On February 26, 2024, the National Institute of Standards and Technology (“NIST”) announced the release of Version 2.0 of its voluntary Cybersecurity Framework (“CSF”).

The first iteration of the CSF was released in 2014 as a result of an Executive Order, to help organizations understand, manage, and reduce their cybersecurity risks. The original CSF was developed for organizations in the critical infrastructure sector, such as hospitals and power plants, but has since been voluntarily implemented across various sectors and industries, including in schools and local governments.

The final version of CSF 2.0 incorporates stakeholder feedback that NIST received in public comments on a draft version it released in 2023. CSF 2.0 is designed to apply to all organizations, not just those considered critical infrastructure. The framework is organized around six key functions relating to cybersecurity risks: Identify, Protect, Detect, Respond, Recover, and the newly added Govern, which provides guidance on how an organization can manage its internal cybersecurity decisions. In addition to its updated CSF guidance, NIST has released a suite of resources to help organizations manage their cybersecurity, which can be accessed at NIST’s CSF 2.0 Resource Center.