Written by: Gizem Toprak
Additional Contributors: Müzeyyen Gökçen Tapkan

What is NIST CSF 2.0?

NIST CSF 2.0 refers to the second proposed version of the NIST Cybersecurity Framework (CSF). It is a set of guidelines designed to help organizations improve their cybersecurity practices and manage cybersecurity risks in a consistent and comprehensive manner. 

What is specific about NIST CSF 2.0 Version?

This release aims to update and enhance the original set of guidelines to address evolving cybersecurity issues and incorporate feedback from the framework’s users and stakeholders. More importantly the version includes several changes to address growing challenges related to third parties and cybersecurity supply chain risk management (C-SCRM).

It allows a searchable catalog of informative references that allows users to cross-reference the framework’s guidance with more than 50 other cybersecurity documents. And NIST CSF 2.0 Reference Tool now simplifies the way organizations can implement the CSF, allowing users to browse, search and export data and details from the CSF’s core guidance in human-consumable and machine-readable formats.

What has changed in NIST CSF 2.0?

  • The addition of a sixth Function to the original five it set out for an effective cybersecurity program: Govern. A new core function that addresses cybersecurity risk management strategy, expectations, and policies. It is moved to the Manage section. It increases the importance of governance by aligning cybersecurity with overall enterprise risk.
  • Expanded Application & Wider Relevance can be applied to a wider range of organizations, such as small businesses and academic institutions. This is accomplished by eliminating CI-specific terminology and making the framework more universally applicable.
  • Supply Chain Risk Management Enhancement: This addition addresses the increasing reliance on third parties for operational needs and the cyber threats that can arise from supply chain.
  • The updated Protect Function highlights the critical need for resilient technological infrastructure.
  • Enhanced Emphasis on Incident Forensics and Learning now highlights the importance of forensic medicine in incident response and management by introducing new categories within Response and Rescue Functions.
  • Improved Guidance on Evaluation and Metrics: It contains additional recommendations for measurement and evaluation that provide a standardized taxonomy and vocabulary for expressing the results of an organization’s evaluation efforts, regardless of the specific risk management approach used.
  • Enhanced Harmonization with Other Frameworks including NIST and external security frameworks. This advanced integration facilitates smoother implementation of security measures and more efficient deployment of cybersecurity resources.
  • Global Cooperation Enhancement focuses on strengthening international partnerships and encouraging countries globally to fully or partially adopt the framework.

What are the core differences between NIST CSF 1.0 and NIST CSF 2.0?

  • The new category “Govern”focused on cybersecurity supply chain risk management.
  • The Govern function intends to cover organizational context; risk management strategy; cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and oversight.
  • The title was originally called “Framework for Improving Critical Infrastructure Cybersecurity,” but it has now been changed to the more widely recognized name, “Cybersecurity Framework.”
  • The scope of the Framework has been expanded to include all organizations, more than original focus on critical infrastructure.
  • Tiers clarified to focus on cybersecurity governance, risk management, andthird-party considerations.

Why is NIST updating the Cybersecurity Framework?

NIST Cybersecurity Framework (CSF), is commonly used by public and private organizations of all sectors and sizes worldwide. Increasing cybersecurity risks, technology, threat and policy trends, gives rise to further development and evolvement of the standard. Lessons must be learned and best practices will be established as common practice.

Why does NIST CSF 2.0 matter for your organization?

  • It ensures that cybersecurity strategies are integrated at the highest levels of an organization, emphasizing governance.
  • With clear guidance on managing supply chain risks, organizations can better protect their networks and data against vulnerabilities introduced through third-party vendors.
  • Addressing the unique challenges posed by IoT, AI, and other emerging technologies, CSF 2.0 helps organizations adapt to and secure these innovations, ensuring they can leverage new tools without compromising on security.
  • With increased customization options, CSF 2.0 can be adapted to fit the specific needs and risk profiles of diverse organizations, making it more broadly applicable across industries and sizes.
  • Improved alignment with other frameworks and standards ensures that organizations can seamlessly integrate CSF 2.0 into their existing compliance and security efforts, simplifying processes and enhancing overall security measures.

Who needs NIST CSF 2.0?

The NIST Cybersecurity Framework is aimed at helping organizations, particularly those in critical infrastructure, to manage cybersecurity risks effectively. Recommended by the U.S. Commerce Department for all organizations, it is designed to identify and mitigate cybersecurity vulnerabilities. While it primarily targets federal agencies and their partners, the framework is broadly applicable and beneficial to any organization focused on enhancing its cybersecurity measures.

Is NIST CSF the best choice for your business?

The NIST Cybersecurity Framework (CSF) is a flexible and comprehensive option suitable for a wide range of businesses. Its adaptability to various industries, compliance with other standards, and emphasis on improvement make it a strong choice for managing cybersecurity risks. Also its simplicity is a great advantage, making a good starting point for organizations who are new to implement a cybersecurity program.

Whether NIST CSF is the best choice for your business depends on your specific needs, regulatory requirements, risk profile, and available resources. For many organizations, updates to CSF 2.0 in particular provide a solid foundation for cybersecurity practices while allowing customization to meet unique challenges.

What are other NIST compliances?

  • NIST Special Publication (SP) 800-53
  • NIST SP 800-171
  • NIST Cybersecurity Framework (CSF)
  • NIST CSF 2.0
  • NIST CSF can help any organization looking to improve its cybersecurity.

What is “unique” about Black Kite’s  Unique Parser?

Black Kite’s Unique Parser revolutionizes the compliance process by simplifying the task of aligning security policies with standards. With the industry’s first cyber-aware AI engine, the parser allows vendors to effortlessly upload their security policies or custom questionnaires in various formats, including doc, txt, xlsx, csv and pdf. This cutting-edge technology then swiftly calculates mappings, delivering results in seconds. By leveraging the power of Black Kite’s Unique Parser, companies can navigate the complex landscape of compliance with ease, ensuring their security measures are up to par without the traditional, time-consuming manual effort. The Unique Parser stands out as a key tool for businesses looking to streamline their compliance efforts, making it a simpler, more efficient process.

Updated [February 21, 2024]: List of affiliates, Lockbit’s statements after the operation, Lockbit’s operational websites.


Learn about the threat actors that are still out there.