Cybersecurity Insights

a NIST blog

Celebrating Two Years of CSF 2.0!

February 24, 2026

By: Stephen Quinn

Share

Facebook Linkedin X.com Email Celebrate this milestone with us!

Email us at csf [at] nist.gov or tag @NISTcyber on X telling us what your favorite CSF 2.0 resource is (or how your organization has benefitted from implementing the CSF 2.0).

Credit: NIST Today marks two years since the publication of the Cybersecurity Framework (CSF) 2.0!

Published in 2024, the CSF 2.0 included the addition of a Govern Function, increased emphasis on cybersecurity supply chain risk management, updated categories and subcategories to address current threat and technology shifts, and expansion into a suite of resources designed to make the CSF 2.0 easier to consume and put into practice—enabling organizations to better manage and reduce their cybersecurity risk.

The CSF 2.0 has been widely embraced by millions of organizations of all sizes and sectors around the globe and continues to be the most downloaded NIST technical publication (with over 3 million views and downloads, to date). The team has been hard at work the last two years engaging with thousands of stakeholders and continuing to produce practical, actionable resources. Last year, we published a blog highlighting accomplishments from the CSF 2.0’s first year. Below are some highlights from this past year.

Elevating Cybersecurity as a Strategic Business Decision
We expanded the focus on cybersecurity governance to highlight the importance of ensuring cybersecurity capabilities support the broader mission through Enterprise Risk Management (ERM). The NIST IR 8286 series, which was updated in 2025 to align more closely with the CSF 2.0 and other updated NIST guidance, helps practitioners better understand the close relationship between cybersecurity and ERM.

Streamlining Working with Multiple Frameworks and Guidelines

Informative References highlight connections between the CSF and other frameworks, standards, and guidelines. There were seven new CSF 2.0 informative references published in the last calendar year:

| PCI DSS 4.0.1 | CIS Controls 8.1 |
| NIST Special Publication 800-53r5 Revision 5.2.0 | Cyber Governance Code of Practice |
| NIST Special Publication 800-171,R3 | NICE Framework Components v2.0.0 |
| ISO/IEC 27001:2022 | View all CSF 2.0 Online Informative References |
Get involved: The NIST Online Informative Reference (OLIR) Program encourages subject matter experts to review and contribute to the OLIR portfolio.  If you would like to participate, please consult NISTIR 8278A Rev. 1 National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers.

Using the CSF 2.0 to Address Community Cybersecurity Risk Management

A Community Profile is a baseline of CSF outcomes that is created and published to address shared interests and goals among several organizations. Several draft community profiles were added to the CSF 2.0 Resource Center this past year for public comment:

| Cybersecurity Framework Profile for Artificial Intelligence | Incident Response Recommendations for CSF 2.0 | Cybersecurity Framework 2.0 Manufacturing Profile |
| Cybersecurity Framework (CSF) 2.0 Semiconductor Manufacturing Community Profile | Foundational PNT Profile | Ransomware Risk Management for CSF 2.0 |
| | Transit Cybersecurity Framework Community Profile | |
Get Involved: The NIST National Cybersecurity Center of Excellence (NCCoE) plays a significant role in helping communities implement NIST Frameworks. The NCCoE’s Resources for Applying NIST Frameworks page serves as a repository of information and tools for creating Community Profiles. We also welcome your feedback on Community Profiles when they are out for public comment.

Getting Started with CSF 2.0

Credit: NIST If you haven’t migrated your cybersecurity risk management strategy to the CSF 2.0, there’s no time like the present. Where can you start?

• Familiarize yourself with the CSF 2.0 in PDF form or dynamically in the CSF 2.0 Tool.

• View our library of CSF 2.0 Quick Start Guides.

• Review the Cybersecurity Framework 1.1 to 2.0 Core Transition Changes Overview Supplemental Spreadsheet.

• Watch or listen to the webinar recording, “ Implementing CSF 2.0: The Why, What, and How.”

Stay Involved!

• Review submission criteria and submit publicly available CSF 2.0 resources to be considered for inclusion in the CSF 2.0 Community-Submitted Resources Library.

• Subscribe to our email updates. Sign up for email alerts via the email subscription page.

• Email us. Send questions or comments to csf [at] nist.gov (csf[at]nist[dot]gov).

• Follow us.  Follow @NISTcyber on X.

About the author

Mr. Stephen Quinn joined the National Institute of Standards and Technology (NIST) in 2004 and serves as a senior computer scientist in the Information Technology Laboratory (ITL). Mr. Quinn is the lead author for Integrating NIST risk management project work within the paradigm of Enterprise Risk Management (ERM). He is also program manager for the National Checklist Program and the National Online Informative Reference (OLIR) programs at NIST. He is a co-originator of the NIST Security Content Automation Protocol (SCAP).

Stephen was named to the “Federal 100” by the trade publication Federal Computer Week (FCW) and received the Department of Commence Gold Medal Award for his work in automating security protocols for applications. He also received the Federal CIO Council Leadership award for related work.

Prior to joining NIST, Steve worked in the private sector as a consultant to the Department of Defense and large commercial outsourcings with Wall Street banking firms and insurance companies. Specifically, he comes from an operational background, having owned two companies that provided service offering for vulnerability assessments, designing security architectures, code development, risk management, certifications and accreditations, and ST&Es. His research experience and practitioner experience includes managing and remediating risks specific to computer viruses/malware, intrusion detection systems (IDSs), vulnerability/misconfiguration identification, categorization, and remediation.

Comments

Add new comment

Your name Comment Required *

Plain text

• No HTML tags allowed.
• Web page addresses and email addresses turn into links automatically.
• Lines and paragraphs break automatically. CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions. Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.

Search

Put exact phrase in quotes (e.g., "information technology")

Email Alerts

Sign up below to receive Cybersecurity Insights blog updates.

Enter Email Address

Stay Connected

X (Twitter) GovDelivery

Categories

-- Choose -- Events and Workshops Implementation Measurement Science Multi Factor Authentication Partnerships Publications