NIST Cybersecurity Framework 2.0 Released
The National Institute of Standards and Technology (NIST) has finalized version 2.0 of the NIST Cybersecurity Framework. This is the first major update of the framework since its creation in 2014.
The NIST Cybersecurity Framework is a voluntary cybersecurity model that was developed for use by critical infrastructure entities to help them better understand, manage, and reduce cybersecurity risks and protect their networks and data. While the initial focus of the framework was on improving cybersecurity for critical infrastructure, the Cybersecurity Framework has been adopted by organizations of all types and sizes all around the world. Version 2.0 has been developed to be used by all audiences, industry sectors, and organization types. NIST said version 2.0 can be used by “the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication.”
NIST released the draft version of the updated Cybersecurity Framework in the summer of 2023 and received many comments from stakeholders. In the final version, NIST has expanded the core guidance and developed resources to provide tailored pathways into the Cybersecurity Framework and make it easier to put into action. Rather than being a single document, version 2.0 consists of a suite of resources that can be customized and used individually or in combination over time as each organization’s cybersecurity needs and capabilities change.
The original Cybersecurity Framework was built around five key pillars: identify, protect, detect, respond, and recover. One of the major updates in version 2.0 is the addition of a sixth pillar, Govern. The govern function aims to help organizations incorporate cybersecurity risk management into broader enterprise risk management programs and ensure that they establish a cybersecurity strategy with oversight by the C-Suite. Organizations are encouraged to develop organizational profiles to prioritize the cybersecurity actions that will help them achieve specific outcomes or desired states; those profiles also help inform the continuous improvement of cybersecurity practices. The updated framework also expands on the supply chain risk management outcomes introduced in version 1.1, most of which have been grouped under the govern function.
NIST has also released a new CSF 2.0 reference tool that simplifies how the Cybersecurity Framework can be implemented and allows users to browse, search, and export its data in human- and machine-readable formats. The latest version also includes a searchable catalog of informative references that show how an organization's current actions map to the Cybersecurity Framework. Quick-start guides are also provided for small businesses, enterprise risk managers, and organizations looking to secure their supply chains. NIST plans to further enhance the framework's resources, and to help with this it asks users to share examples and successes, which NIST will use to amplify their experiences for the benefit of others.
“In an era where cyber threats are increasingly pervasive, the frameworks that companies rely on must continually evolve as they are an important foundation that companies build upon in the move from cyber security to cyber resilience,” Robert Booker, Chief Strategy Officer, HITRUST, told The HIPAA Journal. Booker contributed to the development of the NIST Cybersecurity Framework 2.0 and explained the importance of the new govern function and the improved integration with other resources. “The addition of the Govern Function to the NIST Cyber Security Framework provides a vital and previously missing piece to the NIST Cybersecurity Framework important to critical elements such as risk management. Given that the NIST Cybersecurity Framework is designed for maximum flexibility, the important goal of Cyber Resilience requires not only the now expanded NIST Cybersecurity Framework but important supporting tools including robust Risk Management and control specifications achievable from qualified Informative References such as those available through HITRUST.”
by The HIPAA Journal Team