CyberGrind · Orange Book Published March 27, 2026
Framework Deep Dive

NIST Cybersecurity
Framework 2.0

What it is, why it was built, what changed in version 2.0, and how any organization — from a small nonprofit to a federal agency — can use it to manage cybersecurity risk.

Released: February 26, 2024
Published by: NIST (Dept. of Commerce)
Compliance: Voluntary
Scope: All organizations, all sectors
Contents
  1. What Is the NIST CSF?
  2. Why Was It Created?
  3. What Changed in Version 2.0?
  4. The Six Core Functions
  5. Implementation Tiers
  6. Organizational Profiles
  7. Who Should Use It?
  8. Limitations & Uncertainty
  9. References

What Is the NIST CSF?

The NIST Cybersecurity Framework (CSF) is a voluntary, outcome-based framework published by the National Institute of Standards and Technology — a non-regulatory agency of the U.S. Department of Commerce. It is designed to help organizations of all sizes and sectors understand, communicate, assess, and manage cybersecurity risk.

The key word here is outcome-based. The CSF does not tell you which firewall vendor to use, which SIEM to deploy, or which specific technical controls to implement. Instead, it describes the results you should be working toward — and maps those results to a wide variety of standards, guidelines, and practices that can help you get there. This makes it both technology-neutral and sector-neutral, which is a large part of why it has been adopted so broadly worldwide.

Core Purpose

The CSF is a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of size, sector, or technical maturity — to understand, assess, prioritize, and communicate cybersecurity risk. It is not a checklist. It is a framework for strategic thinking.

The CSF is organized around three components: the CSF Core (a hierarchy of functions, categories, and subcategories describing cybersecurity outcomes), Organizational Profiles (a mechanism for describing current and target cybersecurity posture), and Implementation Tiers (context for how an organization views and manages cybersecurity risk).

Why Was It Created?

The original CSF (version 1.0) was created in direct response to Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," signed by President Obama in February 2013. The order directed NIST to work with the private sector to develop a framework for reducing cyber risks to critical infrastructure — power grids, water systems, financial networks, telecommunications, and other sectors on which the nation's safety and economy depend.

At the time, there was no single, widely-adopted standard that organizations across these diverse sectors could use to assess and communicate their cybersecurity posture. Different industries operated with different standards, different vocabularies, and different levels of maturity. The CSF was intended to provide that common language and structural approach — while remaining flexible enough to be adopted voluntarily across vastly different organizational contexts.

NIST published CSF 1.0 in February 2014, just one year after the executive order. It was rapidly adopted by both public and private sector organizations well beyond the original critical infrastructure scope. CSF 1.1 followed in April 2018 with refinements but no structural overhaul.

By 2022, NIST recognized that the cyber landscape had shifted significantly enough to warrant a substantive revision. The world had experienced accelerating cloud adoption, a dramatic expansion of remote work, the emergence of widespread ransomware campaigns, large-scale supply chain attacks (including SolarWinds and Kaseya), and increasing attention to AI and quantum computing as both tools and threat vectors. NIST opened a public comment and workshop process in early 2022, publishing CSF 2.0 on February 26, 2024.

What Changed in Version 2.0?

Expanded Scope

Perhaps the most significant change is one that formalizes what had already been happening in practice: CSF 2.0 explicitly applies to organizations of all sizes and sectors, not just critical infrastructure. The original framework was scoped to critical infrastructure but was widely adopted beyond it anyway. Version 2.0 acknowledges this reality and designs for it intentionally, including a dedicated Small Business Quick-Start Guide and further Quick-Start Guides for specific tasks such as creating Organizational Profiles, using the Tiers, and managing supply chain risk.

The Govern Function

The most structurally notable change is the addition of a sixth core function: Govern (GV). In CSF 1.1, governance was a single category (ID.GV) under the Identify function and had no top-level prominence. Elevating Govern to a core function signals that cybersecurity governance (leadership accountability, strategy alignment, risk management policy, and supply chain oversight) must be treated as a foundational, first-class organizational priority rather than an administrative afterthought.

Why Govern Matters

The Govern function establishes, communicates, and monitors an organization's cybersecurity risk management strategy, expectations, and policies. Its placement at the center of the framework model reflects a fundamental insight: no amount of technical investment produces lasting security if leadership isn't aligned, accountable, and driving the strategy. Govern is the function that makes all other functions sustainable.

Supply Chain Risk Management

CSF 2.0 significantly expands guidance around cybersecurity supply chain risk management (C-SCRM). CSF 1.1 introduced supply chain risk as a single category (ID.SC) under Identify; version 2.0 moves it into the Govern function as the GV.SC category, with more detailed subcategories covering roles, responsibilities, supplier requirements, and practices for managing third-party and supplier cyber risk across the relationship lifecycle. This reflects the prominence of supply chain compromises such as SolarWinds and Kaseya in the years between the two versions.

Organizational Profiles & Community Profiles

CSF 2.0 expands the use of Organizational Profiles, structured descriptions of an organization's current and target cybersecurity posture. Current and Target Profiles already existed in CSF 1.1 as "Framework Profiles"; version 2.0 gives them more detailed guidance, a dedicated Quick-Start Guide, and a new companion concept, Community Profiles. Community Profiles are pre-built profile templates designed for specific sectors or use cases, allowing organizations within the same industry to benchmark against a shared baseline rather than starting from zero.

Simplified Language & Implementation Examples

The framework uses clearer, more accessible language throughout. CSF 2.0 adds implementation examples for each subcategory: concrete illustrations of what achieving a given outcome might look like in practice, without being prescriptive about the specific method. Note that the implementation examples and the informative references to other standards are not printed in the CSF 2.0 document itself; NIST maintains them online (through the CSF 2.0 Reference Tool) so they can be updated without revising the framework. This reduces the gap between the framework's abstract outcomes and the practitioner's real-world decisions.

Aspect                  | CSF 1.1 (2018)                                  | CSF 2.0 (2024)
Scope                   | Critical infrastructure focus                   | All organizations, all sectors
Core Functions          | 5 (Identify, Protect, Detect, Respond, Recover) | 6 (adds Govern)
Governance              | One category (ID.GV) under Identify             | Elevated to a top-level function (GV)
Supply Chain            | Single category (ID.SC) under Identify          | Expanded, chiefly as GV.SC under Govern
Profiles                | Current/Target Framework Profiles defined       | Expanded guidance; Community Profiles added
Implementation Examples | Not included                                    | Provided for each subcategory (online)
Quick-Start Guides      | Limited                                         | Multiple audience- and task-specific guides

The Six Core Functions

The CSF Core is organized into six Functions, each representing a high-level cybersecurity outcome. These functions are not sequential steps — they are concurrent, continuous activities. Every mature cybersecurity program operates across all six simultaneously.

GV · Govern (new in CSF 2.0)

Establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policies. Covers organizational context, risk management strategy, supply chain risk, roles and responsibilities, policy, and oversight. Acts as the foundation underpinning all five other functions — the mechanism by which cybersecurity becomes part of enterprise risk management rather than a siloed technical exercise.

ID · Identify

Understand the current cybersecurity risk landscape. Covers asset management (data, hardware, software, systems, facilities, people, suppliers), risk assessment, and improvement planning. Knowing what you have and what threats exist is the prerequisite for everything else.

PR · Protect

Implement safeguards to manage cybersecurity risk and prevent or reduce the likelihood and impact of cybersecurity events. Covers identity management, access control, awareness and training, data security, platform security, and technology infrastructure resilience.

DE · Detect

Find and analyze possible cybersecurity attacks and compromises in a timely manner. Covers continuous monitoring and adverse event analysis. Detection capability is what closes the gap between an attack occurring and your organization knowing about it.

RS · Respond

Take action to contain and manage the effects of a detected cybersecurity incident. Covers incident management, analysis, mitigation, reporting, and communication — both internal and external (including regulators and the public where applicable).

RC · Recover

Restore assets, operations, and services affected by a cybersecurity incident. Covers incident recovery planning, execution, and communications. A mature Recover function means the organization can return to normal — or better — without catastrophic, extended downtime.

Each Function is broken down into Categories (specific outcomes within the function) and Subcategories (granular outcome statements). CSF 2.0 contains 22 categories and 106 subcategories across the six functions.

Implementation Tiers

The four Implementation Tiers (called simply "CSF Tiers" in version 2.0) describe how an organization views cybersecurity risk and the rigor of the processes it has in place to govern and manage it. In CSF 2.0 a Tier is applied to an Organizational Profile to characterize that rigor. They are not maturity levels to be climbed sequentially; they are descriptors that help an organization understand its current posture and determine whether that posture is appropriate given its risk appetite. A Tier 2 organization is not "failing"; it may be exactly where it needs to be given its size and context.

Tier 1: Partial. Risk management is ad hoc and reactive. Limited awareness of cybersecurity risk. Little to no integration with organizational risk management.

Tier 2: Risk Informed. Risk management practices are approved by leadership but not yet adopted organization-wide. Some awareness of supply chain risk.

Tier 3: Repeatable. Risk management practices are formally approved and expressed as policy. Consistent implementation across the organization. Supply chain risk is managed.

Tier 4: Adaptive. The organization adapts cybersecurity practices based on lessons learned and predictive indicators. It actively shares information with partners. Continuous improvement is embedded in the culture.

Organizational Profiles

An Organizational Profile is the CSF's mechanism for applying the framework to a specific organization's context. It documents the organization's cybersecurity outcomes — current state and target state — in terms of the CSF Core, informed by the organization's mission, risk appetite, threat environment, and legal/regulatory requirements.

Current Profile
Documents the cybersecurity outcomes the organization is currently achieving. Essentially a snapshot of existing posture — honest, not aspirational. This is the baseline from which gaps are identified.
Target Profile
Documents the outcomes the organization aims to achieve. Driven by business objectives, risk tolerance, and regulatory requirements. The gap between Current and Target Profile drives prioritization and resource allocation.

CSF 2.0 also introduces Community Profiles — profile templates developed for specific sectors, subsectors, or technology types. For example, a Community Profile might be developed for small healthcare providers, or for organizations deploying industrial control systems. Community Profiles allow organizations within the same domain to benchmark against a shared reference point rather than starting profile development from a blank page.
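The gap between a Current and a Target Profile is what drives prioritization, but the framework leaves the mechanics to you. The following is an added example, not NIST tooling and not part of the original article, showing one way to encode a small profile and turn it into a ranked gap list and a per-Function rollup. The subcategory identifiers used (GV.OC-01, GV.SC-01, ID.AM-01, PR.AA-01, PR.AA-03, DE.CM-01, RS.MA-01, RC.RP-01) are real CSF 2.0 identifiers and the one-line comments paraphrase their outcomes; the 0..4 practice-level scale, the 1..3 priority weights and the sample values are constructed for illustration.

```python
"""Current-vs-Target Profile gap analysis for NIST CSF 2.0 (illustrative)."""
import re
from dataclasses import dataclass

# Real CSF 2.0 Function prefixes; anything else is rejected as a typo.
FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")
SUBCATEGORY_RE = re.compile(r"^(GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}$")
MAX_LEVEL = 4  # constructed 0..4 scale: 0 = not performed, 4 = optimised/adaptive


@dataclass(frozen=True)
class ProfileEntry:
    sub_id: str    # CSF 2.0 subcategory identifier, e.g. "GV.OC-01"
    current: int   # assessed practice level today (Current Profile)
    target: int    # level the organization has chosen to reach (Target Profile)
    priority: int  # 1 (low) .. 3 (high), taken from the risk assessment (constructed scale)

    def __post_init__(self):
        if not SUBCATEGORY_RE.match(self.sub_id):
            raise ValueError(f"not a CSF 2.0 subcategory id: {self.sub_id!r}")
        for name in ("current", "target"):
            level = getattr(self, name)
            if not 0 <= level <= MAX_LEVEL:
                raise ValueError(f"{self.sub_id}: {name} level {level} outside 0..{MAX_LEVEL}")
        if not 1 <= self.priority <= 3:
            raise ValueError(f"{self.sub_id}: priority must be 1..3")

    @property
    def function(self) -> str:
        return self.sub_id.split(".", 1)[0]

    @property
    def gap(self) -> int:
        # A target below current is a deliberate de-scoping decision, not a gap.
        return max(self.target - self.current, 0)


# Constructed sample profile: real subcategory IDs, made-up levels and priorities.
SAMPLE_PROFILE = [
    ProfileEntry("GV.OC-01", current=1, target=3, priority=3),  # mission informs risk management
    ProfileEntry("GV.SC-01", current=0, target=2, priority=2),  # C-SCRM program established
    ProfileEntry("ID.AM-01", current=2, target=3, priority=2),  # hardware inventory maintained
    ProfileEntry("PR.AA-01", current=3, target=3, priority=3),  # identities and credentials managed
    ProfileEntry("PR.AA-03", current=1, target=3, priority=3),  # users, services, hardware authenticated
    ProfileEntry("DE.CM-01", current=1, target=2, priority=2),  # networks monitored for adverse events
    ProfileEntry("RS.MA-01", current=2, target=2, priority=2),  # incident response plan executed
    ProfileEntry("RC.RP-01", current=1, target=3, priority=3),  # recovery portion of IR plan executed
]


def gap_analysis(profile):
    """Return (sub_id, gap, weighted_gap) for outcomes not yet at target, largest weighted gap first."""
    open_items = [e for e in profile if e.gap > 0]
    # Weight the raw gap by priority so a small gap on a critical outcome outranks a
    # large gap on a low-priority one; tie-break on the id for stable, reviewable output.
    open_items.sort(key=lambda e: (-e.gap * e.priority, e.sub_id))
    return [(e.sub_id, e.gap, e.gap * e.priority) for e in open_items]


def function_rollup(profile):
    """Fraction of profiled outcomes already at target, per CSF Function (None if none profiled)."""
    totals = {f: [0, 0] for f in FUNCTIONS}  # function -> [met, total]
    for e in profile:
        totals[e.function][1] += 1
        if e.gap == 0:
            totals[e.function][0] += 1
    return {f: (met / total if total else None) for f, (met, total) in totals.items()}


if __name__ == "__main__":
    for sub_id, gap, weighted in gap_analysis(SAMPLE_PROFILE):
        print(f"{sub_id}: gap {gap}, weighted {weighted}")
    for fn, frac in function_rollup(SAMPLE_PROFILE).items():
        shown = "n/a" if frac is None else f"{frac:.0%}"
        print(f"{fn}: {shown} of profiled outcomes at target")
```

Two design points matter more than the arithmetic. First, the identifier check rejects anything that is not a syntactically valid CSF 2.0 subcategory, which catches the copy-paste errors that creep into spreadsheets long before an auditor does. Second, a target below the current level is scored as no gap rather than a negative one: deliberately de-scoping an outcome is a legitimate Target Profile decision, and the rollup should not reward or penalize it.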

Who Should Use It?

The CSF is genuinely useful for a wide range of organizations. Its strength is in providing structure for conversations that might otherwise be impossible — between technical teams and executive leadership, between procurement and security, between an organization and its regulators or auditors. It also maps to many other frameworks and standards, including NIST SP 800-53, ISO/IEC 27001, CIS Controls, and others, making it a useful translation layer across different compliance environments.

"The CSF prompts its users to consider their cybersecurity posture in context and then adapt the CSF to their specific needs." — NIST CSF 2.0

For small and mid-sized organizations new to structured cybersecurity: start with the CSF 2.0 Small Business Quick-Start Guide and use the framework as an assessment and prioritization tool. You don't need to achieve all subcategories; you need to understand your risks and make informed decisions about where to invest.

For larger organizations with existing programs: use Organizational Profiles to formally document current vs. target posture, and use the Govern function specifically to ensure leadership alignment with cybersecurity strategy.

For federal agencies and contractors: CSF 2.0 maps to SP 800-53 and can complement your RMF (Risk Management Framework) process. NIST publishes the informative reference mappings between CSF 2.0 and SP 800-53 Rev. 5 online through its Cybersecurity and Privacy Reference Tool, alongside the other informative references.

Limitations & Uncertainty

Transparency note: The following represents genuine limitations or areas where I cannot confirm specifics — not acknowledged facts presented as uncertainty for rhetorical effect.

Adoption statistics: Precise, current global adoption figures are not reliably available. Claims about what percentage of organizations use CSF typically originate from vendor surveys with limited methodological transparency. We have not cited specific adoption percentages.

Compliance mapping precision: NIST provides mappings between CSF 2.0 and other frameworks (including SP 800-53), but these mappings are not one-to-one. The documentation itself notes that "mappings and crosswalks are not always one-to-one and relationship analysis can be subjective." Do not treat mapping tables as equivalence tables.

Implementation complexity: The CSF is intentionally flexible, which means implementation difficulty varies enormously by organization. There is no single right way to implement it, and NIST does not prescribe one. What works for a large federal agency may be entirely inappropriate for a 50-person nonprofit.

This is not compliance advice: Nothing in this article constitutes legal, regulatory, or compliance guidance. If your organization has specific FISMA, FedRAMP, HIPAA, or other regulatory obligations, consult qualified professionals and the primary NIST publications directly.

References

  1. NIST. (2024). The NIST Cybersecurity Framework (CSF) 2.0. NIST CSWP 29. Published February 26, 2024. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
  2. NIST. (2024). NIST CSF 2.0: Resource & Overview Guide. NIST SP 1299. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1299.pdf
  3. Arctic Wolf. (2025). NIST CSF 2.0: Understanding and Implementing the Govern Function. https://arcticwolf.com/resources/blog/nist-csf-2-0-understanding-and-implementing-the-govern-function/
  4. IBM Think. (2025). Unpacking the NIST Cybersecurity Framework 2.0. https://www.ibm.com/think/insights/nist-cybersecurity-framework-2
  5. Drata. (2025). Everything You Need to Know About NIST CSF 2.0. https://drata.com/blog/nist-csf-2-guide
  6. Contrast Security. (2025). What is NIST Cybersecurity Framework (CSF) 2.0? https://www.contrastsecurity.com/glossary/nist-csf
  7. CybelAngel. (2025). NIST CSF 2.0: What Changed and How to Implement It. https://cybelangel.com/blog/guide_nist_2/
  8. NRI Secure. (2025). NIST CSF 2.0: What's New and Why It Matters. https://www.nri-secure.com/blog/nist-csf-2