NIST CSF 2.0
The NIST Cybersecurity Framework 2.0, commonly referred to as NIST CSF 2.0, is a voluntary cyber security framework published by the National Institute of Standards and Technology (NIST), a US government agency. While the original 2014 framework was written for organisations operating critical infrastructure, it has since been adopted globally by businesses of all sizes and sectors as a structured way to manage and reduce cyber security risk, and Version 2.0 makes that broader scope explicit. Released in February 2024, Version 2.0 introduced several updates to the previous Version 1.1, most notably the addition of a sixth core function, Govern, alongside the five functions carried over from earlier versions (Identify, Protect, Detect, Respond, Recover).
The framework is organised around six core functions, each representing a different aspect of cyber security risk management:
Govern: Establishing and overseeing the organisation's cyber security strategy, policies, and risk management approach. Aids in achieving the outcomes of the other five functions.
Identify: Understanding the organisation's current cyber security risks, including those associated with its assets (e.g. data, hardware, systems, software, people) and its suppliers, so that the other functions can be prioritised accordingly.
Protect: Implementing controls to safeguard assets and reduce the likelihood of a security incident.
Detect: Monitoring systems to identify and analyse indicators of compromise, anomalies, and other potentially adverse events in a timely manner.
Respond: Taking appropriate action to contain and manage the impact of a cyber security incident, including mitigation, reporting, and communication.
Recover: Restoring normal operations and improving resilience following an incident.
Unlike ISO 27001, which an organisation can be certified against, or SOC 2, which produces an independent auditor's attestation report, there is no formal certification or audit for NIST CSF 2.0. Instead, organisations use it to assess their current security posture, identify gaps, and set improvement targets. The framework's own vocabulary for this is the Organizational Profile: a Current Profile recording which outcomes are being achieved today, a Target Profile recording the outcomes the organisation wants to achieve, and a gap analysis between the two, with Tiers (Partial, Risk Informed, Repeatable, Adaptive) used to characterise the rigour of the organisation's risk governance and management practices. This makes it a useful tool both for internal security management and for demonstrating a mature, structured approach to cyber security to customers, clients, and partners.
While there is no general legal requirement to adopt NIST CSF 2.0 (US federal agencies are the notable exception, having been directed to use the framework under Executive Order 13800), it is increasingly referenced in procurement processes and due diligence efforts, particularly by US-based organisations or those working in highly regulated sectors, where a supplier may be asked to present a Current Profile or to map existing controls to the framework's functions and categories.