The NIST Cybersecurity Framework (CSF) 2.0
The NIST Cybersecurity Framework (CSF) 2.0 - NIST Feb. 2024
ID 23906 | 30.04.2025 / Attached
The Cybersecurity Framework (CSF) 2.0 is designed to help organizations of all sizes and sectors — including industry, government, academia, and nonprofit — to manage and reduce their cybersecurity risks. It is useful regardless of the maturity level and technical sophistication of an organization’s cybersecurity programs. Nevertheless, the CSF does not embrace a one-size-fits-all approach.
Each organization has both common and unique risks, as well as varying risk appetites and tolerances, specific missions, and objectives to achieve those missions. By necessity, the way organizations implement the CSF will vary.
Ideally, the CSF will be used to address cybersecurity risks alongside other risks of the enterprise, including those that are financial, privacy, supply chain, reputational, technological, or physical in nature.
The CSF describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. Because these outcomes are sector-, country-, and technology-neutral, they provide an organization with the flexibility needed to address their unique risks, technologies, and mission considerations.
Outcomes are mapped directly to a list of potential security controls for immediate consideration to mitigate cybersecurity risks. Although not prescriptive, the CSF assists its users in learning about and selecting specific outcomes.
Suggestions for how specific outcomes may be achieved are provided in an expanding suite of online resources that complement the CSF, including a series of Quick Start Guides (QSGs). Also, various tools offer downloadable formats to help organizations that choose to automate some of their processes.
The QSGs suggest initial ways to use the CSF and invite the reader to explore the CSF and related resources in greater depth. Available through the NIST CSF website, the CSF and these supplementary resources from NIST and others should be viewed as a “CSF portfolio” to help manage and reduce risks.
Regardless of how it is applied, the CSF prompts its users to consider their cybersecurity posture in context and then adapt the CSF to their specific needs.
Building on previous versions, CSF 2.0 contains new features that highlight the importance of governance and supply chains. Special attention is paid to the QSGs to ensure that the CSF is relevant and readily accessible by smaller organizations as well as their larger counterparts.
NIST now provides Implementation Examples and Informative References, which are available online and updated regularly. Creating current and target state Organizational Profiles helps organizations to compare where they are versus where they want or need to be and allows them to implement and assess security controls more quickly.
Cybersecurity risks are expanding constantly, and managing those risks must be a continuous process. This is true regardless of whether an organization is just beginning to confront its cybersecurity challenges or whether it has been active for many years with a sophisticated, well-resourced cybersecurity team.
The CSF is designed to be valuable for any type of organization and is expected to provide appropriate guidance over a long time.
National Institute of Standards and Technology, NIST.CSWP.29, February 26, 2024
Related
CEI UNI EN ISO/IEC 27001:2024
Legislative Decree No. 138 of 4 September 2024
Directive (EU) 2022/2557
Directive (EU) 2016/1148
Directive (EU) 2018/1972
Description | Level | Size | Downloads |
---|---|---|---|
The NIST Cybersecurity Framework (CSF) 2.0.pdf NIST 2024 | | 1493 kB | 2 |