V5 Ultimate
Systems & integration · The complete guide

NIST Cybersecurity Framework 2.0

TL;DR

NIST Cybersecurity Framework 2.0, published 26 February 2024, is the first major revision of NIST's flagship voluntary cybersecurity guidance since version 1.0 in 2014 (version 1.1, released in 2018, was an incremental update). CSF 2.0 adds a sixth core function, Govern, alongside the original five (Identify, Protect, Detect, Respond, Recover), broadens the framework's scope beyond critical infrastructure to organisations of all sizes and sectors, and introduces Implementation Examples, an expanded Profile model (Current, Target and Community Profiles) and Quick-Start Guides for small business, supply-chain risk, enterprise risk management and Community Profiles. NIST positions it as complementary to the AI Risk Management Framework for AI-system risk.

Reviewed · By V5 Ultimate compliance team · 2,700 words · ~13 min read

01 What the CSF is and is not

The CSF is a voluntary framework — not a regulation, not a standard, not an audit certification. It is a structured vocabulary of cybersecurity outcomes (the Core), a method for setting targets and measuring current state (Profiles), and a way to describe maturity (Tiers). Organisations adopt it to communicate consistently across business, IT, security and supplier domains, and to map their controls to a common reference structure.

What it is not: a list of mandatory controls. The Core describes outcomes (e.g. PR.DS-11: 'Backups of data are created, protected, maintained, and tested'); the controls that achieve them come from NIST SP 800-53, ISO/IEC 27002, the CIS Critical Security Controls, sector-specific guidance, or the organisation's own choice. Two organisations can satisfy the same outcome with entirely different control sets, which is why CSF assessments compare outcomes, not control inventories.

02 What 2.0 changed

  • Govern (GV) added as a sixth function alongside Identify, Protect, Detect, Respond, Recover.
  • Scope broadened from 'critical infrastructure' (the 1.x framing) to organisations of all sizes and sectors.
  • Implementation Examples introduced for each subcategory — concrete actions that satisfy the outcome.
  • Reference Tool and Informative References modernised — mappings to SP 800-53 Rev 5, ISO/IEC 27001:2022, CIS Controls v8 and others.
  • Quick Start Guides for small business, supply-chain risk, enterprise risk management, and creating community profiles.
  • AI risk management — CSF 2.0 + the NIST AI RMF (AI 100-1) are presented as complementary; the CSF Profile concept is extended to AI-system risk.
  • Supply-chain risk management elevated from a single Identify category to a Govern category (GV.SC) reflecting executive accountability.

03 The Govern function in detail

Govern (GV) is the bridge between enterprise risk management and cybersecurity-specific functions. It contains the categories where executive accountability lives:

  • GV.OC — Organizational Context (mission, stakeholders, legal/regulatory requirements, critical dependencies).
  • GV.RM — Risk Management Strategy (objectives, appetite, statements, communication).
  • GV.RR — Roles, Responsibilities, and Authorities.
  • GV.PO — Policy (cybersecurity policy is established, communicated, enforced).
  • GV.OV — Oversight (results of activities inform leadership; corrections are made).
  • GV.SC — Cybersecurity Supply Chain Risk Management.

04 The six functions

Function      | Purpose                                                        | Example outcome
Govern (GV)   | Cybersecurity risk-management strategy, expectations and policy | Cybersecurity supply-chain risk is integrated into procurement
Identify (ID) | Understand the assets, suppliers and risks                     | Inventories of hardware, software, services and data are maintained
Protect (PR)  | Safeguards to limit or contain the impact of events            | Identities are managed, authenticated and authorised
Detect (DE)   | Find and analyse possible cybersecurity attacks and compromises | Anomalies and indicators of compromise are detected
Respond (RS)  | Take action regarding a detected incident                      | Incidents are contained and eradicated
Recover (RC)  | Restore assets and operations affected by an incident          | Backups and restoration capabilities are tested

05 Profiles — Current, Target, Community

A Profile is the organisation's view of the Core: which outcomes apply, at what maturity, in what priority. CSF 2.0 distinguishes:

  • Current Profile — where the organisation stands today against the chosen outcomes.
  • Target Profile — where the organisation needs to be, based on mission, risk tolerance, legal requirements and stakeholder expectations.
  • Community Profile — a baseline Profile authored for a sector or use case (e.g. SMB, healthcare, AI systems, election infrastructure) that organisations adopt and tailor.

The Current vs Target gap drives the prioritised action plan. CSF 2.0's emphasis on Community Profiles makes adoption easier for organisations that previously found the framework too abstract — they start from a sector baseline rather than from a blank Core.

06 Implementation Tiers

Tiers (1 Partial → 2 Risk-Informed → 3 Repeatable → 4 Adaptive) describe the rigour and integration of cybersecurity risk management. CSF 2.0 characterises each Tier along two dimensions, cybersecurity risk governance and cybersecurity risk management, and applies Tiers to Profiles rather than as a standalone maturity score. In practice organisations also assess Tiers per function or category, so an organisation can reasonably describe itself as Tier 3 on Protect and Tier 2 on Respond; the point is to expose that unevenness, not to average it away.

07 Why CSF matters in regulated industries

  • Medical devices — FDA's premarket cybersecurity guidance and Section 524B align with CSF outcomes (SBOM, threat modelling, vulnerability handling, monitoring).
  • Critical-infrastructure operators — many sector-specific regulations (TSA pipeline security, FERC/NERC CIP, water/wastewater EPA guidance) cross-reference CSF.
  • Federal contractors — CMMC and SP 800-171 are control-based rather than outcome-based, but their controls descend from SP 800-53, which is one of the CSF 2.0 Informative References, so CSF outcomes map onto them through that lineage.
  • Cloud / SaaS providers serving regulated customers — CSF Profile aligns naturally with SOC 2 TSC, ISO 27001 Annex A and FedRAMP control families.
  • Boards — Govern function provides the structure for SEC cybersecurity disclosure (Reg S-K Item 106) conversations.

08 Adopting CSF 2.0 in practice

  1. Pick the Community Profile that fits if one exists (small business, manufacturing, healthcare, AI). Start from the baseline.
  2. Identify the in-scope assets, services and suppliers (Identify + Govern.OC).
  3. Score the Current Profile against the subcategories. Be honest — overscored Current Profiles produce undersized action plans.
  4. Set the Target Profile based on risk appetite, regulatory obligations and stakeholder expectations.
  5. Prioritise the gap. The Govern function should set the priority criteria.
  6. Operate. Detect and Respond outcomes generate the telemetry that the next Current Profile review uses.
  7. Repeat annually (or after a material event) — CSF is a continuous, not a one-shot, activity.
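The Current-versus-Target gap described in section 05 and scored in steps 3 to 5 above is simple to compute but easy to get wrong in two ways: gaps that are ranked without the priority criteria Govern is supposed to set, and Target scores that sit below Current scores without anyone noticing. The following is an added example, not code from the page, from V5 Ultimate or from NIST. The subcategory IDs are real CSF 2.0 identifiers with paraphrased descriptions; the 0-4 scoring scale, the per-outcome weights and the sample Profile are constructed for illustration, and the weight is stood in for whatever priority criteria the organisation's Govern function actually defines.

```python
"""CSF 2.0 Profile gap analysis: Current vs Target, prioritised by Govern criteria.

Added example. Subcategory IDs are CSF 2.0 identifiers; the scoring scale,
weights and sample Profile below are constructed, not taken from NIST.
"""
from dataclasses import dataclass

# Constructed scoring convention (CSF does not define one): 0 = not addressed,
# 1..4 borrow the Tier labels Partial, Risk-Informed, Repeatable, Adaptive.
SCALE = range(0, 5)


@dataclass(frozen=True)
class Outcome:
    subcategory: str     # CSF 2.0 subcategory ID, e.g. "PR.DS-11"
    current: int         # Current Profile score on SCALE
    target: int          # Target Profile score on SCALE
    weight: float = 1.0  # priority multiplier set by Govern (constructed: 2.0 = regulatory driver)
    note: str = ""       # paraphrased outcome text, for the report

    @property
    def function(self) -> str:
        """Function prefix, e.g. "PR" for PR.DS-11."""
        return self.subcategory.split(".", 1)[0]

    @property
    def gap(self) -> int:
        return self.target - self.current


def validate(profile: list[Outcome]) -> list[str]:
    """Return human-readable problems that would make the gap analysis misleading."""
    problems = []
    for o in profile:
        if o.current not in SCALE or o.target not in SCALE:
            problems.append(f"{o.subcategory}: scores must be within {SCALE.start}-{SCALE.stop - 1}")
        elif o.target < o.current:
            # A Target below Current is either an accepted regression (record it
            # under GV.RM) or a scoring error; either way it needs a decision.
            problems.append(f"{o.subcategory}: target {o.target} below current {o.current}")
    return problems


def prioritised_gaps(profile: list[Outcome]) -> list[Outcome]:
    """Open gaps ordered by gap x weight (descending), ties broken by subcategory ID."""
    open_gaps = [o for o in profile if o.gap > 0]
    return sorted(open_gaps, key=lambda o: (-(o.gap * o.weight), o.subcategory))


def function_rollup(profile: list[Outcome], attr: str = "current") -> dict[str, float]:
    """Mean score per function (GV, ID, PR, ...), rounded to 2 places."""
    buckets: dict[str, list[int]] = {}
    for o in profile:
        buckets.setdefault(o.function, []).append(getattr(o, attr))
    return {f: round(sum(v) / len(v), 2) for f, v in buckets.items()}


# Constructed sample Profile for a small organisation with a regulatory backup obligation.
PROFILE = [
    Outcome("GV.OC-03", 1, 3, 2.0, "legal, regulatory and contractual requirements understood"),
    Outcome("GV.SC-01", 0, 3, 1.5, "supply-chain risk management programme established"),
    Outcome("ID.AM-01", 2, 3, 1.0, "hardware inventories maintained"),
    Outcome("ID.AM-02", 2, 3, 1.0, "software and service inventories maintained"),
    Outcome("PR.AA-01", 3, 3, 1.0, "identities and credentials managed"),
    Outcome("PR.DS-11", 1, 4, 2.0, "backups created, protected, maintained and tested"),
    Outcome("DE.CM-01", 2, 3, 1.5, "networks monitored for adverse events"),
    Outcome("RS.MA-01", 2, 2, 1.0, "incident response plan executed once an incident is declared"),
    Outcome("RC.RP-01", 1, 3, 1.0, "recovery portion of the incident response plan executed"),
]


def action_plan(profile: list[Outcome]) -> list[str]:
    """One line per open gap, in priority order, as a starting point for step 5."""
    return [
        f"{o.subcategory}: {o.current} -> {o.target} (priority {o.gap * o.weight:.1f}) {o.note}"
        for o in prioritised_gaps(profile)
    ]


if __name__ == "__main__":
    for p in validate(PROFILE):
        print("CHECK:", p)
    print("Current by function:", function_rollup(PROFILE, "current"))
    print("Target by function: ", function_rollup(PROFILE, "target"))
    for line in action_plan(PROFILE):
        print(line)
```

Run as a script, the report puts PR.DS-11 first (a three-point gap on a regulatory driver), then the two Govern outcomes, and leaves PR.AA-01 and RS.MA-01 out because they already meet their targets. Swap `PROFILE` for a Community Profile baseline with your own scores and the same functions apply; the weights are where the Govern function's priority criteria belong, and `validate()` is the check to run before anyone reads the ranking.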

09 How V5 handles this

Frequently asked questions

Q. Is CSF mandatory?

No. CSF is a voluntary framework. Some federal contracts, sector regulators and state laws reference it, and some customers contractually require it, but there is no statutory mandate. Its strength is voluntary adoption across sectors using a common vocabulary.

Q. Do I need to throw away CSF 1.1 work?

No. The 2.0 Core extends rather than discards 1.1. Most 1.1 subcategories map cleanly to 2.0 subcategories. The Govern function is new; supply-chain risk has moved into Govern from Identify; Implementation Examples are added. Plan a migration, not a rewrite.

Q. How does CSF 2.0 relate to ISO/IEC 27001:2022?

Complementary. CSF is an outcomes framework with no certification; 27001 is a management-system standard with certification. Many programmes use 27001 as the certified ISMS and CSF as the outcomes vocabulary for cross-functional and board communication. The CSF 2.0 Informative References map subcategories to ISO/IEC 27001:2022 Annex A controls, so an existing Statement of Applicability can be read back into a Current Profile rather than assessed from scratch.

Q. Where does the AI RMF fit?

NIST positions the AI Risk Management Framework (AI 100-1) and CSF 2.0 as complementary. AI systems introduce risks the CSF can address through the same Profile structure — Community Profiles tailored to AI-system risk are an explicit CSF 2.0 use case.

See NIST Cybersecurity Framework 2.0 working on a real shop floor

V5 Ultimate ships with the NIST Cybersecurity Framework 2.0 controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.