
NIST Cybersecurity Framework and NIST Cybersecurity Framework 2.0

An explanation of the NIST Cybersecurity Framework with NIST Cybersecurity Framework 2.0 updates

The National Institute of Standards and Technology, usually called NIST, is an agency that is part of the U.S. Department of Commerce. NIST provides guidelines on managing cybersecurity risk for information systems.

A multi-year collaborative effort, the NIST Cybersecurity Framework (NIST CSF) was released in 2014 under an executive order from President Barack Obama. A subsequent executive order, issued in 2017 by President Donald Trump, made compliance with the NIST CSF mandatory for all federal government agencies and all entities in their supply chain.

NIST core mission: “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

The NIST Cybersecurity Framework was initially intended to improve the security of U.S. critical infrastructure, defined as the assets, systems, and functions deemed vital. It defines 16 critical infrastructure sectors, including:

The U.S. government subsequently adopted the NIST Cybersecurity Framework as a mandatory standard to regulate security for all federal information systems in 2017.

While not mandatory for non-federal agencies and providers, the best practices, standards, and recommendations set forth in the NIST Cybersecurity Framework are also widely used to identify, detect, and respond to cyber attacks.

In addition, guidelines in the framework are also used to prevent and recover from an attack. Using the NIST Cybersecurity Framework helps non-federal organizations ensure the optimal security of systems and assures the public of their commitment to security.

The framework describes outcomes to prioritize and mitigate cybersecurity risk. Categories and subcategories include more specific technical and management outcomes that support security practices and incident response plans.

Updates to NIST CSF 2.0

Version 2.0 represents the first major update to the NIST Cybersecurity Framework. It was released in February 2024. Key drivers for the update were a desire to:

  • Align and integrate with other NIST frameworks, such as the NIST Privacy Framework, NIST Risk Management Framework (RMF), and the NIST Secure Software Development Framework (SSDF)
  • Broaden the applicability of the NIST CSF from critical infrastructure to all organizations regardless of sector, size, or maturity level
  • Emphasize supply chain risk, cybersecurity governance, and implementation
  • Enable organizations to customize the framework to suit their needs and prioritize actions based on risk, then transition from planning to action more easily

Journey to NIST CSF 2.0

The journey to NIST CSF 2.0 reflects a decade of evolving cybersecurity challenges and lessons learned. NIST CSF 2.0 supports a more holistic, risk-informed approach to cybersecurity. Though it is not specifically designed to strengthen cyber resilience, it can help organizations understand and evaluate their cyber resilience and better align security efforts with business objectives.

Identify, protect, detect, respond, recover, and govern

The five core functions established in the original NIST Cybersecurity Framework did not change between Version 1.0 and Version 2.0. They remain Identify, Protect, Detect, Respond, and Recover. NIST CSF 2.0 includes a new core function, Govern. The new Govern function was added to emphasize the importance of governance in managing cybersecurity risk.

Govern

Establish, communicate, and monitor the cybersecurity risk management strategy, expectations, and policy. Included in this function are:

  • Organizational context (GV.OC)
  • Risk management strategy (GV.RM)
  • Roles, responsibilities, and authorities (GV.RR)
  • Policy (GV.PO)
  • Oversight (GV.OV)
  • Cybersecurity supply chain risk management (GV.SC)

Identify

Identify and assess cybersecurity risks to systems, assets, data, and resources. Included in this function are:

  • Asset management (ID.AM)
  • Risk assessment (ID.RA)
  • Improvement (ID.IM)

Protect

Controls and procedures are applied to safeguard the organization’s assets. Included in this function are:

Implementation tiers of NIST CSF

The NIST Cybersecurity Framework Implementation section includes four tiers that describe the degree to which an organization has implemented NIST controls and how closely its cybersecurity risk management practices follow the guidelines.

  • Tier One—Partial
    At Tier One, organizations may not have cybersecurity coordination or processes. Tier One organizations do not prioritize cybersecurity.
  • Tier Two—Risk-informed
    Organizations at Tier Two of the NIST Cybersecurity Framework are aware of some risks and plan to respond to them to meet compliance requirements. However, despite these efforts, Tier Two organizations may not be aware of or addressing all security concerns quickly enough.
  • Tier Three—Repeatable
    Tier Three organizations have clearly defined and regularly repeatable cybersecurity processes. These organizations have executive support for implementing risk management and cybersecurity best practices. Organizations that have reached Tier Three are prepared to address cybersecurity risks and threats as well as identify and remediate vulnerabilities in their environments.
  • Tier Four—Adaptive
    At the top tier of the NIST Cybersecurity Framework, Tier Four organizations proactively implement and upgrade cybersecurity measures. These organizations use advanced adaptive cybersecurity practices to continuously assess risky behaviors and events to help protect from or adapt to threats before they happen.

Steps to implement NIST CSF

Implementing the NIST Cybersecurity Framework involves a series of strategic and operational steps. The process is designed to be flexible so that it can be used by organizations of all sizes and sectors. The main steps to implement the NIST CSF are:

  1. Establish leadership and governance, including:
    o Identifying key stakeholders and getting executive buy-in
    o Defining roles and responsibilities for cybersecurity governance
    o Setting cybersecurity policies, risk tolerance, and objectives aligned with business goals
  2. Understand the organization’s context, including:
    o Identifying critical assets, data, systems, and business processes
    o Understanding internal and external threats, vulnerabilities, and legal/regulatory requirements
  3. Create a CSF Profile, which includes:
    o Describing the organization’s current cybersecurity state and target state
    o Reviewing any applicable Community Profile for guidance
  4. Conduct a gap analysis, including:
    o Comparing the current profile to the target profile
    o Identifying gaps in the CSF functions, categories, and subcategories
  5. Develop and implement an action plan, including:
    o Creating a roadmap with milestones, timelines, roles, and responsibilities
    o Implementing security controls, process changes, or technology updates to close identified gaps
    o Using the Implementation examples provided in the NIST CSF for guidance
  6. Measure and monitor, including:
    o Defining metrics and KPIs to track progress toward the Target Profile
    o Conducting continuous monitoring of threats, vulnerabilities, and control effectiveness
    o Adjusting strategies and controls as the organization and threat landscape evolve
  7. Communicate and review regularly, including:
    o Sharing progress and updates with executives, stakeholders, and teams
    o Periodically reassessing the NIST CSF Profile, especially after significant business or IT changes, security incidents, and regulatory updates
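Steps 3 through 6 above (profile, gap analysis, action plan, metrics) can be made concrete with a small script. This is an added example, not code from the original article or from NIST: the category identifiers are the ones named on this page, while the four-level implementation scale, the sample profile values, and the risk weights are constructed here for illustration.

```python
"""Gap analysis between a NIST CSF 2.0 Current Profile and Target Profile.

Added example; the ordinal scale, sample profiles and risk weights are constructed
assumptions, not values defined by NIST.
"""
from dataclasses import dataclass

# Constructed ordinal scale for how fully a category's outcomes are achieved.
LEVELS = {"not_started": 0, "partial": 1, "largely": 2, "fully": 3}


@dataclass(frozen=True)
class Gap:
    category: str   # CSF category identifier, e.g. "GV.SC"
    function: str   # CSF function prefix, e.g. "GV"
    current: str    # level recorded in the Current Profile
    target: str     # level required by the Target Profile
    distance: int   # target level minus current level
    weight: int     # constructed risk weight supplied by the assessor (1-5)

    @property
    def priority(self) -> int:
        # Larger gaps on riskier categories rise to the top of the roadmap.
        return self.distance * self.weight


def gap_analysis(current, target, weights):
    """Return categories where the Current Profile falls short of the Target
    Profile, sorted by priority (highest first). A target category that was
    never assessed is an error rather than a silent zero."""
    missing = sorted(set(target) - set(current))
    if missing:
        raise ValueError(f"categories in target but not assessed in current: {missing}")
    gaps = []
    for cat, tgt in target.items():
        cur = current[cat]
        distance = LEVELS[tgt] - LEVELS[cur]
        if distance > 0:
            gaps.append(Gap(cat, cat.split(".")[0], cur, tgt, distance, weights.get(cat, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.category))


def summarize_by_function(gaps):
    """Aggregate outstanding priority per CSF function (GV, ID, ...) as a
    simple progress metric for reporting to leadership (step 6)."""
    totals = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.priority
    return totals


# Constructed sample profiles over the Govern and Identify categories named above.
CURRENT = {
    "GV.OC": "largely", "GV.RM": "partial", "GV.RR": "fully",
    "GV.PO": "partial", "GV.OV": "not_started", "GV.SC": "not_started",
    "ID.AM": "partial", "ID.RA": "largely", "ID.IM": "not_started",
}
TARGET = {cat: "fully" for cat in CURRENT}
TARGET["GV.OV"] = "largely"          # target state need not be "fully" everywhere
WEIGHTS = {"GV.SC": 5, "ID.AM": 4, "GV.RM": 3}   # constructed assessor judgement

if __name__ == "__main__":
    gaps = gap_analysis(CURRENT, TARGET, WEIGHTS)
    for g in gaps:
        print(f"{g.category}: {g.current} -> {g.target} (priority {g.priority})")
    print(summarize_by_function(gaps))
```

Re-running the script after each milestone, with an updated Current Profile, gives the per-function totals that step 6 asks you to track over time.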

Getting started with the NIST Cybersecurity Framework

The NIST Cybersecurity Framework is one of the most widely employed cybersecurity frameworks in the U.S. However, it takes effort to implement. In addition to understanding the core functions and developing an implementation plan, it is also important to review the relevant Community Profile and examples of other NIST CSF implementations.

NIST Cybersecurity Framework use cases

Common use cases for the NIST Cybersecurity Framework (CSF) include using it to guide:

  • Risk management—how to identify, assess, and prioritize cybersecurity risks to enable informed decision-making and resource allocation
  • Cybersecurity program development—a foundation for building or enhancing a cybersecurity program, aligning security activities with business objectives
  • Compliance and regulatory alignment—cybersecurity practices mapped to various standards (e.g., NIST SP 800-53, ISO/IEC 27001) to streamline compliance efforts
  • Supply chain risk management—how to evaluate and manage third-party and vendor risks
  • Communication—a common language supports clear communication between technical teams, executives, and stakeholders
  • Continuous improvement—an outcome-driven approach to measure progress, adapt to changing threats, and mature the organization’s cybersecurity posture over time

NIST Cybersecurity Framework examples

In addition to the NIST Cybersecurity Framework, NIST has produced more than 200 special publications focusing on specific cybersecurity risk management areas, such as risk assessments, identity access control, managing protective technology, and responding to cybersecurity events or incidents. Examples of the most frequently used NIST Cybersecurity Framework publications include the following.

NIST Special Publication (SP) 800-30

NIST SP 800-30, Guide for Conducting Risk Assessments, provides guidance for cyber risk assessments and management. It includes controls and control baselines based on industry recommendations and standards. NIST SP 800-30 also helps organizations present cyber risk in a way that leadership teams can understand.

NIST Special Publication (SP) 800-37

NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, describes the Risk Management Framework (RMF). It also provides guidelines for applying the RMF to information systems and organizations. NIST SP 800-37 includes a detailed, six-step process for managing security and privacy risks.

NIST Special Publication (SP) 800-53

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, provides the controls required to implement the NIST Cybersecurity Framework. NIST SP 800-53 has over 1,000 controls across twenty control families.

By implementing the security controls set forth in NIST 800-53, organizations meet Federal Information Security Modernization Act (FISMA) security requirements. In addition, implementing NIST 800-53 controls meets Federal Information Processing Standard Publication 200 (FIPS 200) requirements, which are mandatory for all federal agencies and entities in their supply chain.

NIST Special Publication (SP) 800-122

NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), provides recommendations for handling PII (Personally Identifiable Information). It offers practical, context-based guidance for identifying PII.

NIST SP 800-122 also guides determining what level of protection is appropriate for each instance and recommends safeguards. In addition, NIST SP 800-122 provides direction for developing response plans for breaches involving PII.

NIST Special Publication (SP) 800-125

NIST SP 800-125, Guide to Security for Full Virtualization Technologies, provides recommendations for addressing the security challenges related to full server and desktop virtualization technologies. NIST 800-125 defines virtualization for government use and outlines requirements for securing, hardening, and provisioning virtual systems.

NIST Special Publication (SP) 800-171

Under NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, compliance is mandatory for every organization contracting with the U.S. Department of Defense (DoD). It covers all nonfederal information systems and organizations that are DoD contractors and process, store, or transmit Controlled Unclassified Information (CUI). Under NIST SP 800-171, these entities must meet the minimum security standards established by the Defense Federal Acquisition Regulation Supplement (DFARS) to retain their DoD contracts.

NISTIR 8170

Another NIST publication, NISTIR 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework, details eight approaches for using the NIST Cybersecurity Framework.

  1. Integrate enterprise and cybersecurity risk management by communicating with universally understood risk terms.
  2. Manage cybersecurity requirements using a construct that enables integration and prioritization of requirements.
  3. Integrate and align cybersecurity and acquisition processes by relaying requirements and priorities in common and concise language.
  4. Evaluate organizational cybersecurity using a standardized and straightforward measurement scale and self-assessment criteria.
  5. Manage the cybersecurity program by determining which outcomes necessitate common controls and apportioning work and responsibility for those outcomes.
  6. Maintain a comprehensive understanding of cybersecurity risk using a standard organizing structure.
  7. Report cybersecurity risks using a universal and understandable structure.
  8. Inform the tailoring process using a comprehensive reconciliation of cybersecurity requirements.

DISCLAIMER: THE INFORMATION CONTAINED IN THIS ARTICLE IS FOR INFORMATIONAL PURPOSES ONLY, AND NOTHING CONVEYED IN THIS ARTICLE IS INTENDED TO CONSTITUTE ANY FORM OF LEGAL ADVICE. SAILPOINT CANNOT GIVE SUCH ADVICE AND RECOMMENDS THAT YOU CONTACT LEGAL COUNSEL REGARDING APPLICABLE LEGAL ISSUES.

NIST Cybersecurity Framework FAQ

What are the 6 principles of NIST?

The NIST Cybersecurity Framework is built upon six core principles that guide its application and implementation to ensure robust cybersecurity and risk management.

1. Prioritize—emphasizes the importance of understanding the most critical assets and vulnerabilities within an organization to allocate resources effectively.

2. Assess—involves evaluating existing security measures and identifying gaps or weaknesses that need to be addressed.

3. Implement risk management strategies—mitigate identified risks and establish a proactive culture of security across the organization.

4. Create an information flow—develop a cyclical process of information sharing, both internally and externally, to foster a comprehensive understanding of potential threats and responses.

5. Continuous improvement—regularly update and refine their cybersecurity measures in response to evolving threats and technological advancements.

6. Principle of learning—actively seek to learn from past incidents, industry developments, and best practices and incorporate insights into security protocols to enhance future resilience.

What are the 6 NIST cybersecurity frameworks?

The six major NIST cybersecurity frameworks support different aspects of cybersecurity, privacy, risk, and compliance, and are often used together to build a holistic cybersecurity program.

1. NIST AI Risk Management Framework (AI RMF)—helps organizations manage risks associated with artificial intelligence systems

2. NIST Cybersecurity Framework (CSF)—provides a high-level, flexible approach to managing cybersecurity risks

3. NIST Privacy Framework—functions as a companion to the CSF focused on managing privacy risks

4. NIST Risk Management Framework (RMF)—guides federal agencies and contractors in managing risk

5. NIST Secure Software Development Framework (SSDF)—provides best practices for integrating security into all phases of the software development lifecycle (SDLC)

6. NIST Supply Chain Risk Management Practices—provides guidance on managing cybersecurity risks in the supply chain

What are the 6 steps of NIST?

The 6 steps of NIST refer to the steps in the original NIST Risk Management Framework (RMF) released in 2004. NIST updated this framework in 2018 and added an additional step.

1. Prepare

2. Categorize

3. Select

4. Implement

5. Assess

6. Authorize

7. Monitor

How does the NIST Cybersecurity Framework enhance security?

The Cybersecurity Framework (CSF) 2.0 is designed to help organizations of all sizes and sectors — including industry, government, academia, and nonprofit — manage and reduce their cybersecurity risks. The NIST Cybersecurity Framework helps organizations protect critical systems and data by helping to increase security awareness and preparedness. This flexible model supports security improvements by helping organizations better:

  • Communicate new requirements throughout the organization
  • Determine current levels of implemented cybersecurity measures by creating a profile
  • Identify new potential cybersecurity standards and policies to enhance cybersecurity

Is there a NIST Cybersecurity Framework certification?

There is no certification for the overall NIST Cybersecurity Framework, but there is a NIST cybersecurity implementation certification. This certification attests to an organization’s ability to use NIST best practices to implement the structure, governance, and policy required to support robust cybersecurity.

What are the three parts of the NIST Cybersecurity Framework?

There are three parts to the NIST Cybersecurity Framework: Core, Profiles, and Implementation Tiers. The objective of these is to provide a strategic view of the cybersecurity risks in an organization.

  • CSF Framework Core—a set of cybersecurity activities, desired outcomes, and applicable references (not a defined checklist). These are divided into four categories
    1. Functions—Govern, Identify, Detect, Protect, Respond, and Recover
    2. Categories—specify the items (e.g., implement software updates, install antivirus and antimalware programs, and have access control policies to carry out the “protect” function)
    3. Subcategories—items associated with the categories (e.g., turning on auto-updates on systems to support the “implement software updates” category)
    4. Informative sources—supporting documentation explains how to perform the tasks set forth in the various functions, categories, and subcategories
  • CSF Profiles—describe an organization’s current and target cybersecurity measures and help define requirements for strategic security roadmaps. They include:
    o Current Profile—specifies the Core outcomes currently achieved
    o Target Profile—specifies the desired outcomes
    o Community Profile—a composite profile created for various sectors to facilitate goal setting and realization
  • CSF Tiers—describe the degree to which an organization has implemented NIST controls
    o Tier One—Partial
    o Tier Two—Risk-informed
    o Tier Three—Repeatable
    o Tier Four—Adaptive

What are NIST Special Publications?

NIST Special Publications provide detailed specifications in subject areas, often to clarify a topic. NIST has hundreds of special publications that include guidelines, recommendations, and reference materials. They fall into three categories:

1. SP 500 — Information technology (relevant documents)

2. SP 800 — Computer security

3. SP 1800 — Cybersecurity practice guides

Is compliance with the NIST Cybersecurity Framework mandatory?

Compliance is required for federal agencies and any entity in the supply chain of a federal agency. For all other entities, it is recommended but is optional.

What is the connection between NIST SP 800-53 and FISMA?

Compliance with NIST SP 800-53, Security and Privacy Controls for Federal Information Systems, helps organizations meet the Federal Information Security Modernization Act (FISMA) requirements with a nine-step checklist.

1. Categorize the data and information systems that need to be protected.

2. Develop an applicable security control baseline for the minimum controls required to protect that information.

3. Assess the security controls to determine the extent to which the baseline controls need refinement, and ensure that they are implemented correctly, operating as intended, and meeting the organization’s security requirements.

4. Document the design, development, and implementation details for the baseline controls in a security plan.

5. Implement security controls.

6. Monitor the performance of the implemented controls.

7. Determine risk based on an assessment of the security controls.

8. Authorize the information system for processing based on a determination that any identified risks are acceptable.

9. Conduct continuous monitoring of the security controls in the information system and environment to manage effectiveness, changes to the system or environment, and compliance.

What is the ISO 27001 framework?

The ISO 27001 framework is an international standard designed to establish, implement, maintain, and continually improve an information security management system (ISMS) within an organization. This comprehensive framework sets forth a systematic approach to managing sensitive company information so it remains secure. It includes policies, processes, and controls involving people, processes, and technology in managing risks related to information security.

What is the difference between ISO 27001 and the NIST Cybersecurity Framework?

Three differences between NIST and ISO 27001 are:

1. Certification

The NIST Cybersecurity Framework is a self-certified framework that does not require outside certification. ISO 27001 offers globally recognized certification based on a third-party audit.

2. Cost

The NIST Cybersecurity Framework is free. Organizations are charged a fee to access ISO 27001 documentation.

3. Use cases

The NIST Cybersecurity Framework is best for organizations creating a cybersecurity risk management strategy, addressing specific vulnerabilities, or responding to data breaches. ISO 27001 is best for organizations with a mature cybersecurity program that pursue ISO certification to bolster their security credibility.

Date: April 12, 2025
Reading time: 12 minutes