NIST SP 1299

The document provides an overview of the NIST Cybersecurity Framework version 2.0, including its purpose and components. It describes the six main functions of the framework and provides high-level details about each. It also lists additional resources available on the NIST website to help organizations implement the framework.


NIST Cybersecurity Framework 2.0: RESOURCE & OVERVIEW GUIDE

NIST Special Publication 1299
https://doi.org/10.6028/NIST.SP.1299
February 2024

WHAT IS THE CSF 2.0…AND POPULAR WAYS TO USE IT?

The NIST Cybersecurity Framework (CSF) 2.0 can help organizations manage and reduce their cybersecurity
risks as they start or improve their cybersecurity program. The CSF outlines specific outcomes that
organizations can achieve to address risk. Other NIST resources help explain specific actions that can be
taken to achieve each outcome. This guide is a supplement to the NIST CSF and is not intended to replace it.

The CSF 2.0, along with NIST’s supplementary resources, can be used by organizations to understand,
assess, prioritize, and communicate cybersecurity risks; it is particularly useful for fostering internal and
external communication across teams — as well as integrating with broader risk management strategies.

The CSF 2.0 is organized by six Functions — Govern, Identify, Protect, Detect, Respond, and Recover.
Together, these Functions provide a comprehensive view for managing cybersecurity risk. This Resource &
Overview Guide offers details about each Function to serve as potential starting points.

The CSF 2.0 comprises:

• CSF Core - A taxonomy of high-level cybersecurity outcomes that can help any organization manage its
cybersecurity risks.
• CSF Organizational Profiles - A mechanism for describing an organization’s current and/or
target cybersecurity posture in terms of the CSF Core’s outcomes.
• CSF Tiers - Can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s
cybersecurity risk governance and management practices.
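To make the relationship between the Core and Organizational Profiles concrete, here is an added Python example (not part of NIST SP 1299 and not a NIST tool) that compares a Current Profile with a Target Profile over a handful of Core outcomes and orders the resulting gaps into a remediation list. The outcome ids follow the Core's Function.Category-Subcategory naming; the Core slice, the status scale, the sample Profiles and the priorities are constructed assumptions.

```python
"""Gap analysis between a Current and a Target CSF 2.0 Organizational Profile.
Constructed example: outcome ids follow the Core's Function.Category-Subcategory
scheme, but descriptions, status scale and priorities are assumptions."""
from dataclasses import dataclass

# Assumed implementation scale recorded per Core outcome in a Profile.
STATUS_RANK = {"not_implemented": 0, "partially": 1, "largely": 2, "fully": 3}

# Constructed slice of the Core: outcome id -> (Function, short description).
CORE = {
    "GV.OC-01": ("Govern", "mission informs cybersecurity risk management"),
    "ID.AM-01": ("Identify", "hardware inventory is maintained"),
    "PR.AA-01": ("Protect", "identities and credentials are managed"),
    "DE.CM-01": ("Detect", "networks are monitored for adverse events"),
    "RS.MA-01": ("Respond", "incident response plan is executed"),
    "RC.RP-01": ("Recover", "recovery portion of the plan is executed"),
}

@dataclass
class Gap:
    outcome: str
    function: str
    current: str
    target: str
    priority: int  # 1 = highest; an assumed organizational weighting

def profile_gaps(current: dict, target: dict, priority: dict) -> list[Gap]:
    """Outcomes where the Current Profile falls short of the Target Profile.
    An outcome in the Target but absent from the Current Profile counts as
    not implemented. Ordered by priority, then by size of shortfall."""
    gaps = []
    for outcome, want in target.items():
        if outcome not in CORE:
            raise KeyError(f"unknown Core outcome {outcome}")
        have = current.get(outcome, "not_implemented")
        if STATUS_RANK[have] < STATUS_RANK[want]:
            gaps.append(Gap(outcome, CORE[outcome][0], have, want, priority.get(outcome, 3)))
    return sorted(gaps, key=lambda g: (g.priority, STATUS_RANK[g.current] - STATUS_RANK[g.target]))

# Constructed sample Profiles; RC.RP-01 was never assessed, so it is missing.
CURRENT_PROFILE = {"GV.OC-01": "partially", "ID.AM-01": "largely", "PR.AA-01": "fully",
                   "DE.CM-01": "not_implemented", "RS.MA-01": "partially"}
TARGET_PROFILE = {o: ("largely" if o == "GV.OC-01" else "fully") for o in CORE}
PRIORITY = {"DE.CM-01": 1, "RC.RP-01": 1, "GV.OC-01": 2}

def example_gaps() -> list[str]:
    """Outcome ids to work on, highest priority first."""
    return [g.outcome for g in profile_gaps(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)]
```

Outcomes the organization never assessed surface at the top when they carry a high priority, which is the case the Profile comparison is meant to catch.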

EXPLORE MORE CSF 2.0 RESOURCES

Informative References: View and create mappings between CSF 2.0 and other documents. Do you want to submit your mappings to NIST documents and have them displayed on our site? Please follow the link to the left or email [email protected] if you have any questions.

Cybersecurity & Privacy Reference Tool (CPRT): Browse and download the CSF 2.0 Core & mapped content. CPRT provides a centralized, standardized, and modernized mechanism for managing reference datasets (and offers a consistent format for accessing reference data from various NIST cybersecurity and privacy standards, guidelines, and frameworks).

Implementation Examples: View and download notional examples of concise, action-oriented steps to help achieve the outcomes of the CSF 2.0 Subcategories in addition to the guidance provided in the Informative References.

CSF 2.0 Reference Tool: Access human- and machine-readable versions of the Core (in JSON and Excel). You can also view and export portions of the Core using key search terms.

Additional Resources Include:


Community Profiles and Profile templates (help organizations put the CSF into practice)
Search tools (simplify and streamline as you look for specific information)
Concept papers (learn more about various CSF topics)
FAQs (see what others are asking and get answers to top questions)

Explore the suite of NIST’s CSF 2.0 Resource Repository



NAVIGATING NIST’s CSF 2.0 QUICK START GUIDES (QSG)

QSG Type | Description | Explore
Small Business (SMB) | Provides SMBs, specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy. | See the QSG
Creating and Using Organizational Profiles | Provides all organizations with considerations for creating and using Current and/or Target Profiles to implement the CSF 2.0. | See the QSG
Using the CSF Tiers | Explains how any organization can apply the CSF Tiers to Organizational Profiles to characterize the rigor of its cybersecurity risk governance and management practices. | See the QSG
Draft Cybersecurity Supply Chain Risk Management (C-SCRM) | Helps all organizations to become smart acquirers and suppliers of technology products and services by improving their C-SCRM processes. | See the QSG
Draft Enterprise Risk Management (ERM) Practitioners | Details how Enterprise Risk Management practitioners can utilize the outcomes provided in CSF 2.0 to improve organizational cybersecurity risk management. | See the QSG

…and more to follow in the future.

See the current online QSG repository


GOVERN
The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

Understand and assess specific cybersecurity needs. Determine your organization’s unique risks and needs. Discuss the current and predicted risk environment and the amount of risk your organization is willing to accept. Seek input and ideas from across the organization. Understand what has worked or not worked well in the past and discuss it openly.

Develop a tailored cybersecurity risk strategy. This should be based on your organization’s specific cybersecurity objectives, the risk environment, and lessons learned from the past — and from others. Manage, update, and discuss the strategy at regular intervals. Roles and responsibilities should be clear.

Establish defined risk management policies. Policies should be approved by management and should be organization-wide, repeatable, and recurring, and should align with the current cybersecurity threat environment, risks (which will change over time), and mission objectives. Embed policies in company culture to help drive and inspire the ability to make informed decisions. Account for legal, regulatory, and contractual obligations.

Develop and communicate organizational cybersecurity practices. These must be straightforward and communicated regularly. They should reflect the application of risk management to changes in mission or business requirements, threats, and overall technical landscape. Document practices and share them with room for feedback and the agility to change course.

Establish and monitor cybersecurity supply chain risk management. Establish strategy, policy, and roles and responsibilities — including for overseeing suppliers, customers, and partners. Incorporate requirements into contracts. Involve partners and suppliers in planning, response, and recovery.

Implement continuous oversight and checkpoints. Analyze risks at regular intervals and monitor them continuously (just as you would with financial risks).

IDENTIFY
The organization’s current cybersecurity risks are understood.

Identify critical business processes and assets. Consider which of your organization’s activities absolutely must continue to be viable. For example, this could be maintaining a website to retrieve payments, securely protecting customer/patient information, or ensuring that the information critical to your organization remains accessible and accurate.

Maintain inventories of hardware, software, services, and systems. Know what computers and software your organization uses — including services provided by suppliers — because these are frequently the entry points of malicious actors. This inventory could be as simple as a spreadsheet. Consider including owned, leased, and employees’ personal devices and apps.

Document information flows. Consider what type of information your organization collects and uses (and where the data are located and how they are used), especially when contracts and external partners are involved.

Identify threats, vulnerabilities, and risk to assets. Informed by knowledge of internal and external threats, risks should be identified, assessed, and documented. Examples of ways to document them include risk registers – repositories of risk information, including data about risks over time. Ensure risk responses are identified, prioritized, and executed, and that results are monitored.

Lessons learned are used to identify improvements. When conducting day-to-day business operations, it is important to identify ways to further refine or enhance performance, including opportunities to better manage and reduce cybersecurity risks. This requires purposeful effort by your organization at all levels. If there is an incident, assess what happened. Prepare an after-action report that documents the incident, the response, recovery actions taken, and lessons learned.
PROTECT
Safeguards to manage the organization’s cybersecurity risks are used.

Manage access. Create unique accounts for employees and ensure users only have access to necessary resources. Authenticate users before they are granted access to information, computers, and applications. Manage and track physical access to facilities/devices.

Train users. Regularly train employees to ensure they are aware of cybersecurity policies and procedures and that they have the knowledge and skills to perform general and specific tasks; explain how to recognize common attacks and report suspicious activity. Certain roles may require extra training.

Protect and monitor your devices. Consider using endpoint security products. Apply uniform configurations to devices and control changes to device configurations. Disable services or features that don't support mission functions. Configure systems and services to generate log records. Ensure devices are disposed of securely.

Protect sensitive data. Ensure sensitive stored or transmitted data are protected by encryption. Consider utilizing integrity checking so only approved changes are made to data. Securely delete and/or destroy data when no longer needed or required.

Manage and maintain software. Regularly update operating systems and applications; enable automatic updates. Replace end-of-life software with supported versions. Consider using software tools to scan devices for additional vulnerabilities and remediate them.

Conduct regular backups. Back up data at agreed-upon schedules or use built-in backup capabilities; software and cloud solutions can automate this process. Keep at least one frequently backed-up set of data offline to protect it against ransomware. Test to ensure that backed-up data can be successfully restored to systems.

DETECT
Possible cybersecurity attacks and compromises are found and analyzed.

Monitor networks, systems, and facilities continuously to find potentially adverse events. Develop and test processes and procedures for detecting indicators of a cybersecurity incident on the network and in the physical environment. Collect log information from multiple organizational sources to assist in detecting unauthorized activity.

Determine and analyze the estimated impact and scope of adverse events. If a cybersecurity event is detected, your organization should work quickly and thoroughly to understand the impact of the incident. Understanding details regarding any cybersecurity incidents will help inform the response.

Provide information on adverse events to authorized staff and tools. When adverse events are detected, provide information about the event internally to authorized personnel to ensure appropriate incident response actions are taken.
RESPOND
Actions regarding a detected cybersecurity incident are taken.

Execute an incident response plan once an incident is declared, in coordination with relevant third parties. To properly execute an incident response plan, ensure everyone knows their responsibilities; this includes understanding any requirements (e.g., regulatory, legal reporting, and information sharing).

Categorize and prioritize incidents and escalate or elevate as needed. Analyze what has been taking place, determine the root cause of the incident, and prioritize which incidents require attention first from your organization. Communicate this prioritization to your team and ensure everyone understands to whom information should be communicated regarding a prioritized incident when it occurs.

Collect incident data and preserve its integrity and provenance. Collecting information in a safe manner will help in your organization’s response to an incident. Ensure that data are still secure after the incident to maintain your organization’s reputation and trust from stakeholders. Storing this information in a safe manner can also help inform updated and future response plans to be even more effective.

Notify internal and external stakeholders of any incidents and share incident information with them — following policies set by your organization. Securely share information consistent with response plans and information-sharing agreements. Notify business partners and customers of incidents in accordance with contractual requirements.

Contain and eradicate incidents. Executing a developed and tested response plan will help your organization contain the effects of an incident and eradicate it. Meaningful coordination and communication with stakeholders can result in a more effective response and mitigation of the incident.

RECOVER
Assets and operations affected by a cybersecurity incident are restored.

Understand roles and responsibilities. Understand who, within and outside your business, has recovery responsibilities. Know who has access and authority to make decisions to carry out your response efforts on behalf of the business.

Execute your recovery plan. Ensure operational availability of affected systems and services, and prioritize and perform recovery tasks.

Double-check your work. It is important to ensure the integrity of backups and other recovery assets before using them to resume regular business operations.

Communicate with internal and external stakeholders. Carefully account for what, how, and when information will be shared with various stakeholders so that all interested parties receive the information they need, but no inappropriate information is shared. Communicate to your staff any lessons learned and revisions to processes, procedures, and technologies (following policies already set by the organization). This is a good time to train, or retrain, staff on cybersecurity best practices.
U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology
