Cybersecurity Framework 2.0

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) has released the final version of the Cybersecurity Framework (CSF) 2.0, a new version of a tool it first released in 2014 to help organizations understand, reduce and communicate cybersecurity risk. 


Cybersecurity Framework 2.0

Watch video

Executive summary

The NIST has published the final version of its Cybersecurity Framework (CSF) 2.0, which provides guidance to industry, government agencies, and other organizations on how to manage cybersecurity risks. It provides a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or maturity, to better understand, assess, prioritize, and communicate its cybersecurity efforts.

CSF 2.0 contains new features that highlight the importance of governance and supply chains. It has three components: the CSF Core, the Organizational Profiles, and the Tiers. In addition, a set of online resources have been developed and will be regularly updated to help organizations use the CSF 2.0.

Main content

  • The CSF 2.0 has three components: the CSF Core, the Organizational Profiles, and the Tiers. The CSF Core is a taxonomy of activities and outcomes related to cybersecurity risk management, organized by function. New to the previous framework, governance has been added to the current list of functions, which also includes: identify, protect, detect, respond, and recover. The Organizational Profiles describe the organization’s current and the target cybersecurity posture in terms of the CSF Core results. The Tiers can be applied to the Organizational Profiles to characterize the rigor of the organization’s cybersecurity governance and risk management practices.
  • The paper also discusses how the CSF 2.0 can be used to improve cybersecurity risk integration into the organization’s management processes. For example, the framework can be used as a tool to prioritize cybersecurity risk management actions, can be useful to better communicate expectations and plans and/or can be integrated into the organization’s specific cybersecurity risk management and assessment programs.
  • The new framework also includes online resources to help organizations understand, adopt, and use CSF 2.0. These resources include normative references, profile templates and Quick Start Guides (QSGs).

Download the technical note on the Cybersecurity Framework 2.0.