
December 8, 2025 17 min read

NIST CSF 2.0: What IT compliance managers need to know in 2025

Sonia Yu

The National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) 2.0 offers a common language and structure to help improve companies’ cybersecurity posture.

It’s an improvement over versions 1.0 and 1.1, in large part because it expands the scope of its recommendations to help all businesses, not just those in critical infrastructure. In addition, CSF 2.0 adds a new core function, Govern, which underpins every aspect of enterprise cybersecurity.

In this piece, we’ll break down the basics of NIST CSF 2.0, examine its core functions, and explore what compliance managers need to know about NIST CSF 2.0 in 2025.

What is NIST CSF 2.0?

NIST CSF 2.0 is an evolution of CSF 1.0 and CSF 1.1. Where previous versions focused on companies operating in the critical infrastructure space, CSF 2.0 now explicitly aims to help all organizations, according to NIST. By using standardized language that can be applied to any cyber risk, NIST CSF 2.0 is suitable for organizations of all sizes, including enterprises, mid-market companies, and small businesses alike.

Overview and purpose

As noted by the official NIST CSF 2.0 guidelines, the framework “provides guidance to industry, government agencies, and other organizations to manage cybersecurity risk.” The CSF itself is not intended as a checklist or a rigid set of procedures. Rather, it defines a set of ongoing practices designed to strengthen and mature security programs over time. It serves as a structured improvement framework, helping organizations evaluate their current state, identify gaps, and build resilience against emerging threats.

Key updates in version 2.0

The NIST cybersecurity framework 2.0 includes several key updates.

First is the expansion of the framework to include all organizations, as noted above. In addition, version 2.0 includes a new function — Govern — which underpins all five functions of CSF 1.0.

The new version also recommends two new best practices: the creation of organizational profiles and community profiles.

Organizational profiles

Organizational profiles detail current cybersecurity efforts and describe security goals. These internal-facing profiles help identify areas for improvement and track the progress of these improvements over time.

Community profiles

Community profiles are public-facing profiles that help identify common cyber threats or interests across multiple organizations. These organizations may share the same sector or industry, or leverage similar technology stacks to achieve their goals.

By using community profiles, businesses can create a shared knowledge model that allows them to learn from companies dealing with similar issues, and in turn provide insight for other organizations.

Core functions of NIST CSF 2.0

NIST CSF 2.0 has six core functions: the five carried over from earlier versions, plus Govern, which was added in version 2.0:

Identify

Identify focuses on improving enterprise risk management by understanding the relationship between current assets and cybersecurity. These assets include data, hardware, software, systems, physical facilities, and people. They also include suppliers, due to the growing risk of third-party compromise. As a result, cybersecurity supply chain risk management is a key component of the CSF identify function.

For example, if attackers can breach third-party payment providers used by e-commerce companies, they may be able to move laterally across the business network and access critical data owned by your organization.

The more you know about what’s happening across your current assets, the better prepared you are to create an effective cybersecurity strategy.

Protect

The second CSF core function, Protect, speaks to the actions taken by companies to reduce their cybersecurity risk. Common actions include the deployment of identity and access management (IAM) solutions, the implementation of multifactor authentication (MFA), or the integration of strong encryption practices to enhance data security.

Protect also covers physical security measures such as cameras and access controls.

Detect

Detect looks to identify potential attacks and compromises as soon as possible. This may include the use of threat intelligence software, behavioral analysis solutions, and automated tools that can detect and report possible indicators of compromise (IoCs).

An example of detection in action is an unexpected login, either at a time or place that is abnormal for employees. If staff normally work 9 a.m. to 5 p.m., Monday through Friday, but systems record login attempts at 4 a.m. multiple nights in a row, this may be an indicator of compromise.
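The off-hours login pattern described above, as an added example that is not part of the original article: a small detector that reads constructed authentication log lines, classifies each login against the 9 a.m. to 5 p.m., Monday through Friday schedule, and flags users who log in outside those hours on several consecutive days. The log format, the sample events, and the three-day threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the article): "timestamp,user"
SAMPLE_LOG = """\
2025-03-03T04:02:11,jdoe
2025-03-03T09:15:40,asmith
2025-03-04T04:05:02,jdoe
2025-03-05T03:58:37,jdoe
2025-03-05T13:20:00,asmith
2025-03-08T11:00:00,asmith
2025-03-10T22:30:00,bwong
"""

BUSINESS_START, BUSINESS_END = 9, 17  # Mon-Fri, 9 a.m. to 5 p.m., as in the article
CONSECUTIVE_DAYS_THRESHOLD = 3        # assumed alerting threshold for "multiple nights in a row"


def is_off_hours(ts: datetime) -> bool:
    """True if the login falls on a weekend or outside 09:00-17:00 on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def longest_consecutive_run(dates) -> int:
    """Longest run of back-to-back calendar days present in `dates`."""
    best = run = 0
    prev = None
    for d in sorted(set(dates)):
        run = run + 1 if prev is not None and d - prev == timedelta(days=1) else 1
        best = max(best, run)
        prev = d
    return best


def off_hours_streaks(log_text: str) -> dict:
    """Map each user to their longest streak of consecutive days with an off-hours login."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        ts_str, user = line.split(",")
        ts = datetime.fromisoformat(ts_str)
        if is_off_hours(ts):
            per_user[user].append(ts.date())  # one entry per off-hours login day
    return {user: longest_consecutive_run(days) for user, days in per_user.items()}


def flag_suspicious(log_text: str, threshold: int = CONSECUTIVE_DAYS_THRESHOLD) -> list:
    """Users whose off-hours login streak reaches the threshold; a single odd login is not enough."""
    return sorted(u for u, n in off_hours_streaks(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_LOG))  # -> ['jdoe']
```

A one-off weekend login (asmith on a Saturday) stays below the threshold, while jdoe's 4 a.m. logins on three consecutive weekdays are surfaced for investigation.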

Respond

Respond covers the actions taken by companies when cybersecurity incidents are detected. The goal of incident response is to minimize the impacts of a breach or compromise. This core function includes incident management, analysis, mitigation, reporting, communication, and the creation of incident response plans.

Recover

Once the response is complete, the next step is recovery. This includes the restoration of service and, where possible, the restoration of data using a detailed recovery plan. The goal is to get as close as possible to normal operations in as little time as possible.

Govern

The Govern function was added in NIST CSF 2.0. It focuses on understanding organizational context across all other functions and prioritizes the creation of comprehensive risk management and continuous monitoring strategies.

As the circle diagram above makes clear, this is a cyclical process, not a serial one. Identification doesn’t stop when recovery happens. Instead, companies simply start the process again. The Govern function is depicted as a loop because it applies to all aspects of the NIST CSF 2.0 framework.

Benefits of using NIST CSF 2.0

The primary benefit of using NIST CSF 2.0 to inform cybersecurity practices is that it offers a clear framework to follow. While it does not describe how companies should achieve security goals, it provides a simple structure to help evaluate current environments, identify possible risks, and take steps to limit the impact of these risks.

Applying NIST CSF 2.0 to daily operations also provides benefits like these:

Risk-based approach

CSF 2.0 takes a risk-based approach to security practices. This allows companies to align infosec operations with key business risks and take targeted action to limit these risks.

Consider the third-party risks mentioned above. If a financial institution uses a third party to store and manage some of its lending and client data, the breach of this third party could lead to regulatory non-compliance, in turn subjecting the financial firm to fines or sanctions.

A CSF 2.0 risk assessment would pinpoint this risk as a high priority, allowing firms to act before breaches occur.

Regulatory alignment

Using NIST CSF 2.0 as a starting point also helps companies map security operations to other standards such as ISO 27001, SOC 2, and the Cyber Maturity Model Certification (CMMC).

It’s worth noting that, unlike standards such as SOX, HIPAA, or PCI DSS, NIST CSF 2.0 compliance is not mandatory for private companies. Ensuring alignment with the new standard, however, both improves security posture and is worthwhile for any company that does business with government agencies such as the Department of Defense (DoD) or the Department of Transportation (DoT).

How to implement NIST CSF 2.0

With a broader approach to cybersecurity practices and a focus on continual improvement, companies may find themselves unsure of where to start when it comes to NIST CSF 2.0 implementation.

A step-by-step approach can help:

Step 1: Conduct a gap assessment

Understanding and assessment

First is understanding and assessment, which is the process of evaluating current cybersecurity posture, identifying potential gaps, and assessing how these gaps can be addressed.

Before you deploy new security controls and practices, you need to know where they will be most effective. This is the role of a gap assessment: identifying the current state of your cybersecurity posture and identifying the most likely path(s) of compromise.

Example: Consider a midsize enterprise adopting CSF 2.0. Understanding might look like identifying and developing an inventory of all IT assets in use, such as hardware, networking devices, and applications. Assessment then involves a structured evaluation of those assets against the CSF 2.0 Core outcomes to identify risks.

This is where Profiles come into play. Organizations start by defining their Current Profile, which reflects how existing practices align with the CSF Core outcomes. They then establish a Target Profile, describing the desired outcomes that match business needs, risk appetite, and regulatory expectations. In some cases, a Community Profile can also be used as a reference point — these profiles may be sector- or industry-specific examples published by NIST or peer groups, which may serve as a basis for shaping the organization’s own Target Profile. Examples of Community Profiles are available and can be found on the NIST CSF website.

To help compare current and target states, organizations can then apply the CSF Implementation Tiers. These Tiers (ranging from Partial to Adaptive) are benchmarks that describe how risk is currently managed by the organization, and how it is ideally intended to be managed in the future.

Example: The midsize enterprise maintains a spreadsheet of IT assets, but it’s updated irregularly. In this case, the organization may describe its Current Profile as Risk Informed (some process awareness but inconsistent execution). To ensure the inventory is consistently maintained and validated through a repeatable methodology year after year, they may set their Target Profile as Repeatable (a documented process carried out consistently, on a defined schedule).

Step 2: Develop a roadmap

Prioritization

Prioritization is next: determining which problems are the most pressing and how to address them.

In the example above, further assessments reveal multiple issues across legacy network controllers and software. Prioritization evaluates the potential impact of each risk and helps determine the focus of security efforts. For example, an issue with customer-facing applications may pose a lower risk than weaknesses in mission-critical manufacturing software.

Prioritization helps develop a roadmap. Once you know where you’re at risk, you can design a strategy to address these risks in order of priority. The bigger the risk, the more important the fix.

This means if your assessment reveals an unlikely permission escalation issue with internal networks — but also uncovers public-facing data entry fields that can be manipulated to gain admin-level access — the second problem is your bigger priority.

Step 3: Use available resources

Don’t reinvent the cybersecurity wheel. Instead, lean on available expert resources to jumpstart your CSF 2.0 efforts. In addition to the resources noted above, NIST offers both a searchable catalog of its references and the Cybersecurity and Privacy Reference Tool (CPRT), which is a browsable and downloadable set of NIST guidance documents.

Step 4: Communicate

Communication looks to create a common language that allows teams to easily exchange information about security risks, needs, and goals both inside and outside the organization.

While NIST CSF 2.0 specifies what companies should look for in security, it does not specify how these outcomes are achieved. This is because every company has a unique security posture. Using a combination of internal expertise and additional resources, businesses can align NIST guidance with security outcomes.

Not sure where to find CSF 2.0 help? Start with these NIST webpages:

Common challenges and pitfalls

No cybersecurity effort is entirely smooth sailing. The same is true of NIST CSF 2.0 implementation. Here’s a look at two common challenges — and what companies can do to limit their impact.

Resource limitations

Both budget and staffing issues can make it challenging to carry out in-depth security assessments and apply effective measures to limit your risk.

Here, it’s worth considering outsourced expertise, whether this takes the form of virtual CISOs, on-site staffing, or 24/7 technical support.

Integration with existing programs

Legacy tools may also impact your ability to implement CSF 2.0 best practices. If your current governance, risk, and compliance (GRC) frameworks depend on tools that were never designed to handle always-on connections, or were purpose-built for your organization, they may create a roadblock to CSF adoption.

To solve this challenge, companies are often best served by deploying third-party platforms capable of automating security tasks and creating comprehensive risk reports.

How AuditBoard supports NIST CSF 2.0 adoption

With AuditBoard, your business is better prepared to adopt NIST CSF 2.0. In addition to expert support — 81% of our success and service teams are former risk, compliance, and audit practitioners — our solution offers key benefits such as:

Framework mapping

You can’t fix what you can’t see. AuditBoard solutions offer built-in templates to help you map current cybersecurity frameworks, track cybersecurity events, compare them to ideal cybersecurity outcomes, and take action to reduce total risk.

Real-time dashboards

Security happens at speed. New vulnerabilities are constantly emerging, and tools once thought safe may suddenly be exposed thanks to new updates or additional features.

AuditBoard’s real-time dashboards let you track the effectiveness of security programs in real time. In addition, these dashboards ensure you’re better equipped to demonstrate compliance in the event of a legal challenge or regulatory audit.

See how AuditBoard simplifies NIST CSF 2.0 adoption with automated framework mapping, real-time dashboards, and reporting. Start your demo today.

About the authors

Sonia Yu, CISA, CEH, is a Senior Compliance Analyst at AuditBoard. Prior to joining AuditBoard, Sonia was a cybersecurity consultant at Moss Adams, where she audited and advised information security programs across various industry sectors in meeting compliance with PCI-DSS, HITRUST, HIPAA, and NIST cybersecurity frameworks.
