Key Takeaways

1. The NIST 2.0 framework’s major update includes making the framework more accessible to service organizations.

2. NIST CSF 2.0 was officially released on February 26, 2024.

3. I.S. Partners specializes in conducting cybersecurity framework audits to help organizations comply. Our team of experts is up to date when it comes to the most critical frameworks, including NIST CSF 2.0.

NIST 2.0: What Is It and When Will It Be Released?

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) version 2.0 is the updated version of NIST’s cybersecurity framework. This update adds a new focus on cybersecurity governance, improves usability, and addresses the main modern cybersecurity threats. 

NIST CSF 2.0 was released on February 26, 2024. Originally, the NIST CSF was designed to enhance cybersecurity in the critical infrastructure sector, and its official title was “Framework for Improving Critical Infrastructure Cybersecurity.”

However, the CSF’s guidance proved very effective, and companies across all industry verticals adopted it and used it to inform other standards. Recognizing this, NIST designed CSF 2.0 to be more broadly accessible and to provide updated cybersecurity guidance that addresses modern security threats.

Major Changes in NIST CSF 2.0

The 2024 NIST CSF update was designed to modernize the framework and make it more accessible to its users. One cosmetic change was officially renaming it to the NIST Cybersecurity Framework (CSF) to reflect its use by more than just critical infrastructure.

Along with this rebranding, the NIST CSF 2.0 changes incorporated several major updates, including:

  • The New Govern Function. The original version of the NIST CSF included five core functions. The updated version adds a new “Govern” function, highlighting the importance of governance and strategic planning in a corporate cybersecurity and compliance program.
  • Implementation Guidance. Often, organizations struggle to translate the high-level requirements of standards and regulations into functional, real-world implementations. NIST CSF 2.0 incorporates implementation examples and quick-start guides designed to ease the process of implementing particular cybersecurity practices of the framework or the standard as a whole.
  • Updated Focus Areas. The original NIST CSF is over a decade old and lacks guidance for managing modern threats and potentially adverse events, such as supply chain attacks, artificial intelligence, remote work, and cloud computing. The new version of the framework provides explicit, forward-thinking guidance on how to manage cybersecurity risks in a modern landscape.
  • Metrics for Success. Achieving full compliance with a regulation or standard is often a process, and measuring an organization’s current cybersecurity maturity level can be difficult. The new CSF includes clear metrics designed to make it easy for companies to measure their current level of compliance with the standard’s requirements. These metrics can be incorporated as an integral part of a cybersecurity strategy.
  • Relationship Mapping. The NIST CSF is inspired by standards such as ISO/IEC 27001 and has overlapping requirements with many other regulations. The new CSF includes additional mappings and clearer references to other cybersecurity standards.
  • Additional Resources. The NIST CSF is a cybersecurity framework supported by a collection of online resources; however, these resources were frequently outdated and difficult to use. During the CSF update process, NIST worked to improve these resources and created a NIST CSF 2.0 Reference Tool to improve usability.

Although there have been major changes, the NIST CSF is still a comprehensive framework that helps companies manage cybersecurity risk and reduce supply chain risk. The changes described above were made to help organizations adapt to more modern cybersecurity risks, operational technology, and more advanced management of security practices.


Should Companies Expect Regular Updates to the NIST CSF?

This update to the NIST CSF is the first in a decade and was the result of an extensive process where NIST requested, reviewed, and implemented public feedback. The scale of this undertaking makes it unlikely that the NIST CSF will receive regular, formal updates.

That said, part of the update process was to update and expand the resources used to support the core NIST CSF. These resources may receive more frequent updates, enabling the standard to provide relevant, up-to-date information without frequent overhauls.

How Does the NIST CSF 2.0 Align With International Cybersecurity Guidelines?

Various international cybersecurity frameworks inspired the NIST CSF 2.0, and the NIST webpage offers a searchable catalog of mappings between various NIST documents and external standards.

While the majority of the existing mappings are between NIST CSF 2.0 and other NIST documents, the catalog does include one for the Center for Internet Security (CIS) Critical Security Controls, and mappings to other cybersecurity programs will likely be added over time.

Should You Pursue NIST CSF 2.0 Compliance?

The NIST CSF is a voluntary cybersecurity standard. Therefore, an update doesn’t mean that organizations must scramble to update their compliance programs before some implementation deadline.

However, the NIST CSF is a well-regarded standard that provides useful advice for managing cybersecurity risk. While not required, organizations can benefit significantly from implementing its recommendations, especially since the new standard is designed to make this easier than ever.

The areas where NIST made a special effort to create or update its guidance deserve special attention. Creating a new core function for cybersecurity risk governance is a big deal and highlights the importance of strategic security planning at the highest levels. Many of the cyber threats that NIST specifically focused on — cloud computing, AI, supply chain, etc. — are also among the areas that companies are struggling the most to manage.

What to Do if You’ve Already Implemented NIST CSF?

If an organization has already implemented version 1 of the NIST CSF, then an effort to implement the new version should begin with a gap analysis. The framework’s new version includes high-level changes — such as the new “Govern” function — and updates to the recommended security controls. Achieving compliance with the new standard requires identifying and implementing any missing security controls and processes.

That said, the update process will likely not be as onerous as it might seem on the surface. For example, the introduction of a new “Govern” function might make it look like an organization will need to make extensive changes to its security program to be compliant.

However, a security program that is mature enough to be compliant with the voluntary NIST CSF 1.0 likely already has governance functions in place. Complying with the new version will most likely involve mapping and modifying existing processes to fit the new framework and filling any gaps that remain.

Operationalize NIST CSF 2.0 in Your Company With I.S. Partners

A strong foundation is essential to an effective and scalable cybersecurity and compliance program. As a comprehensive security framework with references to other standards and regulations, NIST CSF 2.0 provides a roadmap to doing just that.

A phased rollout provides a manageable and scalable approach for organizations looking to achieve NIST CSF compliance for the first time. I.S. Partners has deep expertise in implementing and assessing compliance with NIST standards.

Allow our expert CPAs to guide you through the new NIST CSF 2.0 compliance journey and make the process easier for you. Our team comprehensively evaluates your cybersecurity posture and creates detailed reports to help you fill in gaps. Create a supply chain risk management strategy and stronger security policies with I.S. Partners’ help.

For support with your NIST CSF 2.0 implementation journey, contact us.
