NIST CSF 2.0 Requirements: Complete Guide to the Cybersecurity Framework

Your organization must understand its mission, stakeholder expectations, and legal/regulatory requirements to inform cybersecurity risk management decisions. This means documenting your business context and how cybersecurity supports your objectives.

You must establish and communicate a cybersecurity risk management strategy that includes risk appetite, tolerance levels, and priorities. The strategy must be approved by leadership and regularly reviewed.

Cybersecurity roles, responsibilities, and authorities must be established and communicated. Everyone must know who is accountable for cybersecurity decisions and actions within the organization.

You must establish a supply chain risk management program. This includes identifying critical suppliers, assessing their cybersecurity practices, including security requirements in contracts, and monitoring supply chain risks.

You must inventory and manage all hardware, software, data, and external information systems. You need to know what you have, where it is, and who is responsible for it. This includes discovering and tracking shadow IT.

You must identify, analyze, and prioritize cybersecurity risks. This includes identifying threats and vulnerabilities, assessing likelihood and impact, and determining risk responses. Risk assessments must be conducted regularly and after significant changes.

Improvements to cybersecurity risk management processes, procedures, and activities must be identified across all functions. This includes learning from incidents, assessments, and industry best practices.

Access to assets must be limited to authorized users, processes, and devices. This includes identity proofing, credential management, multi-factor authentication, and access control based on least privilege principles.

All users must be informed and trained to perform their cybersecurity-related duties. This includes security awareness training, role-based training for privileged users, and training for third-party stakeholders.

Data must be managed consistent with your risk strategy to protect confidentiality, integrity, and availability. This includes encryption at rest and in transit, data integrity checking, and data leakage prevention.

The hardware, software, and services of physical and virtual platforms must be managed to protect their confidentiality, integrity, and availability. This includes secure configuration, patch management, and secure development practices.

Security architectures must be managed to protect asset confidentiality, integrity, and availability, and organizational resilience. This includes network segmentation, redundancy, and infrastructure protection.

You must continuously monitor your information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures. This includes network monitoring, endpoint detection, and log analysis.

Anomalies and potential cybersecurity events must be analyzed to determine if they represent actual incidents. This includes correlating events from multiple sources, understanding normal behavior baselines, and determining event impact.

You must have incident response plans that are executed when incidents are detected. This includes triage, containment, eradication, and communication procedures. Incident responders must know their roles and have the authority to act.

Investigations must be conducted to understand the scope and impact of incidents. This includes forensic analysis, root cause determination, and documenting findings. Incidents must be categorized and prioritized.

Response activities must be coordinated with internal and external stakeholders. This includes communicating with affected parties, reporting to regulators as required, and sharing information with ISACs and other organizations.

Recovery plans must be executed during or after an incident to restore systems and services. This includes backup restoration, system rebuilding, and verifying the integrity of restored systems before returning them to production.