Cybersecurity risks are a fundamental type of risk for all organizations to manage. Potential impacts to organizations from cybersecurity risks include higher costs, lower revenue, reputational damage, and the impairment of innovation. Cybersecurity risks also threaten individuals’ privacy and access to essential services and can result in life-or-death consequences.
The NIST Cybersecurity Framework (Framework or CSF) 2.0 provides guidance for reducing cybersecurity risks by helping organizations to understand, assess, prioritize, and communicate about those risks and the actions that will reduce them.
Those actions are intended to address cybersecurity outcomes described within the CSF Core. These high-level outcomes can be understood by a broad audience, including executives, government officials, and others who may not be cybersecurity professionals. The outcomes are sector- and technology-neutral, so they provide organizations with the flexibility needed to address their unique risk, technology, and mission considerations. These outcomes can be used to focus on and implement strategic decisions that improve cybersecurity postures (or state) while also considering organizational priorities and available resources.
The CSF Core also includes examples of how each outcome can be achieved along with references to additional guidance. Together, these help an organization address its cybersecurity priorities. The CSF also describes the concepts of Profiles and Tiers, which are tools to help organizations put the CSF into practice and set priorities for where they need or want to be in terms of reducing cybersecurity risks.
The CSF is a foundational resource that is adopted voluntarily and through governmental policies and mandates. Its enduring and flexible nature transcends sectors, technologies, and national borders. The updates in CSF 2.0 address changes in technologies and cybersecurity risk.
The CSF should be used in conjunction with other resources (e.g., frameworks, standards, guidelines, and leading practices) to better manage cybersecurity risks and to inform overall management of cybersecurity and other risks at an enterprise level. Supplemental guidance to this Framework will be developed and available on the NIST Cybersecurity Framework website.