NIST Releases CSF 2.0, Caters to Audience Beyond Critical Infrastructure

The NIST CSF 2.0 is the document’s first major update in the decade since it was first released.

By Jill McKeon

The National Institute of Standards and Technology (NIST) released version 2.0 of its Cybersecurity Framework (CSF), which is broadly used to reduce cyber risk across critical infrastructure. Considering the framework’s longstanding success in critical infrastructure, NIST has expanded its reach by designing version 2.0 for all audiences and organization types, regardless of security maturity.

“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio.

“CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.” 

NIST first released the CSF in 2014 following a 2013 executive order on improving critical infrastructure cybersecurity under the Obama administration. Adoption of the framework is voluntary but can help critical infrastructure entities, including those in the healthcare sector, enhance their cybersecurity programs and mitigate cyber risks.

Version 2.0 is the CSF’s first major update in a decade. The updated version expands the CSF’s core guidance and also includes complementary resources to help users tailor the framework to their needs.

Additionally, the latest version, which supports the implementation of the National Cybersecurity Strategy, focuses more on governance and how organizations can make informed cyber strategy decisions.

Users will also have access to the CSF 2.0 Reference Tool, which allows them to easily search and export data from the CSF’s core guidance. NIST also created a searchable catalog of information references that map specific security actions to CSF controls. Users can leverage this catalog to cross-reference the CSF’s guidance to more than 50 other cybersecurity documents.

The CSF has been translated into 13 languages and has been a pillar for securing critical infrastructure over the past decade. These new additions will enable even more organizations to reap the benefits of this framework.

“As users customize the CSF, we hope they will share their examples and successes, because that will allow us to amplify their experiences and help others,” said Kevin Stine, chief of NIST’s Applied Cybersecurity Division.

“That will help organizations, sectors and even entire nations better understand and manage their cybersecurity risk.”