Interactive Guide to the NIST Cybersecurity Framework 2.0

Introduction

The NIST Cybersecurity Framework (CSF) 2.0 is a flexible, outcomes-based framework designed to help organizations of any size and sector manage and reduce cybersecurity risks. Published in February 2024, it represents a significant update from its predecessor by shifting its scope to be applicable to all organizations, not just critical infrastructure. This guide provides a structured, interactive overview of the CSF 2.0, its key components, and a step-by-step guide for implementation.

The Six Core Functions

The CSF 2.0 is built around six core functions that provide a high-level, strategic view of an organization's cybersecurity risk management lifecycle. These are designed to work together in a continuous, iterative process. Click on each function to learn more.

A Holistic View of the Framework

The radar chart below visualizes how the six functions are interconnected, forming a comprehensive and balanced approach to cybersecurity risk management. Each function represents a critical pillar in a robust security program.

Key Components of the Framework

The CSF 2.0 is composed of three primary components that work together to help organizations define, assess, and improve their cybersecurity posture. Explore each component below.

1. The Core

The Core is a taxonomy of high-level cybersecurity outcomes, organized in a hierarchy to provide a common language for managing risk.

Functions
Categories
Subcategories

2. Implementation Tiers

The Tiers describe the maturity and rigor of an organization's cybersecurity risk management practices. They are a way to characterize your program, not a model to be climbed. Click a Tier to see its description and get AI-powered advice on how to improve.

Select a tier on the left to view its details.

3. Organizational Profiles

A Profile is a snapshot of an organization's cybersecurity posture, used to compare a "Current" state to a "Target" state to identify and prioritize areas for improvement.

Current Profile

Describes the cybersecurity outcomes the organization is currently achieving.

Target Profile

Describes the desired cybersecurity outcomes based on risk appetite, business needs, and legal requirements.

How to Use the CSF 2.0: A Simple Guide

Implementing the CSF 2.0 is a strategic process. The following steps provide a roadmap for using the framework to improve your cybersecurity posture. Click each step for more details.

Select a step above to view details.

Key Resources

NIST provides a wealth of resources to support the adoption and use of the CSF 2.0. Below are some of the most important ones to get you started.