Tier 2 — Industry Standard

NIST Cybersecurity Framework (CSF) 2.0 — Oracle Source

Publisher

National Institute of Standards and Technology (NIST), U.S. Department of Commerce

Version

v1

Last verified

February 15, 2026

Frameworks

NIST CSF 2.0

Industries

Applies to all industries

NIST CSF 2.0 - Overview

The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary, risk-based cybersecurity framework that helps organisations of any size or sector understand, assess, prioritise, and communicate cybersecurity risks. Version 2.0, released in February 2024, expands the framework from its original critical-infrastructure focus to all organisations and reorganises the Core around six Functions: Govern, Identify, Protect, Detect, Respond, and Recover. These Functions, with their associated Categories and Subcategories, describe desired cybersecurity outcomes in a technology- and vendor-neutral way and are supported by Profiles and Tiers to structure implementation and improvement over time. nvlpubs.nist


NIST CSF 2.0 - What It Is

CSF 2.0 consists of three main components: the Core, Profiles, and Tiers. rubrik

  • The CSF Core organises cybersecurity outcomes into six Functions (GV, ID, PR, DE, RS, RC), 22 Categories, and 106 Subcategories, each phrased as an outcome such as “Asset vulnerabilities are identified and documented”. saltycloud
  • Organisational Profiles describe the alignment of an organisation’s cybersecurity activities with the Core Outcomes for a given scope (enterprise, business unit, system, or use case), enabling gap analysis between Current and Target Profiles. nvlpubs.nist
  • Tiers describe the degree to which an organisation’s cybersecurity risk management practices exhibit the characteristics of being Partial, Risk-Informed, Repeatable, or Adaptive; they are not maturity scores but context for how rigorously Profiles are implemented and governed. rubrik

NIST provides a “CSF 2.0: Resource & Overview Guide” and online portfolio with Informative References, Implementation Examples, and Quick Start Guides that show how CSF outcomes map to detailed standards (e.g., NIST SP 800‑53, ISO 27001) and concrete practices. nist
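As an added illustration of how Current and Target Profiles drive a gap analysis (this is example code written for this page, not NIST's or any vendor's tooling), the script below scores a constructed sample of Core outcomes on an assumed 0–3 implementation scale, compares the Current Profile with a Target Profile that carries a per-outcome priority, and ranks the gaps. Outcome identifiers are taken from the CSF 2.0 Core; the wording, the numeric scale, the priority labels and the assessment values are all constructed for the example, since NIST does not prescribe a scoring scheme.

```python
"""Current-vs-Target Profile gap analysis over a sample of CSF 2.0 Core outcomes.

Example code for illustration only: the scale, priorities and assessed values
are constructed; only the outcome identifiers come from the CSF 2.0 Core.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of Core outcomes: identifier -> (Function, paraphrased outcome).
OUTCOMES = {
    "GV.OC-01": ("GV", "Organisational mission informs cybersecurity risk management"),
    "GV.RM-01": ("GV", "Risk management objectives are established and agreed by stakeholders"),
    "ID.AM-01": ("ID", "Inventories of organisation-managed hardware are maintained"),
    "ID.RA-01": ("ID", "Vulnerabilities in assets are identified, validated and recorded"),
    "PR.DS-01": ("PR", "Confidentiality, integrity and availability of data at rest are protected"),
    "DE.CM-01": ("DE", "Networks and network services are monitored for adverse events"),
    "RS.MA-01": ("RS", "Incident response plan is executed with relevant third parties once declared"),
    "RC.RP-01": ("RC", "Recovery portion of the incident response plan is executed once initiated"),
}

# Assumed implementation scale (constructed; NIST does not prescribe numeric scoring).
SCALE = {0: "not implemented", 1: "partial", 2: "largely implemented", 3: "fully implemented"}
MAX_LEVEL = max(SCALE)
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class TargetEntry:
    level: int      # desired state on SCALE
    priority: str   # "high" | "medium" | "low", set by the organisation


@dataclass(frozen=True)
class Gap:
    outcome_id: str
    function: str
    current: Optional[int]  # None means the outcome was never assessed
    target: int
    priority: str
    delta: int              # target minus current (an unassessed outcome counts as 0)


def gap_analysis(current: Dict[str, int], target: Dict[str, TargetEntry]) -> List[Gap]:
    """Return every outcome where the Target Profile exceeds the Current Profile,
    ordered by priority, then by size of the shortfall, then by identifier."""
    gaps: List[Gap] = []
    for oid, entry in target.items():
        if oid not in OUTCOMES:
            raise KeyError(f"unknown outcome identifier {oid}")
        if not 0 <= entry.level <= MAX_LEVEL:
            raise ValueError(f"{oid}: target level {entry.level} is outside the scale")
        cur = current.get(oid)
        delta = entry.level - (cur or 0)
        if delta > 0:
            gaps.append(Gap(oid, OUTCOMES[oid][0], cur, entry.level, entry.priority, delta))
    gaps.sort(key=lambda g: (PRIORITY_RANK[g.priority], -g.delta, g.outcome_id))
    return gaps


def unassessed(current: Dict[str, int]) -> List[str]:
    """Outcomes in scope that have no entry in the Current Profile."""
    return sorted(oid for oid in OUTCOMES if oid not in current)


def function_coverage(profile: Dict[str, int]) -> Dict[str, float]:
    """Percent of the maximum score achieved per Function; missing outcomes score 0."""
    per_function: Dict[str, List[int]] = {}
    for oid, (fn, _) in OUTCOMES.items():
        per_function.setdefault(fn, []).append(profile.get(oid, 0))
    return {fn: round(100 * sum(v) / (MAX_LEVEL * len(v)), 1) for fn, v in per_function.items()}


# Constructed assessment data: RC.RP-01 deliberately left out of the Current Profile.
CURRENT = {"GV.OC-01": 2, "GV.RM-01": 1, "ID.AM-01": 3, "ID.RA-01": 1,
           "PR.DS-01": 2, "DE.CM-01": 1, "RS.MA-01": 2}
TARGET = {
    "GV.OC-01": TargetEntry(3, "medium"), "GV.RM-01": TargetEntry(3, "high"),
    "ID.AM-01": TargetEntry(3, "high"),   "ID.RA-01": TargetEntry(3, "high"),
    "PR.DS-01": TargetEntry(3, "medium"), "DE.CM-01": TargetEntry(3, "high"),
    "RS.MA-01": TargetEntry(2, "medium"), "RC.RP-01": TargetEntry(2, "high"),
}

if __name__ == "__main__":
    print("Coverage by Function (current):", function_coverage(CURRENT))
    print("Never assessed:", unassessed(CURRENT))
    for g in gap_analysis(CURRENT, TARGET):
        state = "unassessed" if g.current is None else SCALE[g.current]
        print(f"[{g.priority:6}] {g.outcome_id} ({g.function}): {state} -> "
              f"{SCALE[g.target]} (+{g.delta})  {OUTCOMES[g.outcome_id][1]}")
```

The ranking puts high-priority shortfalls first regardless of which Function they sit in, which is the behaviour a risk committee usually wants from a Target Profile; the unassessed outcome surfaces as a gap of full size rather than silently disappearing, and the per-Function coverage gives the roll-up figure that Tier discussions tend to ask for. Replacing the constructed tables with the organisation's own scoped Subcategories is the only change needed to use it on a real Profile.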


NIST CSF 2.0 - Who It Applies To

NIST explicitly positions CSF 2.0 as applicable to all organisations, not just U.S. critical infrastructure operators. It is intended for: nist

  • Organisations of any size (small, medium, large), sector (public, private, non-profit), and geography seeking a common language and structure for cybersecurity risk. nist
  • Stakeholders including senior executives and boards, risk managers, CISOs, security teams, internal audit, regulators, and customers who need to communicate about cyber risk and capabilities. cybelangel
  • Entities that must align with or demonstrate due care under other frameworks (NIS2, ISO 27001, sectoral rules) and want a unifying, crosswalkable cyber risk backbone. mdpi

While CSF 2.0 remains voluntary guidance, many regulators, sectoral agencies, and customers increasingly reference it as “good practice” or as an organising framework for regulatory or contractual expectations. debevoisedatablog


NIST CSF 2.0 - What It Requires - Core & Functions

At minimum, CSF 2.0 expects organisations to use the Core to define cybersecurity outcomes and to structure risk management around the six Functions. saltycloud

Functions

  • Govern (GV) — Establish and monitor the organisation’s cybersecurity risk management strategy, expectations, and policy; integrate cyber into enterprise risk management. arcticwolf
  • Identify (ID) — Understand assets, business environment, and cybersecurity risks to support risk-informed decisions. nvlpubs.nist
  • Protect (PR) — Implement safeguards (access control, training, data security, hardening, resilience) to limit or contain the impact of potential events. saltycloud
  • Detect (DE) — Develop and implement activities to identify the occurrence of cybersecurity events in a timely manner. nvlpubs.nist
  • Respond (RS) — Take action regarding detected incidents, including analysis, containment, communication, and mitigation. optiv
  • Recover (RC) — Maintain plans for resilience and restore any capabilities or services impaired due to cybersecurity incidents. thoropass

Each Function is broken into Categories (e.g., GV.RM – Risk Management Strategy, ID.AM – Asset Management, PR.AC – Identity Management & Access Control) and Subcategories that specify more detailed outcomes but remain control‑agnostic. saltycloud


NIST CSF 2.0 - What It Requires - Govern (GV)

The major innovation in CSF 2.0 is the Govern Function, which elevates cybersecurity governance and explicitly frames cyber as an enterprise risk that senior leadership must manage alongside finance, compliance, and reputation. nist

Key Category themes (as described in NIST and practitioner guidance): cyrisma

  • GV.OC – Organisational Context: Mission, stakeholders, legal/regulatory obligations, and risk context for cybersecurity are understood and documented.
  • GV.RM – Risk Management Strategy: Cyber risk appetite, tolerance, prioritisation criteria, and objectives are defined, approved, communicated, and aligned to enterprise risk management. csecurity.kubg.edu
  • GV.SC – Cybersecurity Supply Chain Risk Management: Governance processes address third‑party and supply-chain cyber risk across the lifecycle (selection, contracting, monitoring, offboarding). nist
  • GV.RA – Roles, Responsibilities, and Authorities: Cybersecurity roles, responsibilities, and decision rights are defined, assigned, and resourced; accountability is clear across lines of defence. arcticwolf
  • GV.PO – Policies, Processes, and Procedures: Cybersecurity policies and processes are approved, communicated, enforced, and periodically reviewed for effectiveness. kudelskisecurity
  • GV.OV – Oversight: Leadership and oversight bodies monitor cyber risk, review performance, and drive continuous improvement; cyber risk is regularly discussed alongside other enterprise risks. csecurity.kubg.edu

Govern outcomes must be treated as continuous activities that shape all other Functions, not as a one‑time design exercise. nvlpubs.nist


NIST CSF 2.0 - What It Requires - Other Functions

Identify (ID)

Identify requires organisations to establish an understanding of systems, assets, data, and capabilities, and their associated risks. Core outcomes include: saltycloud

  • Asset management and inventories (hardware, software, data, services). nvlpubs.nist
  • Understanding business environment, mission, and dependencies.
  • Risk assessment, risk register maintenance, and prioritisation.
  • Identifying improvement opportunities for policies, governance, and controls.

Protect (PR)

Protect requires safeguards to ensure delivery of critical services and limit incident impact. saltycloud

Outcomes cover:

  • Identity management and access control (including privileged access). balbix
  • Awareness and training for staff and stakeholders.
  • Data security (encryption, integrity, lifecycle management).
  • Platform and infrastructure protection, secure configuration and maintenance.
  • Protective technologies supporting least privilege and zero trust.

Detect (DE)

Detect requires timely discovery of anomalies and events. optiv

Outcomes include:

  • Continuous monitoring for cybersecurity events.
  • Detection processes that correlate and analyse anomalies.
  • Tuning of detection mechanisms as threats and systems evolve.

Respond (RS)

Respond requires the ability to take action on detected incidents. optiv

Outcomes include:

  • Response planning, roles, and runbooks.
  • Communications and coordination (internal/external, including regulators).
  • Analysis, containment, and mitigation activities.
  • Lessons learned feeding back into Govern and Identify.

Recover (RC)

Recover requires restoring capabilities and services and improving resilience. thoropass

Outcomes include:

  • Recovery planning and tested procedures (backups, continuity, disaster recovery).
  • Improving architectures and processes post‑incident.
  • Communications with stakeholders during and after recovery.

NIST CSF 2.0 - Governance Implications

CSF 2.0 embeds cybersecurity within enterprise governance and ERM, not as a siloed technical function. The Govern Function expects boards and executives to: csecurity.kubg.edu

  • Treat cyber risk as a major source of enterprise risk comparable to financial or legal risk. arcticwolf
  • Establish clear risk appetite and tolerance, and align investments in people, process, and technology accordingly. ijefm.co
  • Oversee supply‑chain cyber risk as part of procurement and vendor management governance, including contractual requirements and ongoing assurance. nist

The Profiles and Tiers mechanisms give boards and risk committees a way to understand current posture, target state, and progress over time, and to evidence integration of cyber into enterprise risk management. For AI systems specifically, CSF 2.0 provides the security and operational risk backbone that AI-specific frameworks (NIST AI RMF, ISO 42001, EU AI Act) assume: identity, access, logging, monitoring, incident response, and recovery remain governed by CSF even when AI-specific risks are handled by other oracles. zengrc


NIST CSF 2.0 - Enforcement Penalties

The CSF is a non‑regulatory framework: it does not itself create legal obligations or penalties. However, regulators, supervisors, and customers increasingly use CSF alignment as evidence of “reasonable” cybersecurity risk management: nist

  • U.S. federal agencies and sectoral regulators reference CSF in guidance and examination expectations; failure to meet CSF‑like outcomes can contribute to findings under sectoral laws (e.g., GLBA, HIPAA, state privacy/breach laws). mdpi
  • EU NIS2 and sectoral regimes (e.g., DORA) have similar governance and risk management expectations; CSF can be used to structure internal programs that then satisfy EU obligations, where penalties can be significant administrative fines. linkinghub.elsevier
  • Customers and partners embed CSF‑aligned requirements in contracts and security questionnaires; misalignment can result in lost business or contractual non-compliance. cybelangel

Thus, while there is no “CSF fine”, not using CSF (or an equivalent framework) can undermine defensibility after incidents, in supervision, or in litigation.


NIST CSF 2.0 - Intersection With Other Frameworks

CSF 2.0 is explicitly designed as a hub framework, to be mapped to and used alongside other standards. cyberhaven

Key intersections:

  • NIST SP 800‑53 & RMF — CSF Subcategories map to specific SP 800‑53 controls; NIST’s Risk Management Framework (SP 800‑37) can be used to operationalise CSF outcomes for federal systems. scrut
  • ISO 27001 / ISO 27002 — CSF Core outcomes align closely with ISO 27001:2022 Annex A and ISO 27002 controls; many organisations use CSF for risk framing and ISO 27001 for certifiable ISMS implementation. mdpi
  • NIS2 / DORA — CSF’s governance, risk management, and incident response outcomes can be mapped to NIS2 Directive and DORA requirements, serving as an internal organising framework. zenodo
  • SOC 2 — CSF outcomes related to security, availability, and processing integrity can be mapped to SOC 2 Trust Services Criteria, simplifying control libraries and evidence reuse. mdpi
  • NIST AI RMF & ISO 42001 — For AI systems, CSF provides the cyber risk backbone (access control, monitoring, incident response), while NIST AI RMF and ISO 42001 add AI‑specific risk management and management‑system requirements. obsidiansecurity
  • COBIT / COSO ERM — CSF can be integrated with COBIT 2019 and COSO ERM to provide cyber‑specific views within broader IT governance and enterprise risk frameworks. arxiv

This makes CSF 2.0 the natural cross‑industry security oracle in your library: other oracles (HIPAA, PCI DSS, GDPR, NIST AI RMF, ISO 27001, DOJ ECCP) can reference CSF Functions/Categories for generic cyber obligations and focus their own text on domain‑specific requirements.


NIST CSF 2.0 - Recent Updates

CSF 2.0 is the first major update since the original 2014 framework and the 1.1 revision. debevoisedatablog

Key updates:

  • New Govern Function that formalises governance, risk strategy, roles, policies, oversight, and supply‑chain risk as a first‑class Function. arcticwolf
  • Expanded scope from “critical infrastructure” to all organisations, explicitly positioning CSF as global, cross‑sector guidance. nist
  • Updated and expanded Core with revised Categories and Subcategories reflecting current practices and emerging technologies, including cloud, OT, and supply‑chain risk. kudelskisecurity
  • Refined Tiers with clearer descriptions emphasising integration into enterprise risk management and continuous improvement. cybersecuritytribe
  • Enhanced resource ecosystem, including the CSF 2.0 Resource & Overview Guide, Quick Start Guides (e.g., for small businesses, enterprise risk), and updated Informative References. industrialcyber

Research and industry practice are now focusing on applying CSF 2.0 to specific sectors (maritime, manufacturing, space, smart contracts), building maturity models, and integrating CSF with ERM and AI‑governance frameworks—confirming its role as the backbone of modern cyber risk governance. ieeexplore.ieee