The US National Institute of Standards and Technology (NIST) has recently released Version 2.0 of its Cybersecurity Framework (CSF) [3] [7], focusing on international adoption and governance [1].


This major update [5], the first since the framework’s inception in 2014, features a new core structure, resource catalog [2] [5] [6] [7], and scope of application [2]. The framework retains its structure with outcome-based Functions [1], Categories [1] [4], and Subcategories [1] [4], including a new ‘Govern’ pillar to address organizational context [3]. Changes include a renewed emphasis on Supply Chain Risk Management and the movement of informative references to a separate column [1]. Version 2.0 also introduces new categories for incident response management and supply chain risk response [4], along with a catalog of implementation examples for businesses of different types and sizes [4]. The update integrates the framework with other relevant NIST special publications, enhancing accessibility for organizations [3]. This release follows a multiyear process of discussions and public comments to tailor the framework for various audiences and organization types [6], providing customized pathways and resources to address evolving cybersecurity needs and capabilities [6]. The framework is now available for all organizations to manage and reduce cyber risks [3], expanding its scope beyond critical infrastructure to cover all organizations and industries [3]. It offers core guidance and resources to assist organizations of all sizes and sectors in achieving cybersecurity goals, with a particular focus on governance and supply chains [5] [6].


The updated Cybersecurity Framework Version 2.0 by NIST has significant implications for organizations worldwide, providing enhanced guidance and resources to address evolving cybersecurity needs. By focusing on governance and supply chain risk management, the framework offers a comprehensive approach to managing and reducing cyber risks. Organizations of all sizes and sectors can benefit from the framework’s tailored pathways and resources, ensuring a more secure cyber environment for the future.