標準簡介
NIST 網路安全框架(CSF)2.0 是由美國國家標準與技術研究院發佈的自願性指導文件,旨在協助組織管理和降低網路安全風險。2024 年 2 月發佈的 2.0 版本引入了新的「治理」功能,並將框架的適用範圍擴展至所有組織,而不僅限於關鍵基礎設施。
NIST CSF 在全球範圍內被廣泛採用,為網路安全風險管理提供了通用語言,並可對應到 50 多個其他網路安全標準。組織使用該框架評估當前態勢、設定目標成果,並向領導層、監管機構和業務夥伴傳達網路安全優先事項。
New Govern Function
Adds a sixth core function — Govern — emphasizing cybersecurity risk management strategy, organizational context, policies, and oversight at the leadership level.
Universal Applicability
Expanded beyond U.S. critical infrastructure to serve all organizations regardless of size, sector, or geography — including small businesses and international adopters.
Supply Chain Focus
Significantly strengthens supply chain risk management with dedicated subcategories requiring organizations to identify, assess, and manage cybersecurity risks in their supply chains.
list_alt Core Functions (6)
- Govern — strategy, risk management, policies, oversight
- Identify — asset management, risk assessment, improvement
- Protect — access control, awareness, data security
- Detect — continuous monitoring, adverse event analysis
- Respond — incident management, analysis, mitigation
- Recover — recovery planning, communications, improvements
- Community Profiles and Organizational Profiles
- Informative References mapped to 50+ standards
Who Needs to Comply?
Any organization seeking to manage cybersecurity risk — from small businesses to large enterprises, across all sectors. While voluntary, NIST CSF is widely referenced in U.S. federal regulations and increasingly adopted internationally.
Key Requirements
Organizational Profiles
Create Current and Target Profiles describing your organization's cybersecurity posture. Use the gap analysis to prioritize improvements aligned with business objectives and risk tolerance.
Risk Assessment
Identify and evaluate cybersecurity risks to organizational operations, assets, and individuals. Prioritize risks based on likelihood, impact, and risk appetite.
Supply Chain Risk Management
Establish processes to identify, assess, and manage cybersecurity risks throughout the supply chain. Include cybersecurity requirements in supplier agreements and monitor compliance.
Continuous Improvement
Monitor and review cybersecurity practices regularly. Use lessons from incidents, audits, and emerging threats to update the cybersecurity program continuously.
Penalties & Enforcement
No direct legal penalties — NIST CSF is a voluntary framework. However, it is referenced by many regulatory requirements (HIPAA, FISMA, FedRAMP) and failure to align with it may indicate insufficient cybersecurity due diligence in legal proceedings.