NIST Releases Cybersecurity Framework 2.0: What’s New

The United States National Institute of Standards and Technology (NIST) has issued an updated edition of its seminal cybersecurity document, the Cybersecurity Framework (CSF), now reaching version 2.0.

This constitutes the first significant update since the document’s inception in 2014. The revised CSF is designed for a broad audience, encompassing organizations of all sizes and sectors, from small schools and non-profits to the largest corporations and government agencies.


In response to numerous comments received on the draft document, NIST has expanded the core recommendations of the CSF and developed additional resources to enable users to utilize it more effectively.

The new version supports the implementation of the National Cybersecurity Strategy, introduced by the White House last March, and broadens its scope to include governance issues that pertain to the adoption and implementation of informed decisions in cybersecurity strategy.

The updated CSF introduces a new “Govern” function, augmenting the previous five key functions: Identify, Protect, Detect, Respond, and Recover. Such measures offer a comprehensive view of the cybersecurity risk management lifecycle.

New resources and tools, such as the Reference Tool in CSF 2.0, simplify the document’s application, allowing users to view, search, and export data from the core recommendations in user-friendly formats. Additionally, a catalog of informative references assists organizations in aligning their current actions with the CSF guidelines.

NIST also offers the Cybersecurity and Privacy Reference Tool (CPRT), containing an interconnected set of NIST documents to help contextualize these resources. CPRT facilitates the communication of these ideas to both technical specialists and senior management, promoting coordination across all organizational levels.

NIST plans to continue enhancing its resources and making the CSF an even more valuable tool for a wide range of users. Community feedback will be crucial in this process.

The CSF versions 1.0 and 1.1 have been translated into 13 languages, and NIST anticipates that CSF 2.0 will also be translated by volunteers worldwide. This will allow the dissemination of cybersecurity best practices to many countries beyond the United States, raising the global level of digital defense.

NIST’s collaboration with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) over the past 11 years has facilitated the harmonization of numerous cybersecurity documents, and plans to continue this work underscore a commitment to international consistency and standardization of cybersecurity standards.