top of page

NIST CSF Improvements to Assist More Organizations

green typewriter with Update written on white paper

The National Institute of Standards and Technology (NIST) has recently released the second version of its Cybersecurity Framework (CSF), a voluntary guidance document that helps organizations of all sizes and sectors to manage and reduce their cybersecurity risks. The CSF 2.0 builds on the success of the first version, which was published in 2014 and has been widely adopted by organizations across the world.


The CSF 2.0 introduces some new features and enhancements that aim to make the framework more user-friendly, flexible, and comprehensive. In this blog post, we will highlight some of the main changes and benefits of the CSF 2.0, and how you can use it to improve your cybersecurity posture.


What is the CSF?

The CSF is a set of high-level cybersecurity outcomes that are organized into five core functions: Identify, Protect, Detect, Respond, and Recover. Each function consists of several categories and subcategories that describe specific goals and activities for achieving cybersecurity objectives.


The CSF does not prescribe how to achieve these outcomes, but rather links to online resources that provide additional guidance on practices and controls that could be used to implement them. These resources are called Informative References, and they include standards, guidelines, best practices, and frameworks from various sources, such as NIST, ISO, COBIT, CIS, etc.


The CSF also provides a methodology for creating and using Organizational Profiles, which are customized representations of an organization's cybersecurity objectives, priorities, capabilities, and gaps. Profiles can help organizations to align their cybersecurity efforts with their business needs, risk appetite, and resources.


Additionally, the CSF defines four Tiers that describe different levels of cybersecurity risk management maturity. Tiers can help organizations to assess their current state, identify areas for improvement, and communicate their progress to stakeholders.


New sticker on box holding it closed

What's new in the CSF 2.0?

The CSF 2.0 incorporates feedback from users and stakeholders who have used the first version of the framework since 2014. Some of the main changes and enhancements are:

  • A new section on Cybersecurity Risk Governance that explains how organizations can establish and maintain effective governance structures and processes for managing cybersecurity risks across the enterprise.

  • A revised section on Cybersecurity Risk Management that clarifies how organizations can use Profiles and Tiers to assess and improve their cybersecurity capabilities and performance.

  • A simplified process for creating and using Organizational Profiles that consists of five steps: define scope, assess current state, define target state, perform gap analysis, and develop action plan.

  • A new section on Implementation Examples that provides illustrative scenarios of how different types of organizations can use the CSF to address common cybersecurity challenges and opportunities.

  • A new section on Framework Profiles that provides templates and useful resources for creating and using Profiles for specific purposes or sectors, such as electric utilities, healthcare providers, small businesses, etc.

  • An updated set of Informative References that reflects the latest standards, guidelines, best practices, and frameworks available for achieving the CSF outcomes.

  • A new online tool called CSF Navigator that allows users to browse, search, filter, compare, and customize the CSF components and Informative References in an interactive way.


How can you use the CSF 2.0?

The CSF 2.0 is designed to be flexible and adaptable to the needs and preferences of different organizations. You can use it as a whole or in part, depending on your goals and context. Here are some possible ways to use the CSF 2.0:

  • As a benchmark to evaluate your current cybersecurity state against a set of best practices and identify gaps and areas for improvement.

  • As a roadmap to plan and prioritize your cybersecurity actions and investments based on your business objectives and risk appetite.

  • As a communication tool to articulate your cybersecurity vision, strategy, goals, progress, and challenges to internal and external stakeholders.

  • As a learning resource to increase your awareness and understanding of cybersecurity concepts, issues, trends, solutions, and opportunities.

  • As a collaboration platform to share your experiences and insights with other organizations who use the CSF or similar frameworks.


Where can you find more information?

If you are interested in learning more about the CSF 2.0 or accessing its components and resources, you can visit the official NIST website at


There you will find:

  • The full text of the CSF 2.0 document (NIST CSWP 29) in PDF format

  • The Quick Start Guides for users with specific common goals

  • The Framework Profiles and templates for different purposes and sectors

  • The Informative References (Mappings) and how they relate to the CSF outcomes

  • The Implementation Examples and how they illustrate the use of the CSF

  • The CSF Navigator online tool and how it can help you explore and customize the CSF

  • The latest updates and news on the CSF development and adoption


You can also contact NIST directly at if you have any questions, comments, or feedback on the CSF 2.0.


We hope this blog post has given you a brief overview of what's new in the CSF 2.0 and how you can use it to enhance your cybersecurity. We encourage you to check out the CSF 2.0 and contact Webcheck Security to discuss how the framework can help you achieve your cybersecurity goals. Our Fractional Information Security Officers (FISOs) can aid in the implementation of the framework.

12 views0 comments


bottom of page