reality

Effective CSF adoption balances all six functions, including governance, detection, response, and recovery.

Penalties & Enforcement

warning

No direct legal penalties — NIST CSF is a voluntary framework. However, it is referenced by many regulatory requirements (HIPAA, FISMA, FedRAMP) and failure to align with it may indicate insufficient cybersecurity due diligence in legal proceedings.

Frequently Asked Questions

Is NIST CSF 2.0 mandatory?

expand_more

No. NIST CSF 2.0 is a voluntary cybersecurity risk-management framework, not a certification scheme or statute. It is still widely used because regulators, customers, boards, and insurers recognize it as a practical way to organize cybersecurity outcomes and due diligence.

What changed in CSF 2.0?

expand_more

CSF 2.0 adds Govern as a sixth core function and makes the framework explicitly applicable to organizations of all sizes, sectors, and geographies, not only U.S. critical infrastructure. It also places stronger emphasis on supply-chain risk, organizational profiles, and implementation examples.

How do Current and Target Profiles work?

expand_more

A Current Profile records how your organization currently achieves CSF outcomes. A Target Profile defines the outcomes you need based on mission, risks, and risk appetite. The gap between them becomes a prioritized improvement plan rather than a generic checklist.

Can we get certified to NIST CSF?

expand_more

NIST does not operate an official CSF certification program. Consultants may offer assessments or maturity ratings, but those are private services. If a customer needs formal third-party assurance, organizations usually pair CSF mapping with ISO 27001, SOC 2, FedRAMP, or another auditable framework.

How does CSF relate to NIST SP 800-53?

expand_more

CSF describes cybersecurity outcomes in business-friendly language, while NIST SP 800-53 provides a detailed catalog of security and privacy controls. Many organizations use CSF for governance and communication, then map outcomes to SP 800-53 or other controls for implementation evidence.

Is CSF only for large enterprises?

expand_more

No. CSF 2.0 was designed for broad adoption, including small and medium organizations. Smaller teams can start with a lightweight profile, focus on critical services and the most material risks, and expand measurement as the program matures.

How often should we update a CSF profile?

expand_more

Profiles should be reviewed at least annually and whenever major changes occur, such as a new product, acquisition, cloud migration, significant incident, or major supplier change. High-risk environments often review progress quarterly as part of risk governance.

What evidence shows CSF alignment?

expand_more

Useful evidence includes approved profiles, risk registers, asset and supplier inventories, policies, control test results, incident and recovery exercises, remediation tracking, and executive reporting. The best evidence links CSF outcomes to actual operating controls rather than to policy statements alone.

Official Documentation

View All

Implementation Timeline

gavel
Feb 2013
Executive Order 13636 directs NIST to develop framework
new_releases
Feb 2014
NIST CSF 1.0 published
update
Apr 2018
NIST CSF 1.1 released with updates
drafts
Jan 2023
CSF 2.0 Concept Paper published for comment
check_circle
Feb 2024
NIST CSF 2.0 officially released
build
2024-2025
Quick Start Guides and reference tools published

Related Categories