
NIST CSF 2.0: What’s New and Why It Matters


    NIST Cybersecurity Framework 2.0

    Every organization today faces complex and constantly changing cybersecurity dynamics. That’s why we need measures and frameworks like NIST CSF 2.0.
    The introduction of NIST Cybersecurity Framework 2.0 (NIST CSF), CIS Controls, and the ISO/IEC 27000 series, which are globally accepted and recognized cybersecurity frameworks, has brought a new dimension to cybersecurity measures. NIST CSF 2.0 is widely used in public and private sectors for its all-encompassing nature, which includes cyber resilience practices and its ability to address various organizational needs.

    What is NIST Cybersecurity Framework 2.0 (NIST CSF)?

    NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization --- big or small, in any sector or maturity --- to understand, assess, prioritize, and communicate their cybersecurity efforts.

    The NIST Cybersecurity Framework (NIST CSF) was first established by the National Institute of Standards and Technology (NIST) in 2014 as a direct response to Executive Order 13636, issued by former President Obama in 2013. The essence of the order was to promote cybersecurity for critical infrastructure. The framework is otherwise known as the "Cybersecurity Framework" or "CSF" and offers a holistic approach to addressing cybersecurity risks.

    A revised version of the NIST CSF, version 1.1, was released in 2018, and on February 26, 2024, the current version, NIST CSF 2.0, was released.

    Cyber attacks are advancing fast, and NIST CSF 2.0, known for its all-inclusive scope, offers a proactive and reactive approach to preventing breaches and addressing incidents. This framework is flexible enough to manage changing threats and has tools for vulnerability management.

    NIST CSF 2.0 is the foundation for many cybersecurity initiatives worldwide. NRI Secure's 2022 Information Security Survey found that at least 35% of US businesses use NIST CSF to assess their security. As the need for good security practices grows, it's a must-have for organizational security.

    Evolution of the NIST Cybersecurity Framework

    What are the Three Components of NIST CSF?

    NIST Cybersecurity Framework (CSF) has three main components: Core, Tier, and Profile.

    • Core: This is a list of security controls and measures.
    • Tier: This is a four-step maturity template that defines the implementation level of security practices.
    • Profile: This is the categorization of an organization's current security posture and desired security state. In other words, it's the comparison of the security posture as it is versus how it wants to be.

    These three components allow businesses to identify and analyze the gaps between their current security approach and their desired goals, so they can prioritize where needed.
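    The Profile comparison described above, as an added example that is not part of the original article: a Current Profile and a Target Profile are expressed as Tier values (1 to 4) per category, and the weighted gaps are ordered for prioritization. The Govern category IDs are the real CSF 2.0 ones named later in this article; the Tier values and criticality weights are constructed sample data.

```python
# Added example (not from the original article): a small NIST CSF 2.0 Profile
# gap analysis. Tier values and criticality weights below are constructed.
from dataclasses import dataclass

# The four Implementation Tiers defined by the framework.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    category: str
    current: int
    target: int
    criticality: int  # assumed 1-3 business-criticality weight (constructed)

    @property
    def size(self) -> int:
        # Only shortfalls matter; exceeding the target is not a gap.
        return max(self.target - self.current, 0)

    @property
    def priority(self) -> int:
        # Larger gaps in more critical categories are addressed first.
        return self.size * self.criticality


def validate_tier(tier: int) -> int:
    if tier not in TIERS:
        raise ValueError(f"tier must be 1-4, got {tier!r}")
    return tier


def gap_analysis(current: dict, target: dict, criticality: dict) -> list:
    """Compare a Current Profile with a Target Profile and return the gaps,
    largest weighted gap first (ties broken by category ID)."""
    gaps = []
    for cat, tgt in target.items():
        # A category that was never assessed is treated as Tier 1 (Partial).
        cur = validate_tier(current.get(cat, 1))
        gap = Gap(cat, cur, validate_tier(tgt), criticality.get(cat, 1))
        if gap.size > 0:
            gaps.append(gap)
    return sorted(gaps, key=lambda g: (-g.priority, g.category))


# Constructed sample profiles using the six Govern (GV) categories.
CURRENT = {"GV.OC": 2, "GV.RM": 2, "GV.RR": 3, "GV.PO": 3, "GV.OV": 1}
TARGET = {"GV.OC": 3, "GV.RM": 4, "GV.RR": 3, "GV.PO": 3, "GV.OV": 3, "GV.SC": 3}
CRITICALITY = {"GV.SC": 3, "GV.RM": 2}  # everything else defaults to weight 1

if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET, CRITICALITY):
        print(f"{g.category}: Tier {g.current} -> Tier {g.target} (priority {g.priority})")
```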

    What are the Four Key Revisions to NIST CSF 2.0?

    Work on the new version began in 2022 with multiple workshops and webinars in which stakeholders actively engaged, followed by a draft version released to gather feedback on the update. The final version of NIST CSF 2.0 was then released on February 26, 2024.

    This section highlights the four major updates included in the NIST CSF 2.0.

    Point 1: Expansion of the Framework’s Scope

    The first versions of the NIST Cybersecurity Framework (CSF), 1.0 and 1.1, were primarily developed to protect vital infrastructure such as power plants and hospitals in the U.S. They were, however, adopted well beyond that scope by other government agencies and private businesses in different sectors and countries.

    NIST CSF 2.0 was designed for this broader application and now caters to the needs of organizations and industries of all sizes. The components of the framework have also been rewritten in generalized, flexible language that is not specific to any one sector, so that a diverse range of users can apply them.

    Furthermore, the name of the framework has also changed, from Framework for Improving Critical Infrastructure Cybersecurity to the more comprehensive Cybersecurity Framework.

    Point 2: Addition of the "Govern (GV)" Function

    The NIST CSF framework was first released over a decade ago, and since that time, the business landscape has undergone several changes. The global adoption of remote work, emerging technologies like AI and quantum computing, and the rapid increase of reliance on supply chain ecosystems have drastically affected the landscape. In the same vein, cyber threats and attacks that target these supply chains have become more common.

    The NIST CSF 2.0 stresses that cybersecurity is now a business risk of the same intensity as financial and reputational risks, so organizations must incorporate extensive measures to address these risks, ensure they are in line with organizational goals, and subject them to continuous improvement.

    Version 2.0 also adds a sixth core function, "Govern (GV)", to the five existing functions:

    • Identify (ID)
    • Protect (PR)
    • Detect (DE)
    • Respond (RS)
    • Recover (RC)

    The figure below shows the core functions in CSF 1.1 and 2.0. The functions are linked and displayed as a wheel, with the new "Govern (GV)" function placed at the centre. The positioning reflects its cross-functional role in prioritization and decision-making.

    NIST CSF 2.0 Framework Components

    The revision also changed the number of components and subcomponents within each function.

    • NIST CSF 1.1: 5 functions, 23 components, 108 subcomponents
    • NIST CSF 2.0: 6 functions, 22 components, 106 subcomponents

    While the "Govern (GV)" function is the newest addition, its components and subcomponents are not new. They were simply reallocated from the "Identify (ID)" function. They include

    Point 3: Expanded Online Resources to Support Framework Utilization

    The NIST CSF 2.0 is also characterized by a large range of online materials that help businesses of all sizes implement the cybersecurity measures highlighted in the framework. They include:

    • Implementation Examples: These describe excellent approaches to implementing particular subcomponents. They are written as explanatory practices to help users understand each outcome better.

    • Informative references: This includes materials that contain guidelines and regulations that help with achieving specific outcomes. There is an updated version that offers a wide range of resources, and some are CRI Profile v2.0, CIS Controls v8, SP800-221A, and SP800-218.

    • Quick-Start Guides: These are first-step guides for businesses looking to implement the framework, including versions tailored to specific needs, such as small businesses. Topics include designing profiles and managing supply chain risks.

    To ensure accessibility and frequent updates, resources such as Implementation Examples, Informative References, and Quick-Start Guides are maintained online on the NIST website. Organizations are encouraged to refer to the official NIST page for the latest information.

    Point 4: Strengthening Supply Chain Risk Management

    In recent years, emerging technologies and globalization have transformed the business environment. Now, businesses can no longer depend on themselves but rather collaborate with other businesses and partners for smooth operations. As a result of the reliance on supply chains, more risks have emerged.

    NIST CSF version 1.1, in 2018, introduced a new component, ID.SC (Supply Chain Risk Management), to confront these challenges, but supply chain attacks have nonetheless continued to increase worldwide.

    The current version 2.0 has, however, expanded on addressing these problems with subcategories that focus on crucial measures for robust supply chain risk management.

    The New Functionality in NIST CSF 2.0: GV (Governance)

    The new GV function emphasizes governance practices that address cybersecurity risks as a fundamental aspect of an organization's general business risk. These practices affect decision making across all other functions (Identify, Protect, Detect, Respond, Recover). There are six components under the Governance (GV) function, and they are:


    GV.OC (Organizational Context)

    A top-down approach is necessary to mitigate cybersecurity risks. Addressing these risks and driving improvements through an efficient risk management strategy is pivotal for overall business growth.

    Here, risk management begins with an in-depth understanding of the business's mission and vision, clarity about the services the organization provides, management of the expectations of the stakeholders involved, and compliance with the relevant laws and standards.

    GV.RM (Risk Management Strategy)

    The cost of cybersecurity risks is often significant for affected organizations. They risk reputational damage, revenue loss, operational downtime, increased cost of operations, legal battles, and much more.

    This category focuses on the need to develop an all-inclusive risk management plan that covers all aspects of supply chains. Doing this effectively is pivotal for building organizational resilience and achieving strategic goals.

    The NIST CSF 2.0 also introduced the positive risk concept (GV.RM-7), which covers opportunities that can facilitate the growth of the company. These opportunities include increased revenue, mutual trust, and efficient operations.

    For instance, rather than viewing technological advancements like AI only as a risk that could increase data breaches, an organization can also use them to grow and promote business operations.

    GV.RR (Roles, Responsibilities, and Authorities)

    This category stresses the advantage of identifying and delineating the roles and responsibilities of officials in relation to cybersecurity measures within a company. When individuals are aware of and understand the roles and responsibilities expected of them, organizations further strengthen their defence systems and promote a solid security culture.

    For better development, the presence of a Chief Information Security Officer (CISO) is essential in fostering a strong security culture. There should be a strong security consciousness among the employees in different departments, executive management, and supply chain partners.

    GV.PO (Policy)

    Here, there should be a strong focus on defining and documenting an organization's security risk management policies, and on communicating those policies externally when the need arises.

    These policies should also be regularly reviewed and updated to ensure that they are current, meet regulatory requirements, and remain effective.

    GV.OV (Oversight)

    This category focuses on a new control added to the NIST CSF 2.0 that emphasizes regular review of cybersecurity risk management efforts and their results. By assessing these results, organizations can develop a well-tailored implementation plan for future risk management processes.

    GV.SC (Cybersecurity Supply Chain Risk Management)

    One of the significant updates in CSF 2.0 is the focus on understanding and addressing security risks across the entire supply chain. This category highlights the importance of treating supply chain risks as integral to organizational risk management.

    The controls within this category guide organizations in establishing processes to ensure that critical third parties, upon which they depend, consistently maintain appropriate cybersecurity standards. It is the most detailed category, comprising 10 subcategories, more than any other in the framework.

    Notable additions include identifying and prioritizing third parties based on their criticality (GV.SC-4) and performing pre-contract evaluations and due diligence on cybersecurity measures (GV.SC-6). These represent new controls that were not part of CSF 1.1.

    Achieving Security Assessments Aligned with the NIST CSF Framework

    Despite the features and importance of the NIST CSF 2.0, it is important to note that no single cybersecurity framework can be applied to all businesses. Organizations have different missions and business goals, as well as varying risk tolerance levels, so every organization requires a customized approach to addressing its unique threats.

    Globally used frameworks differ in their specifications and in the threats they address; therefore, finding the framework that fits each organization is what makes risk and threat management effective.

    What Is SecureSketCH?

    SecureSketCH is a web-based platform developed by NRI Secure that visualizes an organization's cybersecurity posture as a score out of 1,000 points and a deviation score, both generated from responses to 75 security-related questions.

    SecureSketCH uses local and internationally recognized frameworks such as NIST CSF, NIST SP800-171, ISO/IEC 27001/2 and Japan's Cybersecurity Management Guidelines in its operations. These frameworks form the baseline of the 75 questions.

    SecureSketCH's Guideline Check Function enables businesses to identify and assess the effectiveness of their security measures and whether they align with multiple frameworks. The platform also helps to reduce operational efforts and offers in-depth insights for informed decision-making.


    Key Takeaways

    The NIST Cybersecurity Framework (CSF) is a world-acclaimed standard that guides the management of cybersecurity risks. Its current version, 2.0, supports comprehensive organizational risk management. The framework has also introduced a new Governance (GV) function that prioritizes the involvement of executive-level leadership.

    Furthermore, the framework has been revised to address today's constantly evolving threat landscape and to include ways to manage supply chain risk. These modifications will further help companies mitigate risks more effectively and increase their resilience against cyberattacks.

    FAQs

    What is the NIST CSF 2.0 standard?

    The NIST CSF 2.0 is designed around six standard, structured core functions that encapsulate the necessary steps for managing threats and attacks. They are: Identify, Protect, Detect, Respond, Recover, and the newest function, Govern.

    Who needs the NIST CSF 2.0?

    The NIST CSF is for everyone: small, medium, or large businesses in any industry or security practice. It is well suited to anyone looking to improve their security.

    How many versions does the NIST CSF have?

    The NIST CSF has had three versions since its inception: 1.0 was released in 2014, 1.1 in 2018, and 2.0 in 2024.

    Why was the NIST CSF updated to version 2.0?

    The update addresses significant changes in the cybersecurity landscape, including increased reliance on supply chains, emerging technologies like artificial intelligence, and the global shift to remote work environments.

    What is the significance of the new "Govern" function in CSF 2.0?

    The Govern function is central to CSF 2.0, emphasizing that cybersecurity is an enterprise-wide risk. It ensures strategic alignment, oversight, and decision-making by senior leadership.

    How does CSF 2.0 address supply chain risk management?

    CSF 2.0 significantly strengthens guidance on supply chain risk management. It provides clear categories and subcategories within the Govern function to help organizations manage third party risks effectively.

    What are the key benefits of implementing NIST CSF 2.0?

    Key benefits include clearer communication of cyber risks to leadership, driving continuous security improvement, more efficient resource allocation, and better decision-making for managing organizational risk.

    Is NIST CSF 2.0 a mandatory standard for organizations?

    No, the NIST Cybersecurity Framework 2.0 is a voluntary framework. However, it is widely adopted globally as a best practice for managing and reducing cybersecurity risks across various industries.

    What role do Profiles play in NIST CSF 2.0?

    Profiles are crucial for tailoring the framework. They enable organizations to compare their current cybersecurity posture against a target posture, helping prioritize actions based on unique business needs.

    Does NIST CSF 2.0 provide guidance for small and medium-sized businesses?

    Absolutely. CSF 2.0 includes specific guidance and enhanced resources tailored to help small and medium-sized businesses effectively manage their cybersecurity risks with practical, scalable advice.