On February 26, 2024, the National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Framework 2.0 (CSF 2.0). CSF 2.0 represents the first major update to the Cybersecurity Framework, which was first released in February 2014. CSF 2.0 provides an increased focus on entities’ governance functions and broadens the CSF’s scope. For companies subject to state and federal standards demanding “reasonable security,” CSF 2.0 is particularly important because it could very well become the de facto standard of care under various cybersecurity and data privacy laws.

Focus on Governance

CSF 2.0 builds on the five high-level functions from CSF 1.0 (Identify, Protect, Detect, Respond, and Recover) by introducing a new core function—Govern. This function focuses on ensuring that an organization’s cybersecurity risk management strategy, expectations, and policies are established, communicated, and monitored. In particular, this new core function emphasizes that an organization’s cybersecurity framework must be (i) based on the organization’s individual circumstances, goals, and risk appetite; (ii) well established and communicated within the organization to ensure compliance and continuity; and (iii) continually reviewed and improved.

Continue reading “NIST Releases Cybersecurity Framework 2.0”