NIST has released version 2.0 of its Cybersecurity Framework — the most significant update since the original 2014 release. Here's what changed and how it affects your organization.
Major Changes
- New "Govern" function: A sixth core function joining Identify, Protect, Detect, Respond, and Recover. It emphasizes cybersecurity governance, risk management, and supply chain security at the leadership level.
- Expanded scope: The framework now explicitly applies to ALL organizations, not just critical infrastructure.
- Supply chain focus: New categories address third-party risk management.
- Measurement: New guidance covers measuring cybersecurity program effectiveness.
Practical Implications
Federal contractors must align with CSF 2.0 by December 2026. Many cyber insurance providers are updating their requirements to reference CSF 2.0 controls. Organizations pursuing SOC 2 compliance will find significant overlap.
Getting Started
Download the free framework from nist.gov. Conduct a gap analysis against your current program. Prioritize the Govern and Identify functions first — you can't protect what you don't know you have.