3 Major Changes in NIST's First-Ever Update to the CSF

Cybersecurity News

Since its release in 2014, NIST's CSF quickly rose to become the number one cybersecurity framework in the world. Over the last decade, it's been downloaded millions of times across 185 countries and translated into a dozen languages. At Silent Breach, we've found that our CSF Compliance Audit remains one of the most popular choices for companies seeking to build a successful cybersecurity program.

However, cybersecurity operates within an extremely fluid and dynamic environment. Since 2014, our digital infrastructure has undergone tremendous change, malicious actors have developed novel strategies, and new technologies continue to emerge.

To keep up, NIST has released a draft of its first-ever update to the CSF: CSF 2.0.

Importantly, the new CSF not only responds to present challenges, but is also designed to anticipate how the framework will be used in the future.

Here are the top three changes included in the new framework.

1. An expanded scope

While the NIST framework has always been colloquially known as the Cybersecurity Framework, or CSF, its official name was actually the “Framework for Improving Critical Infrastructure Cybersecurity.” This is because the original CSF was specifically geared toward addressing cybersecurity vulnerabilities in critical industries such as banking and power plants. Based on the framework's popularity as well as industry feedback, NIST has now expanded the scope of the guidance to cover all industries. Indeed, NIST signaled this by explicitly changing the official name to The Cybersecurity Framework.

2. Profiles

In the spirit of making the Framework more accessible and flexible, NIST has included what it calls Profiles. Companies can create Profiles that tailor the CSF to their particular circumstances or requirements. Complex organizations, or those that would like to monitor the cybersecurity maturity of various use cases or economic sectors, can create multiple Profiles. As an example, here is a NIST-supplied Profile for Electric Vehicle Extreme Fast Charging Infrastructure.

3. A sixth function: Govern

Finally, and perhaps most importantly, CSF 2.0 includes an entirely new pillar. The original version famously divided the main cybersecurity functions into five segments: Identify, Protect, Detect, Respond and Recover. Now there is a sixth: Govern. In the past, cybersecurity was traditionally seen as a technical challenge that could be handled close to its source by the IT team. In recent years, however, many security leaders have pointed out that company policies, training, prioritization, resource allocation and oversight are far more critical than previously understood. In essence, cybersecurity is now considered a major organizational risk, akin to legal and financial risks, and must therefore be supported by a company-wide governance approach.

The full draft of the Cybersecurity Framework (CSF) 2.0 can be viewed and downloaded here.

For help with understanding how the new changes apply to your organization or for help with implementing CSF 2.0, please contact a Silent Breach expert for a custom same-day quote.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.