The National Institute of Standards and Technology released Cybersecurity Framework 2.0 on Wednesday, adding new guidance on supply chain risk management and expanding the voluntary framework used by thousands of organizations worldwide.
The update represents the first major revision since the framework's 2014 launch. NIST officials said the changes reflect evolving threats and the increasing complexity of modern software supply chains.
Key Changes
CSF 2.0 introduces a sixth core function called "Govern," emphasizing cybersecurity governance and risk oversight at the organizational level. The framework also expands guidance on supply chain security, identity management, and third-party risk.
"Organizations can no longer view cybersecurity as purely a technical issue," said Kevin Stine, NIST's cybersecurity program chief. "Leadership engagement and governance are critical to managing cyber risk effectively."
The framework now includes specific guidance on software supply chain security, addressing vulnerabilities in open-source components and third-party dependencies. This follows high-profile supply chain attacks that compromised thousands of organizations through trusted software vendors.
Industry Adoption
More than 30 percent of U.S. organizations currently use the NIST Cybersecurity Framework, according to a 2024 survey by the Ponemon Institute. Adoption is highest among financial services, healthcare, and critical infrastructure sectors.
Federal agencies must align cybersecurity programs with NIST frameworks under a 2021 executive order. Many states have adopted similar requirements for public sector organizations.
Implementation Guidance
NIST will publish implementation guides and reference architectures over the next six months to help organizations transition to CSF 2.0. The agency recommends that organizations review their current programs against the updated framework and identify gaps.
Industry groups, including the U.S. Chamber of Commerce and the National Association of Manufacturers, praised the update. Critics said the framework remains too complex for small and medium-sized businesses with limited cybersecurity resources.
The framework is available at nist.gov/cyberframework. NIST will accept public comments on proposed implementation guides through March 31.