Write-up Assignment
Jayden Hood
Professor Duvall
CYSE-200T
9/21/25
NIST CSF 1.1 vs 2.0: Key Differences
BLUF (Bottom Line Up Front):
In February 2024, NIST released CSF 2.0, the first major revision of its widely adopted Cybersecurity Framework since version 1.1 (2018). The revision widens the framework's stated audience from U.S. critical infrastructure to organizations of every size and sector, adds a sixth function, Govern, and pairs the outcome-based core with new implementation guidance so that modern concerns such as supply chain security, cloud, IoT, and ransomware are easier to act on.
✅ What Stayed the Same in NIST CSF 2.0
1. Core Functions (5 Original)
- Identify, Protect, Detect, Respond, Recover remain foundational.
- Still form the core cybersecurity lifecycle for managing risk.
2. Profiles
- Organizations still build a Current Profile (what they do today) and a Target Profile (the outcomes they want).
- The gap between the two profiles is what tailors the framework to a specific organization and drives its action plan.
3. Voluntary & Non-Prescriptive
- CSF 2.0 is still voluntary and flexible, not a compliance mandate.
- Allows broad adoption across sectors and organization sizes.
4. Risk-Based Approach
- Risk remains central to all framework functions and decisions.
- Enables prioritization based on impact and likelihood.
🔐 Key Differences
Area | CSF 1.1 | CSF 2.0 | Why the change was needed
Supply Chain Risk | Mentioned (the ID.SC category) but not central | Given its own Govern category (GV.SC) and woven through the other functions | Incidents such as SolarWinds showed how a compromised supplier propagates into every customer; CSF 2.0 ties supplier risk to governance and day-to-day operations.
Modern Threat Focus | Little mention of cloud, IoT, or ransomware | Core stays technology-neutral, but Implementation Examples and Informative References map outcomes onto cloud security, zero trust, nation-state threats, and emerging technology | Threats have evolved; CSF 2.0 gives organizations current guidance for a complex, fast-changing attack landscape.
Continuous Improvement | Less emphasized | Explicit Improvement category (ID.IM) plus Oversight (GV.OV): evaluate, measure, and update on an ongoing basis | Cybersecurity maturity has no end point; CSF 2.0 makes iteration and progress tracking part of the framework itself.
Core Functions | 5 Functions: Identify, Protect, Detect, Respond, Recover | 6 Functions: adds Govern, covering organizational context, risk management strategy, roles and responsibilities, policy, oversight, and supply chain risk | Good cybersecurity starts with leadership; the new function makes strategy, accountability, and oversight explicit outcomes.
Implementation Guidance | Informative References only; no worked examples | Implementation Examples for each subcategory, Quick Start Guides, and the online CSF 2.0 Reference Tool | Many organizations found CSF 1.1 too abstract; CSF 2.0 offers practical tools for easier adoption.
Terminology & Title | "Framework for Improving Critical Infrastructure Cybersecurity" | Renamed "The NIST Cybersecurity Framework (CSF) 2.0" | The title now reflects the framework's actual use across industries and countries, not just U.S. critical infrastructure.
🛡️Why the Update Matters
1. Stronger Governance
- Cybersecurity is now recognized as a strategic business risk, requiring leadership involvement, clear roles, and executive accountability.
2. Broader Adoption
- CSF 2.0 is designed for organizations of all sizes and sectors, not just critical infrastructure—making it more inclusive and globally relevant.
3. Enhanced Supply Chain Security
- With rising third-party and vendor-related threats, the framework places greater emphasis on supply chain risk management (SCRM) and resilience.
4. Alignment with Modern Threats
- CSF 2.0 keeps a technology-neutral core but, through its Implementation Examples and Informative References, maps outcomes onto today's threat landscape: cloud security, zero trust, ransomware, IoT, and OT vulnerabilities.