Overview of the Standard
The NIST Cybersecurity Framework (CSF) version 2.0 is a cybersecurity risk management framework published by the U.S. National Institute of Standards and Technology (NIST) in February 2024. The framework was first released in 2014 and was aimed primarily at critical infrastructure; version 2.0 broadens its scope to organizations of all sizes and types. CSF 2.0 is built around six core functions: Govern (new), Identify, Protect, Detect, Respond, and Recover. Together they give organizations a common language and a systematic method for understanding, assessing, prioritizing, and communicating their cybersecurity efforts.
The most significant change in CSF 2.0 is the new Govern function, which elevates cybersecurity to a strategic concern for the organization and emphasizes senior leadership involvement and accountability. The framework introduces the concepts of Organizational Profiles and Tiers to help organizations assess their current cybersecurity state and set a target state. NIST also provides extensive online reference resources and quick-start guides, lowering the barrier to adoption for small and medium-sized enterprises. Although the CSF is a voluntary framework rather than a mandatory regulation, it has been widely adopted as industry best practice, and many regulators and government contracts use it as a compliance reference baseline.
New Govern Function
Adds a sixth core function — Govern — emphasizing cybersecurity risk management strategy, organizational context, policies, and oversight at the leadership level.
Universal Applicability
Expanded beyond U.S. critical infrastructure to serve all organizations regardless of size, sector, or geography — including small businesses and international adopters.
Supply Chain Focus
Significantly strengthens supply chain risk management with dedicated subcategories requiring organizations to identify, assess, and manage cybersecurity risks in their supply chains.
Core Functions (6)
- Govern — strategy, risk management, policies, oversight
- Identify — asset management, risk assessment, improvement
- Protect — access control, awareness, data security
- Detect — continuous monitoring, adverse event analysis
- Respond — incident management, analysis, mitigation
- Recover — recovery planning, communications, improvements
Additional Elements
- Community Profiles and Organizational Profiles
- Informative References mapped to 50+ standards
Who Needs to Comply?
Any organization seeking to manage cybersecurity risk — from small businesses to large enterprises, across all sectors. While voluntary, NIST CSF is widely referenced in U.S. federal regulations and increasingly adopted internationally.
Key Requirements
Organizational Profiles
Create Current and Target Profiles describing your organization's cybersecurity posture. Use the gap analysis to prioritize improvements aligned with business objectives and risk tolerance.
Risk Assessment
Identify and evaluate cybersecurity risks to organizational operations, assets, and individuals. Prioritize risks based on likelihood, impact, and risk appetite.
Supply Chain Risk Management
Establish processes to identify, assess, and manage cybersecurity risks throughout the supply chain. Include cybersecurity requirements in supplier agreements and monitor compliance.
Continuous Improvement
Monitor and review cybersecurity practices regularly. Use lessons from incidents, audits, and emerging threats to update the cybersecurity program continuously.
Penalties & Enforcement
No direct legal penalties — NIST CSF is a voluntary framework. However, it is referenced by many regulatory requirements (HIPAA, FISMA, FedRAMP) and failure to align with it may indicate insufficient cybersecurity due diligence in legal proceedings.