Current NIST Cybersecurity Guidelines

By Mark D. Albin, MS

NIST Cybersecurity Framework 2.0 - Overview

The NIST Cybersecurity Framework (CSF) 2.0 was officially published on February 26, 2024, marking the first major update to the framework since its original release in 2014. It provides comprehensive, non-prescriptive cybersecurity guidance for organizations of any size, sector, or maturity level.

Key Aspects of CSF 2.0

  • Expanded Scope: Now explicitly covers all organizations, irrespective of size or type, rather than focusing primarily on critical infrastructure as earlier versions did.
  • A New Core Function: Govern: CSF 2.0 adds a sixth function, Govern, to the original five (Identify, Protect, Detect, Respond, Recover). Govern addresses how an organization makes and oversees its cybersecurity risk management decisions, including strategy, roles, policy, and oversight of supply chain risk.
  • The Six CSF 2.0 Functions: Govern, Identify, Protect, Detect, Respond, and Recover together form the framework's core, each broken into categories and subcategories of cybersecurity outcomes.
  • Implementation Examples: CSF 2.0 includes practical Implementation Examples for each subcategory, giving organizations concrete starting points rather than abstract goals, maintained as a living online resource.
  • Quick-Start Guides: NIST published supplementary Quick-Start Guides tailored to different audiences, including small businesses, enterprise risk managers, and organizations creating CSF profiles.
  • Non-Prescriptive Framework: CSF 2.0 still offers guidance and maps to resources for achieving cybersecurity outcomes, rather than prescribing specific tools or methods, so it can be adapted to an organization's existing risk management approach.

Getting Started With CSF 2.0

Most organizations begin by running a current-state assessment against the six functions to identify gaps, then build a target profile describing the outcomes they want to achieve. If you're already following another framework, such as ISO 27001 or CIS Controls, NIST provides informative references mapping CSF 2.0 outcomes to those standards, making it possible to layer CSF 2.0 on top of an existing program rather than starting over. Strong identity controls are often one of the first gaps organizations close, since the Protect function explicitly calls for safeguards like multifactor authentication to limit unauthorized access.

Useful Links

Not sure how your organization measures up against the CSF 2.0 functions, or how it compares to threats like those covered in our Comprehensive Guide to Cyber Attacks? Our Managed IT Services team can help assess your environment and build a roadmap aligned to the framework.

Current NIST Cybersecurity Guidelines | IT Master Services