NIST CSF 2.0: the framework regulators and auditors reference
NIST CSF is the most widely recognized cybersecurity framework in the world. Regulators reference it, auditors benchmark against it, and cyber insurance underwriters use it to evaluate your posture. Six functions, clear structure, and it maps to any industry-specific regulation. BlackSheep tracks your progress across all six.
$249/month · All frameworks included · No credit card to start
Why organizations across every industry adopt NIST CSF
Regulatory alignment
Regulators across financial services, healthcare, energy, and government reference NIST CSF when evaluating cybersecurity programs. Using it shows your program is built on a recognized standard.
Client & partner confidence
Clients, partners, and vendors increasingly ask about your cybersecurity framework. NIST CSF provides a common language that demonstrates maturity without overcommitting.
Cross-regulation bridge
CSF maps to industry-specific requirements — whether that's HIPAA, PCI DSS, SOC 2, CMMC, or financial regulations. Build once, apply everywhere.
Gap identification
Current state vs. framework expectations tells you exactly where you are and where you need to be. No guessing, no ambiguity.
The 6 core functions
CSF 2.0 organizes cybersecurity outcomes into six functions.
Govern is new in 2.0 and wraps around the other five.
Govern
New in 2.0. Set and monitor your cybersecurity risk management strategy, policies, roles, and expectations. The other five functions roll up to Govern.
Key areas
- Organizational context and risk strategy
- Roles, responsibilities, and authorities
- Cybersecurity policy
- Oversight and reporting
- Supply chain risk management
Common implementations
Board/executive oversight, documented policies, CISO/security leadership designation, third-party risk governance
Identify
Understand your current cybersecurity risks. Know what you have, what it's worth, and what could go wrong.
Key areas
- Asset management
- Risk assessment
- Improvement (lessons learned)
Common implementations
Asset inventory, risk-based program design, vulnerability assessments, penetration testing
Protect
The safeguards you put in place to manage cybersecurity risks. Access controls, training, data security, and infrastructure resilience.
Key areas
- Identity management and access control
- Awareness and training
- Data security
- Platform security
- Technology infrastructure resilience
Common implementations
MFA, role-based access, encryption at rest and in transit, security awareness training, endpoint protection
Detect
Spot and analyze possible cybersecurity attacks and compromises. Continuous monitoring, adverse event analysis.
Key areas
- Continuous monitoring
- Adverse event analysis
Common implementations
SIEM/log monitoring, intrusion detection, audit trails, anomaly detection, security event correlation
Respond
Take action when a cybersecurity incident is detected. Management, analysis, containment, and communication.
Key areas
- Incident management
- Incident analysis
- Incident response reporting
- Incident mitigation
Common implementations
Incident response plan, breach notification procedures, forensic investigation, stakeholder communication
Recover
Restore operations after a cybersecurity incident. Recovery planning and communication.
Key areas
- Incident recovery plan execution
- Incident recovery communication
Common implementations
Business continuity, disaster recovery, backup and restoration, post-incident review and improvement
Where does your organization fall?
CSF defines four tiers. They are not maturity levels. A small organization at Tier 2 with good documentation can be better positioned than a larger one claiming Tier 3 without evidence.
Partial
Ad hoc, reactive. Cybersecurity risk management isn't formalized. Limited awareness of organizational risk.
Risk Informed
Risk management practices are approved by management but may not be organization-wide policy. Awareness of risk without a coordinated approach.
Repeatable
Practices are formally approved, expressed as policy, and consistently implemented. Organization-wide approach with defined review processes.
Adaptive
Cybersecurity practices adapt based on lessons learned and predictive indicators. Risk management is part of the culture.
Common questions about NIST CSF 2.0
If it's voluntary, why bother?
Because your regulators, auditors, and cyber insurance carriers aren't voluntary — and they reference NIST CSF when evaluating your program. Mapping to a recognized framework is the easiest way to demonstrate your cybersecurity program is reasonably designed, regardless of which industry-specific regulation applies to you.
Do we need to be Tier 4?
No. Tier 4 (Adaptive) is aspirational for most organizations and overkill for many. Tier 2 or Tier 3 is realistic. What matters more than the tier number is whether you can document where you are, where you're headed, and what you're doing to close gaps.
Does adopting NIST CSF mean we automatically comply with our industry regulations?
No. CSF is a framework for organizing your program, not a compliance checklist. But it maps well to most regulatory requirements. If your cybersecurity program is built on CSF, meeting specific regulatory requirements is easier because the structure is already there.
What changed from 1.1 to 2.0?
The Govern function was added as a sixth core function, making cybersecurity governance a board-level topic. The scope expanded past critical infrastructure to cover all organizations. Supply chain risk management got more attention, and NIST added implementation examples to make the framework less abstract.
How do we get started?
Start with a Current Profile: document what your organization does today across the six functions. Then define a Target Profile based on your risk tolerance and regulatory obligations. The gap between the two tells you what to work on. BlackSheep automates this with scoring across all six functions.
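The Current Profile / Target Profile / gap procedure above, worked through in code as an added example (this is not BlackSheep's code and not a NIST artifact). The function and category identifiers (GV.OC, ID.AM, and so on) are the real CSF 2.0 ones and line up with the key areas listed per function; the 0-4 per-category scoring scale and both sample profiles are constructed for the illustration, and the tier names are deliberately not reused as scores, since the page notes tiers are not maturity levels.

```python
"""Current-vs-Target Profile gap analysis across the six NIST CSF 2.0 functions.

Added example, not BlackSheep's code. Function/category identifiers are the
real CSF 2.0 ones; the scoring scale and sample profiles are constructed.
"""
from typing import Dict, List, Optional, Tuple

# CSF 2.0 functions -> (name, category identifiers in that function)
CSF_2_0: Dict[str, Tuple[str, List[str]]] = {
    "GV": ("Govern",   ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"]),
    "ID": ("Identify", ["ID.AM", "ID.RA", "ID.IM"]),
    "PR": ("Protect",  ["PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR"]),
    "DE": ("Detect",   ["DE.CM", "DE.AE"]),
    "RS": ("Respond",  ["RS.MA", "RS.AN", "RS.CO", "RS.MI"]),
    "RC": ("Recover",  ["RC.RP", "RC.CO"]),
}
ALL_CATEGORIES: List[str] = [c for _, cats in CSF_2_0.values() for c in cats]

# Assumed scale for this example: 0 = nothing in place ... 4 = implemented with evidence.
SCORE_MIN, SCORE_MAX = 0, 4

Profile = Dict[str, int]


def validate_profile(profile: Profile) -> None:
    """Reject profiles that skip a category, invent one, or score outside the scale."""
    missing = [c for c in ALL_CATEGORIES if c not in profile]
    if missing:
        raise ValueError(f"profile is missing categories: {missing}")
    unknown = [c for c in profile if c not in ALL_CATEGORIES]
    if unknown:
        raise ValueError(f"unknown categories: {unknown}")
    bad = {c: s for c, s in profile.items() if not SCORE_MIN <= s <= SCORE_MAX}
    if bad:
        raise ValueError(f"scores outside {SCORE_MIN}-{SCORE_MAX}: {bad}")


def build_target(default: int, overrides: Optional[Profile] = None) -> Profile:
    """Target Profile: one default score everywhere, with per-category overrides."""
    profile = {c: default for c in ALL_CATEGORIES}
    profile.update(overrides or {})
    return profile


def gap_analysis(current: Profile, target: Profile) -> List[Tuple[str, int, int, int]]:
    """Open gaps as (category, current, target, gap), biggest shortfall first."""
    validate_profile(current)
    validate_profile(target)
    gaps = [(c, current[c], target[c], target[c] - current[c]) for c in ALL_CATEGORIES]
    open_gaps = [g for g in gaps if g[3] > 0]  # already at/above target: nothing to work on
    return sorted(open_gaps, key=lambda g: (-g[3], g[0]))  # ties broken by identifier


def function_rollup(current: Profile, target: Profile) -> Dict[str, Dict[str, object]]:
    """Roll category scores up to the six functions (totals, gap, percent of target)."""
    validate_profile(current)
    validate_profile(target)
    rollup: Dict[str, Dict[str, object]] = {}
    for fid, (name, cats) in CSF_2_0.items():
        cur = sum(current[c] for c in cats)
        tgt = sum(target[c] for c in cats)
        rollup[fid] = {"name": name, "current": cur, "target": tgt, "gap": tgt - cur,
                       "percent": round(100 * cur / tgt) if tgt else 100}
    return rollup


# Constructed sample Current Profile for a small organization.
SAMPLE_CURRENT: Profile = {
    "GV.OC": 2, "GV.RM": 1, "GV.RR": 2, "GV.PO": 2, "GV.OV": 1, "GV.SC": 0,
    "ID.AM": 3, "ID.RA": 2, "ID.IM": 1,
    "PR.AA": 3, "PR.AT": 2, "PR.DS": 2, "PR.PS": 2, "PR.IR": 1,
    "DE.CM": 2, "DE.AE": 1,
    "RS.MA": 1, "RS.AN": 1, "RS.CO": 2, "RS.MI": 1,
    "RC.RP": 1, "RC.CO": 1,
}
# Constructed Target Profile: aim for 3 everywhere, a lower bar for supply chain this year.
SAMPLE_TARGET: Profile = build_target(3, {"GV.SC": 2})


def report(current: Profile = SAMPLE_CURRENT, target: Profile = SAMPLE_TARGET) -> List[str]:
    """Human-readable summary: one line per function, then the ranked gap list."""
    lines = []
    for r in function_rollup(current, target).values():
        lines.append(f"{r['name']:<8} {r['current']:>2}/{r['target']:<2} ({r['percent']}%)  gap {r['gap']}")
    for c, cur, tgt, gap in gap_analysis(current, target):
        lines.append(f"  {c}: {cur} -> {tgt} (gap {gap})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it prints the per-function roll-up followed by every category still short of its target, largest gap first, which is the list the page says "tells you what to work on". Swap in your own Current and Target Profiles; `validate_profile` will refuse a profile that silently drops a category, which is the most common way a self-assessment overstates coverage.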
Related frameworks
SEC Reg S-P
CSF's Respond and Recover functions map directly to Reg S-P's incident response requirements.
NYDFS 23 NYCRR 500
New York's prescriptive cybersecurity regulation. Every Part 500 requirement maps to a CSF subcategory.
DOL EBSA Cybersecurity Guidance
Cybersecurity best practices for ERISA-covered retirement plan fiduciaries.
FINRA Cybersecurity
Core cybersecurity controls for broker-dealers and FINRA-registered firms.
When the auditor asks about your cybersecurity framework, what will you show them?
BlackSheep maps your program to NIST CSF 2.0 with scoring across all six functions. See where your gaps are in 30 minutes. Templates are already built. You fill in what applies to your organization.
$249/month. Every framework included. Works for any industry.
30-day money-back guarantee. If it doesn't save you time in the first month, you pay nothing.