NIST Cybersecurity Framework 2.0: Adoption Guide
The NIST Cybersecurity Framework 2.0 introduces the Govern function and expanded guidance for all organisations. This guide covers what changed from version 1.1, how to build Current and Target Profiles, and a practical adoption roadmap.
What Changed in NIST CSF 2.0
Released in February 2024, the NIST Cybersecurity Framework 2.0 is the first major revision since the original framework launched in 2014 (version 1.1, published in 2018, was an incremental update). Key changes include a new sixth core function (Govern), an explicit scope covering all organisations rather than primarily critical infrastructure, expanded supply chain risk management guidance, and improved alignment with other frameworks through NIST's published informative references.
The Six Core Functions
CSF 2.0 organises cybersecurity activities into six functions, described here in the outcome-oriented wording that 2.0 uses:
- Govern (GV): The organisation's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored
- Identify (ID): The organisation's current cybersecurity risks to systems, people, assets, and data are understood
- Protect (PR): Safeguards to manage the organisation's cybersecurity risks are used (1.1 framed this narrowly as ensuring delivery of critical services)
- Detect (DE): Possible cybersecurity attacks and compromises are found and analysed
- Respond (RS): Actions regarding a detected cybersecurity incident are taken
- Recover (RC): Assets and operations affected by a cybersecurity incident are restored
Each function is divided into categories and subcategories (22 categories and 106 subcategories in 2.0), each stating a specific outcome rather than prescribing how to achieve it.
Understanding the Govern Function
The Govern function is the most significant addition. Its six categories are Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles, Responsibilities, and Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV), and Cybersecurity Supply Chain Risk Management (GV.SC); the last of these moves supply chain risk out of Identify (ID.SC in 1.1) and into governance. The Govern function sits at the centre of the framework, informing how all other functions are implemented and giving leadership a defined role in setting risk appetite and checking that the programme delivers against it.
Building Your Current Profile
A Current Profile describes your organisation's present cybersecurity posture. To build one:
- Review each CSF subcategory and assess your current state of implementation
- Gather evidence from existing policies, procedures, tools, and assessments
- Engage stakeholders across IT, security, legal, and business functions
- Document findings honestly, noting both strengths and gaps
- Use a consistent rating scale, such as the four CSF Implementation Tiers (Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive), and agree the scale before assessment starts so ratings from different teams are comparable
Defining Your Target Profile
A Target Profile describes the desired cybersecurity outcomes based on your risk appetite and business objectives. To define it:
- Prioritise CSF subcategories based on business criticality and risk assessment
- Align target outcomes with applicable regulations and contractual obligations
- Set realistic, time-bound goals for each subcategory
- Validate the profile with senior leadership to ensure strategic alignment
Conducting Gap Analysis
Compare your Current Profile against your Target Profile to identify gaps. For each gap, assess the associated risk, estimate the effort needed, prioritise actions based on risk reduction value, and develop an action plan with milestones.
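The comparison can be scripted once ratings are captured in a consistent scale. The script below is an added example, not a NIST tool or code from the original page: it holds per-subcategory ratings from the Current and Target Profiles, rejects ratings outside the agreed tier scale, computes the gap in tier levels, and ranks open gaps by an assumed "risk reduction per unit effort" score (gap × risk ÷ effort). The subcategory identifiers follow CSF 2.0 naming; the tier ratings, risk scores and effort estimates are constructed sample data.

```python
"""NIST CSF 2.0 profile gap analysis (added example; not NIST's or the page's own tool).

Subcategory identifiers use CSF 2.0 naming (GV.OC-01 and so on); the tier ratings,
risk scores and effort estimates below are constructed sample data for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# CSF Implementation Tiers used as an ordinal rating scale for each subcategory.
TIERS = {"Partial": 1, "Risk Informed": 2, "Repeatable": 3, "Adaptive": 4}


@dataclass(frozen=True)
class SubcategoryAssessment:
    subcategory: str  # CSF 2.0 subcategory ID, e.g. "GV.OC-01"
    current: str      # tier name recorded in the Current Profile
    target: str       # tier name recorded in the Target Profile
    risk: int         # 1 (low) .. 5 (high): impact if the outcome is not met (assumed scale)
    effort: int       # 1 (small) .. 5 (large): estimated work to close the gap (assumed scale)


def validate(a: SubcategoryAssessment) -> None:
    """Reject ratings outside the agreed scale so a typo cannot silently hide a gap."""
    for tier in (a.current, a.target):
        if tier not in TIERS:
            raise ValueError(f"{a.subcategory}: unknown tier {tier!r}; use one of {list(TIERS)}")
    if not (1 <= a.risk <= 5 and 1 <= a.effort <= 5):
        raise ValueError(f"{a.subcategory}: risk and effort must be in 1..5")


def gap(a: SubcategoryAssessment) -> int:
    """Tier levels between current and target; 0 when the target is already met or exceeded."""
    validate(a)
    return max(0, TIERS[a.target] - TIERS[a.current])


def priority(a: SubcategoryAssessment) -> float:
    """Assumed scoring: risk reduction per unit of effort (larger, riskier, cheaper gaps first)."""
    return gap(a) * a.risk / a.effort


def gap_analysis(assessments):
    """Return the open gaps as an ordered action list, highest priority first."""
    open_gaps = [a for a in assessments if gap(a) > 0]
    ranked = sorted(open_gaps, key=lambda a: (-priority(a), a.subcategory))
    return [
        {
            "subcategory": a.subcategory,
            "function": a.subcategory.split(".")[0],
            "current": a.current,
            "target": a.target,
            "gap": gap(a),
            "priority": round(priority(a), 2),
        }
        for a in ranked
    ]


def gaps_by_function(assessments):
    """Count open gaps per CSF function, for a leadership-level summary."""
    counts = defaultdict(int)
    for row in gap_analysis(assessments):
        counts[row["function"]] += 1
    return dict(counts)


# Constructed sample profile: five subcategories across four functions.
SAMPLE_ASSESSMENTS = [
    SubcategoryAssessment("GV.OC-01", "Partial", "Repeatable", risk=5, effort=2),
    SubcategoryAssessment("GV.SC-01", "Partial", "Risk Informed", risk=4, effort=4),
    SubcategoryAssessment("PR.AA-01", "Repeatable", "Repeatable", risk=4, effort=3),
    SubcategoryAssessment("DE.CM-01", "Risk Informed", "Adaptive", risk=3, effort=3),
    SubcategoryAssessment("RS.MA-01", "Partial", "Repeatable", risk=4, effort=5),
]

if __name__ == "__main__":
    for row in gap_analysis(SAMPLE_ASSESSMENTS):
        print(f"{row['subcategory']:10} {row['current']:14} -> {row['target']:14} "
              f"gap={row['gap']} priority={row['priority']}")
    print(gaps_by_function(SAMPLE_ASSESSMENTS))
```

On the sample data the ranking puts GV.OC-01 first (two tiers of gap on a high-risk, low-effort outcome) and GV.SC-01 last, while PR.AA-01 drops out because its target is already met. The scoring formula is a placeholder for whatever weighting your risk assessment produces; the point of keeping it in one function is that leadership can see and change the weighting rather than having it buried in a spreadsheet.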
Practical Adoption Roadmap
For organisations new to the CSF, follow this sequence:
- Start with the Govern function to establish your governance foundation
- Build your Current Profile through self-assessment
- Define your Target Profile aligned with business objectives
- Conduct gap analysis and prioritise actions
- Implement improvements in priority order
- Monitor progress and refine both profiles at least annually, and sooner after significant change (a major incident, new systems or suppliers, or new regulatory obligations)
NIST CSF 2.0 is designed to be flexible and scalable. Use it as a communication tool with leadership, a planning instrument for your security programme, and a benchmark for measuring progress over time.