NIST Cybersecurity Framework 2.0
NIST CSF 2.0 organizes cybersecurity into six outcome-based functions, including a new govern function for leadership accountability. It gives organizations a common language to assess posture, communicate risk to executives, and prioritize improvements.
Best Practice: NIST Cybersecurity Framework 2.0
The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary framework that organizes cybersecurity work into a set of outcomes rather than prescriptive tools. Version 2.0, released in 2024, defines six core functions: govern, identify, protect, detect, respond, and recover. The addition of "govern" emphasizes leadership accountability and risk strategy. It matters because it gives organizations of any size a common language to describe their security posture, communicate risk to executives, and prioritize improvements without locking into a specific vendor or technology. For a small team it is a starting structure that does not require a large security department; for an executive it is a board-ready way to discuss cyber risk in business terms. The framework describes outcomes, not products, so two organizations can both "do" CSF with very different tooling. The profile mechanism is what makes the framework practical: a current profile is an honest snapshot of today, and a target profile is the agreed destination. The gap between them becomes a prioritized improvement plan that leadership can fund and that teams can execute against, function by function.
Step-by-Step Implementation Guidance
- Establish governance: define roles, risk appetite, and accountability for cybersecurity.
- Identify assets, data, suppliers, and the risks that threaten them.
- Create a current profile describing how well each function is performed today.
- Create a target profile reflecting the desired outcomes given your risk appetite.
- Analyze gaps between current and target profiles and prioritize them.
- Implement protect, detect, respond, and recover improvements against the gaps.
- Measure outcomes and update profiles as the threat landscape changes.
Common Mistakes Teams Make When Ignoring This Practice
- Treating cybersecurity as a tool purchase rather than a governed risk program.
- Skipping the identify function and protecting assets you have not inventoried.
- Focusing only on protection while neglecting detection and recovery.
- Building a target profile no one is accountable for delivering.
- Never re-measuring, so leadership cannot see whether risk is decreasing.
- Confusing the framework's outcomes with a specific product and assuming a single tool delivers them all.
Tools and Techniques That Support This Practice
- NIST CSF 2.0 reference and informative references mapping to controls.
- NIST SP 800-53 and CIS Controls as control catalogs to implement outcomes.
- Risk registers and GRC platforms to track profiles and gaps.
- SIEM and EDR tooling to support the detect and respond functions.
- Backup and disaster recovery tooling for the recover function.
- Maturity-tier and profile templates to record current and target states per function.
How This Practice Applies to Different Migration Types
- Cloud Migration: Use the framework to re-evaluate detection and recovery outcomes in shared-responsibility cloud environments.
- Database Migration: Apply identify and protect functions to classify and safeguard data in its new location.
- SaaS Migration: Assess vendors against the govern and identify functions during third-party risk reviews.
- Codebase Migration: Map secure development outcomes to the protect function as code moves to new platforms.
Checklist
- Defined governance roles and risk appetite
- Inventoried assets, data, and suppliers
- Built a current profile of cybersecurity outcomes
- Built a target profile based on risk appetite
- Prioritized gaps between current and target
- Implemented detect, respond, and recover improvements
- Established a cadence to re-measure outcomes