Is Your Org Ready for the NIST Cybersecurity Framework?

It’s up to security and risk management leaders to ensure the organization is prepared to adopt NIST CSF 2.0.

How the NIST Cybersecurity Framework has evolved

In February 2024, the National Institute of Standards and Technology (NIST) published version 2.0 of its Cybersecurity Framework (CSF 2.0) with four key changes:

  1. Govern is now a core function, bringing together the categories for organizational context; risk management strategy; roles, responsibilities and accountability; policy; oversight; and supply chain risk management.

  2. Scope has expanded beyond critical infrastructure and government to all types and sizes of organizations, lowering the barriers to entry for new adopters.

  3. Supply chain risk management is emphasized, requiring internal and external accountability.

  4. Privacy considerations are a greater focus based on the identification of areas of overlap with the NIST Privacy Framework.


NIST CSF 2.0 requires four major shifts

Use the NIST Cybersecurity Framework to reduce your organization’s cybersecurity risk and evolve your cybersecurity strategy.

Support Govern at the core

CSF 2.0 creates an impetus to align the cybersecurity risk management strategy, expectations and policies with the broader goals of the organization. This realignment may require both a technical and cultural shift.

To prepare, formalize governance committee members and cadence, establish a RASCI (responsible, accountable, supportive, consulted and informed) matrix with clear accountabilities, and connect security initiatives to business priorities and cybersecurity risk strategy.

NIST provides a quick-start guide to integrating cybersecurity risk management into enterprise risk management, including a Cybersecurity Risk Register that enables organizations to identify, manage and monitor relationships between enterprise risks and elements of a CSF-based cybersecurity program.

Prioritize supply chain risk management

The Supply Chain Risk Management (C-SCRM) category has moved under the Govern function, providing enhanced guidance on managing supply chain risks. Its subcategories spell out what organizations must address so that cyber supply chain risk management processes are identified, established, managed, monitored and improved by organizational stakeholders, reflecting the increased dependence on cross-functional partners.

Address privacy risks

CSF 2.0 acknowledges that privacy and cybersecurity threats are best managed together and can be used in tandem with the NIST Privacy Framework. Consider reassessing your cybersecurity governance structure and adapting it to encompass the different processes (such as cyber risk management, privacy and supply chain risk management) to ensure these considerations are aligned with the organization’s strategic goals.

Assess current and future states with organizational profiles

CSF 2.0 introduces “Organizational Profiles,” which describe an organization’s current and/or target cybersecurity posture in terms of the cybersecurity outcomes of the CSF Core. Meeting the new standards may require organizations to update cybersecurity policies to ensure they align with the new functions and other changes in the NIST Cybersecurity Framework. Evaluate your current practices against the new functions and categories to identify gaps, set targets for improvement and create a roadmap to achieve your goals.

NIST Cybersecurity Framework FAQs

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is the National Institute of Standards and Technology’s (NIST) landmark guidance document for reducing cybersecurity risk. In February 2024, NIST published CSF 2.0 with several key changes, including making Govern a core function, emphasizing supply chain risk management, increasing the focus on privacy and expanding its applicability to all types and sizes of organizations.


How can organizations prepare for NIST Cybersecurity Framework 2.0?

To prepare for NIST CSF 2.0, ensure that your cybersecurity program considers governance and risk as a core function, aligns cybersecurity priorities to business objectives and outcomes, includes supply chain risk management, and connects privacy and cybersecurity risks.
