22 Mar 2024
by John Kociak

NIST Cybersecurity Framework: What's new in v2.0

Guest blog by John Kociak, Senior Consultant specializing in digital trust at BSI Consulting

On February 26, 2024, the US National Institute of Standards and Technology (NIST) released a major update to its widely adopted Cybersecurity Framework (CSF), moving it from version 1.1 to version 2.0.

What is the NIST Cybersecurity Framework?

NIST’s CSF was first published in 2014, after a 2013 executive order directed the agency to develop a voluntary framework for reducing cyber risk to critical infrastructure. The framework provides a structured approach and guidelines for organizations to assess and strengthen their cybersecurity defenses, regardless of business size, sector, or technical expertise. It also helps align cybersecurity activities with business requirements, risk tolerances, and resources. In versions 1.0 and 1.1 it organized cybersecurity activities and outcomes into five functions:

  • Identify: focuses on understanding and managing cybersecurity risks to systems, assets, data, and capabilities.
  • Protect: involves implementing safeguards to ensure the delivery of critical services while minimizing the impact of cybersecurity incidents.
  • Detect: aims to quickly identify cybersecurity events as they occur, facilitating timely responses.
  • Respond: involves taking appropriate action once an incident is detected, including analysis, containment, mitigation, and communication with stakeholders.
  • Recover: focuses on restoring capabilities or services affected by cybersecurity incidents.

What’s new in CSF 2.0?

Since the release of v1.1 in 2018, the cybersecurity risk landscape has quickly advanced.

To reflect this rapid evolution, NIST’s v2.0 emphasizes the importance of integrating cybersecurity into organizational culture and decision-making processes to address new challenges, including:

  • Supply chain disruption and risks.
  • Growth of 5G and Internet of Things (IoT) devices.
  • Lack of skilled cybersecurity staff.

Version 2.0 provides more comprehensive guidance and flexibility for organizations. Some major changes include:

  • A new "Govern" function covering cybersecurity strategy, policy, roles and responsibilities, and oversight, bringing the total to six functions. This is notable for elevating cyber risk governance to the same level as the other functions.
  • Expanded guidance on supply chain risk management.
  • More guidance on measuring cybersecurity outcomes.
  • New templates for creating organizational profiles.
  • Better integration with broader organizational risk management.
  • Alignment with newer NIST publications on privacy, IoT, and cloud security.

What can organizations do?

Any organization currently using NIST’s CSF can review the v2.0 changes and updated framework core in depth. Businesses can then identify any gaps or improvements needed in existing CSF implementation and adjust cybersecurity policies, programs, and practices accordingly.

For new adopters, version 2.0 is the most current version of the framework on which to build a cyber risk management program. NIST’s CSF v2.0 is a valuable resource for organizations seeking to improve cybersecurity resilience and adapt to emerging threats.

Learn more from our digital trust experts in Strategically building breach resilience by Stephen Scott and Defending against AI’s dark side by Terry Minford.

Visit BSI’s Experts Corner for more insights from industry experts. Subscribe to our Experts Corner-2-Go LinkedIn newsletters for a roundup of the latest thought leadership content: Digital trust, EHS, and supply chain.

You can find the original post here.

John Kociak

Senior Consultant specializing in digital trust, BSI Consulting