What is the NIST CSF 2.0?
The NIST Cybersecurity Framework (CSF) is published by the National Institute of Standards and Technology (NIST), the US standards agency. Originally designed for critical infrastructure, it has become one of the most widely used cybersecurity frameworks in the world, precisely because it is simple, flexible and non-prescriptive.
Rather than mandating specific controls, it offers a structure to organize and communicate cybersecurity activities, from the technical floor up to the board.
Why it matters for your organization
The NIST CSF provides a common language between technical teams and leadership. Its six functions let you summarize a complex posture into a readable picture, useful for prioritizing investment and reporting on risk.
It also acts as a backbone for aligning multiple frameworks: many organizations map ISO 27001, SOC 2 or their regulatory obligations onto the CSF functions to avoid managing everything in silos.
The six functions
- Govern: define strategy, roles and risk management.
- Identify: understand your assets, risks and dependencies.
- Protect: put security controls in place.
- Detect: spot security events and anomalies.
- Respond: react effectively to an incident.
- Recover: restore capabilities after an incident.
Where organizations most often fall short
A common mistake is treating the CSF as a checklist to tick, when its value comes from comparing a current profile against a target profile. Without that measured gap, the framework stays descriptive and guides no decision. The Govern function, new in 2.0, is still often neglected in favor of the technical functions.
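The current-versus-target profile comparison described above, as an added example that is not NIST's own tooling: the category IDs are real CSF 2.0 identifiers, but the maturity scores are constructed to show a typical pattern where the technical functions run ahead of Govern, and the gap per function and the categories to fund first are computed from them.

```python
"""Gap analysis between a Current and a Target CSF 2.0 Profile (added example)."""
from typing import Dict, List, Tuple

# CSF 2.0 functions in the order the framework lists them.
FUNCTIONS = ["GV", "ID", "PR", "DE", "RS", "RC"]
FUNCTION_NAMES = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
                  "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Constructed sample profiles: a 0-4 maturity score per CSF 2.0 category
# (category IDs are real CSF 2.0 identifiers; the scores are invented and
# deliberately show the technical functions ahead of Govern).
CURRENT_PROFILE = {
    "GV.OC": 1, "GV.RM": 1, "ID.AM": 3, "ID.RA": 2, "PR.AA": 3, "PR.DS": 2,
    "DE.CM": 2, "DE.AE": 1, "RS.MA": 2, "RS.AN": 2, "RC.RP": 1, "RC.CO": 2,
}
TARGET_PROFILE = {cat: 3 for cat in CURRENT_PROFILE}  # uniform target of 3


def category_gaps(current: Dict[str, int], target: Dict[str, int]) -> Dict[str, int]:
    """Target minus current per category; both profiles must list the same categories."""
    if current.keys() != target.keys():
        missing = set(current) ^ set(target)
        raise ValueError(f"profiles cover different categories: {sorted(missing)}")
    # A category already at or above its target contributes no gap.
    return {cat: max(0, target[cat] - current[cat]) for cat in current}


def function_gaps(current: Dict[str, int], target: Dict[str, int]) -> List[Tuple[str, float]]:
    """Average gap per function, largest first (ties keep the framework's order)."""
    gaps = category_gaps(current, target)
    per_fn: Dict[str, List[int]] = {}
    for cat, gap in gaps.items():
        per_fn.setdefault(cat.split(".")[0], []).append(gap)
    ranked = [(fn, sum(per_fn[fn]) / len(per_fn[fn])) for fn in FUNCTIONS if fn in per_fn]
    return sorted(ranked, key=lambda fg: (-fg[1], FUNCTIONS.index(fg[0])))


def prioritize(current: Dict[str, int], target: Dict[str, int], top: int = 3) -> List[str]:
    """Categories with the largest measured gap: what a target-driven roadmap funds first."""
    gaps = category_gaps(current, target)
    order = sorted(gaps, key=lambda c: (-gaps[c], FUNCTIONS.index(c[:2]), c))
    return [c for c in order if gaps[c] > 0][:top]


if __name__ == "__main__":
    for fn, gap in function_gaps(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{FUNCTION_NAMES[fn]:<9} average gap {gap:.1f}")
    print("fund first:", prioritize(CURRENT_PROFILE, TARGET_PROFILE))
```

With the sample scores, Govern tops the ranking even though Identify and Protect look mature, which is the neglect pattern the section describes.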