The National Institute of Standards and Technology (NIST) has released version 2.0 of its Cybersecurity Framework (CSF), introducing significant updates and enhancements to better guide organizations in managing cybersecurity risks. Originally established in 2014 to secure U.S. critical infrastructure, the framework has evolved to accommodate the dynamic nature of cyber threats. The new version adds a sixth core function, ‘Govern,’ which focuses on establishing cybersecurity strategy, roles, responsibilities, and oversight within organizations. This expansion reflects a broader scope beyond critical infrastructure to include all organizations, regardless of size or sector.
Version 2.0 offers more extensive subcategories within its core functions—Identify, Protect, Detect, Respond, Recover, and now Govern—providing detailed references and resources to assist in achieving cybersecurity objectives. It also introduces enhanced framework tiers, which help organizations assess and improve their cybersecurity posture, ranging from ‘Partial’ to ‘Adaptive,’ reflecting different levels of sophistication and effort required for implementation.
The updated framework places a stronger emphasis on supply chain and third-party risk management, urging organizations to consider cybersecurity risks within their software supply chains and to conduct thorough due diligence before engaging with suppliers or contractors. NIST encourages voluntary adoption of the framework, making it relevant for a wide audience, including cybersecurity planners, risk managers, executives, and policymakers.
Overall, the NIST Cybersecurity Framework 2.0 aims to foster better decision-making, improve security standards, and address emerging threats like phishing and ransomware, ensuring comprehensive protection across various sectors.