The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 was launched in late February of this year with the first significant revisions to its decade-old initial framework. It is difficult to overstate the importance of sharing and re-sharing practices and standards that can help keep organizations and individuals alike safe from threat actors seeking to access and steal sensitive information. This article provides an overview of the basic, fundamental principles of the NIST CSF and offers some insight into the value of the program’s revisions for businesses.
The NIST CSF is built around six core functions, which are designed to provide a high-level, strategic view of an organization’s management of cybersecurity risk.
Within this component, primary attention is paid to general risk management and to a deep organizational understanding of the “roles, responsibilities, and authorities” involved in any facet of the cyber program. A particular focus is on the organization’s “policy, oversight, and inclusion [as it relates to] the supply chain”.
The goal of the NIST CSF is to address critical infrastructure while producing a framework flexible enough to be used across all industries. This also makes it applicable to organizations of varying sizes. Integrating these principles into an organization’s overall risk management processes and promoting a culture of shared responsibility for cybersecurity can produce a broader and more effective program. There is no one-size-fits-all blanket program, which means the provided guidance might come across as vague.
Ultimately, for an organization to have the most robust, effective, and integrated cybersecurity posture, it would require a comprehensive audit of policies, procedures, roles, responsibilities, controls, and other aspects, performed by an experienced and objective (and likely outside) vendor, to identify more precisely any gaps or vulnerabilities in the current program. From there a more robust program can be established, with the considerations for scalability and flexibility encouraged by the NIST framework.
The language and guidance within release 2.0 are more focused on ensuring cybersecurity programs are tailored to organizational needs and current infrastructure, as opposed to trying to establish—or create the appearance of—a copy-and-paste system. The past 10 years of technological improvements, including artificial intelligence, and the increased sophistication of threat actors have provided enough evidence of the need for highly individualized responses to increasingly targeted attacks.
As such, the updated Framework includes clearer guidance on the need for, and importance of, establishing opportunities for enhanced integration. Given the sheer impossibility of having organizations develop, implement, and manage every component of their specific cybersecurity program themselves, there is a tremendous need to work cooperatively and to establish complementary software and other related resources. The purpose of this flexibility, per the NIST release, is so that “an organization may choose to handle risk in one or more ways — including mitigating, transferring, avoiding, or accepting negative risks and realizing, sharing, enhancing, or accepting positive risks — depending on the potential impacts and likelihoods.” NIST has adapted its guidance to reflect today’s threat and technological landscapes more closely. How specifically an organization integrates with other services or solutions is still up to that organization.
Since the framework’s initial release in 2014, the world has become exponentially more digitally interconnected, with most organizations having migrated much of their data and operational resources to the cloud. Additionally, more organizations are now integrated with the global supply chain—either directly or through a third-party vendor—which means access to sensitive data has never been more available to those with the necessary credentials. Given both the sensitivity and criticality of the global supply chain, NIST has included a renewed focus on security functions for the supply chain and on data privacy in general.
Furthermore, NIST has acknowledged that cybersecurity is not a static state. Organizations that do not consistently assess and identify vulnerabilities within their cyber program are opening the door to threat actors who have shown no indication of slowing down their cadence of attacks.
In a sense, the value of the Framework stems from its adaptable nature: because every organization is unique in its structure, security staff, software configuration, and personnel knowledge, the best cyber program is custom to that environment. Michelle “Nikki” Ingram, AVP and Head of Cyber Advisory Services at SpearTip / Zurich Resilience Solutions, articulates the value of NIST 2.0 for all organizations concerned about their cyber resilience. She notes that the “NIST CSF gives an organization a framework on which to develop a cyber security risk management program and the flexibility to adapt it to their unique needs, all of which supports demonstrating their due diligence and adapting to an ever-evolving threat landscape.” The Framework is valuable because it captures the categories that need to be considered for security enhancements when developing such a program. The U.S. Federal Government has increasingly emphasized the importance of cybersecurity, and NIST’s CSF 2.0 is a key part of those efforts.
Practically speaking, while NIST standards are voluntary, the U.S. Federal Government often requires businesses to follow these guidelines if they want to do business with it, especially for contracts involving sensitive information or critical infrastructure. For example, the United States Department of Defense (DoD) has implemented the Cybersecurity Maturity Model Certification (CMMC) program, which requires defense contractors to be certified against a set of cybersecurity practices and processes based on NIST standards.
However, the specifics can vary depending on the agency and the nature of the work. Not all agencies may require strict compliance with the NIST CSF, but demonstrating a robust commitment to cybersecurity can only be beneficial when seeking to do business, whether it be with one individual or with a department of the federal government.
Anyone looking for a handbook detailing step by step how to precisely implement a robust, effective, or financially feasible cybersecurity program may be disappointed. While the NIST CSF 2.0 is not that, what it does provide is an excellent framework against which any organization seeking to improve its current posture can assess and measure it. To achieve cyber maturity, an organization should consult with an experienced team of cybersecurity professionals to build the best possible program based on the specific needs of that organization.
©2025 SpearTip, LLC. All rights reserved.