a NIST blog
It has been one year since the release of the NIST Cybersecurity Framework (CSF) 2.0! To make improving your security posture even easier, in this blog we are:
Sharing new CSF 2.0 resources;
Taking a retrospective look at some resources and applications you may have missed; and
Highlighting ways you can stay involved in our work, helping us help you implement better cybersecurity.
NIST’s subject matter experts have worked over the last year to continue expanding the CSF 2.0 implementation resources to help you secure your enterprise. Stakeholders are a very important force behind NIST’s cybersecurity and privacy programs. We want to recognize and express gratitude to all who provide direct feedback to NIST, implement the CSF, or promote awareness of the CSF and its resources in service of helping organizations of all sizes and sectors improve their cybersecurity posture.
What’s New in 2025?
The CSF team is excited to announce additional resources designed to provide different audiences with tailored pathways to implement a stronger cybersecurity posture using CSF 2.0, making the Framework easier to put into action.
Ensuring cybersecurity risk management is supporting the organization’s mission and objectives
One of the major updates to CSF 2.0 is the focus on cybersecurity governance to highlight the importance of ensuring cybersecurity capabilities support the broader mission through Enterprise Risk Management (ERM). A NIST publication series that helps practitioners better understand the close relationship between cybersecurity and ERM is the NIST IR 8286 series. The publications have been updated to align more closely with the CSF 2.0 and other updated NIST guidance, with three of them now seeking public comment:
NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management — View the publication and submit comments by April 14, 2025.
NIST IR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management — View the publication and submit comments by April 14, 2025.
NIST IR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight — View the publication and submit comments by April 14, 2025.
Other publications in the NIST IR 8286 series that have recently been updated include:
NIST IR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management
NIST IR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response
Making It Easier for Practitioners to Work with Multiple NIST Frameworks
Mappings are tools that can help practitioners minimize the time and effort involved in working with multiple frameworks to manage cybersecurity risks.
Improving your ability to address the persistent threat of ransomware
Ransomware can attack organizations of all sizes, in any sector. On January 13, 2025, the NIST National Cybersecurity Center of Excellence (NCCoE) published an initial public draft of NIST Interagency Report (NIST IR) 8374 Revision 1, Ransomware Risk Management: A Cybersecurity Framework 2.0 Community Profile, to help organizations gauge readiness to counter ransomware threats, mitigate potential consequences of a ransomware event, and develop a ransomware countermeasure playbook. View the publication and submit comments by March 14, 2025.
Supporting U.S. allies around the globe in establishing a stronger cybersecurity posture
As a result of widespread international use, in addition to the current CSF 2.0 translations, additional CSF 2.0 resources have been translated into a number of languages, including French, Portuguese, and Spanish, with more expected in the near future. View our December 2024 Cybersecurity Insights blog to learn more about our recent international cybersecurity and privacy efforts. Translations of NIST documents help expand the use of our cybersecurity and privacy resources globally and help improve U.S. company engagement in global markets.
Want to keep learning? Register for the CSF 2.0 webinar series
The CSF team is launching a CSF 2.0 Webinar Series in 2025 offering substantive deep-dives into specific CSF 2.0 topics, with practical, actionable information and resources to help organizations better manage cybersecurity risks using the CSF 2.0. The planned webinars include:
March 20, 2025 (2:00 - 3:00 PM EST): Implementing CSF 2.0—The Why, What and How. Register here.
May 20, 2025 (2:00 - 3:00 PM EST): Deep Dive into the CSF 2.0 Govern Function. Save the date! Registration will open in the coming months.
August 20, 2025 (2:00 - 3:00 PM EST): Deep Dive into the CSF 2.0 Ransomware Profile. Save the date! Registration will open in the coming months.
View all upcoming and past events on our CSF 2.0 event page.
A look back at the last year
This has been a busy year for the CSF team. Below are a few additional updates you may have missed:
NIST published the CSF 2.0 on February 26, 2024, the first major update of NIST’s landmark cybersecurity guidance since its creation in 2014. The CSF 2.0 immediately enabled millions of U.S. organizations already using the CSF to better manage cybersecurity risks, helping to improve the Nation's cybersecurity and protect Federal Government networks.
Published along with the CSF 2.0 was a catalogue of new resources to help implementers get the most out of the Framework. The CSF isn’t a singular document. Instead, it is a collection of actionable resources that help organizations better understand, assess, prioritize and communicate their cybersecurity risks.
The NCCoE launched a new NIST Frameworks Resource Page, which is a repository of guidance for creating Community Profiles and additional materials to support applying NIST Frameworks. Several organizations have already come together to publish CSF 2.0 community profiles, such as for the financial services sector and for the telecommunications industry.
The NIST Small Business Cybersecurity Corner page launched the CSF 2.0 page to feature small business-focused CSF 2.0 resources.
During National Cybersecurity Awareness Month in October 2024, the CSF team announced a CSF 2.0 resource expansion, which included new videos, translations, finalized Quick Start Guides, and new mapping tools.
CSF 2.0 became the most downloaded publication of all NIST’s 20,000+ publications, highlighting its popularity and use.
The CSF team regularly participated in virtual and in-person events across the U.S. and around the globe to share CSF 2.0 resources and engage with stakeholders.
As a result of widespread international use, 15 different CSF 2.0 resources were translated into French, German, Korean, Polish, Portuguese, and Spanish.
On April 24, 2024, NIST was awarded the Ecosystem Champion Award at the inaugural edition of the Cyber Policy Awards, hosted by The Institute for Security and Technology (IST) in partnership with the Center for Cybersecurity Policy and Law. This award recognizes an individual, small group, or organization whose efforts have led to broad structural and long-lasting positive impacts on the cyber ecosystem.
There are many ways you can engage with the CSF team to get more involved in our efforts to help organizations of all sizes and sectors improve their cybersecurity risk management, including: