What Is The NIST Cybersecurity Framework 2.0?

The NIST Cybersecurity Framework is a collection of best practices and guidelines for the mitigation of cybersecurity risks.

It is based on historical experience in cryptography and data security, combined with current expertise on longstanding and emerging risks to data faced by a wide range of businesses, government bodies, and other organizations.

According to IBM.com, NIST provides a thorough taxonomy of known cybersecurity outcomes and methodologies that have proven useful in the management and assessment of said outcomes.

NIST also provides comprehensive guidance for the protection of civil liberties and privacy as they relate to cybersecurity.

The program as a whole is part of presidential Executive Order #13636, which was put into effect on February 12, 2013.

During that year, a series of workshops was held to draft and establish a uniform code of standards and best practices, culminating in the release of the final 1.0 version of the Framework in February 2014.

We are now looking at the imminent implementation of the 2.0 version framework.

This update is a long-awaited response to a plethora of growing cyber threats affecting individuals, businesses, corporations, NGOs, and governments all over the world.

It represents a milestone in the evolution of the ongoing front against bad actors in the digital world.

Now, let’s take a closer look at what NIST 2.0 will mean for you.

The Core Objectives of The NIST Cybersecurity Framework 2.0

The overall purpose of NIST 2.0 is to put forth standards that not only make cyber risk mitigation more practicable but also provide a common vocabulary for communication.

This should enhance the value of problem-solving efforts as experts and users work together to understand ongoing cybersecurity events in real time.

The following objectives apply both to the state of cybersecurity on the world stage as a whole and to specific cyber threats as they arise at the organizational level.

Understand and Assess

The first objective is to understand and assess the global playing field of cybersecurity.

To do this, we want to look at prominent threats and threat types.

We want to assess what attacks and attack vectors are most threatening.

We also want to maintain a view of longstanding threats and describe how they relate to emerging threats.

Having done this, we want to determine and measure existing gaps in cybersecurity.

Thus far, we should understand the dangers and the vulnerabilities.

From there, we want to design and adjust policy and business posture, and to retool and adapt technological answers to both the threats and the gaps.

At this point, we should have a clear view of the cybersecurity field of play and what moves we may and should make within it.


With the benefit of operational clarity, we may now decide which threat types and vulnerabilities we are most concerned about.

We will develop defenses for the attacks that are strongest and most likely to strike our organizations successfully.

Further, we want to identify which vulnerabilities are most prominent and sensitive.

In this way, we protect ourselves in the most efficient and economical way possible.

Because no data security plan is invulnerable, prioritization is critical.


The final objective of NIST 2.0 is to facilitate meaningful communication between users and IT experts and between organizations.

It is meant to create a common language so that when professionals, users, and other interested parties communicate on these topics, they can understand each other.

This will give executives access to clearer guidance on key cybersecurity concepts, making decision-makers better able to develop valuable policies.

Who Should Use The NIST Cybersecurity Framework 2.0

One of the most common questions we hear on this topic is, “Who should use NIST 2.0?”

A knee-jerk response to that question would probably be “everyone.”

However, attempting to adopt the framework might be excessive for the average person.

That said, any organization that handles customers' personal and payment data not only should adhere to NIST 2.0 guidelines; liability issues and federal regulations could make doing so a necessity.

A quick review of the rationale for cybersecurity insurance explains this.

For these reasons, we believe that NIST 2.0 represents best practices for all business entities of all sizes, sectors, and industries.

Anyone concerned with cybersecurity within an organization would be remiss not to at least understand the NIST 2.0 framework.

All IT professionals should be conversant in its guidelines, language, and objectives.

To fall short in this is to risk professional incompetence.

Further, stakeholders, executives, risk managers, lawyers, auditors, and other decision-makers who lack a strong grasp of the concepts contained in the latest version of NIST are likely to miss key opportunities to protect assets and expand partnerships.

Evolution of The NIST Cybersecurity Framework

As stated, NIST was drafted into law with Executive Order 13636 in early 2013.

Following that historic event in the digital world, its development from 1.0 to 2.0 has been as follows:

Executive Order #13636 – Feb 12, 2013

Signed by President Obama on February 12, 2013, the order outlined objectives for establishing a cybersecurity framework to protect critical infrastructure.

RFI – Developing a Framework to Improve Infrastructure Cybersecurity: February 26, 2013

Conversations intended to gather lessons from industry to understand which standards had been in use, and how effective they were.

1st Cybersecurity Framework Workshop: April 3, 2013

A strictly online broadcast from the Department of Commerce to garner interest, raise awareness, and provide insight.

2nd Cybersecurity Framework Workshop: May 29-31, 2013

One of several workshops leading to the Framework’s release, strategically held in locations around the country to promote attendance.

Preliminary Cybersecurity Framework Released: July 1, 2013

This release captured input from the initial RFI and the previous workshops, presenting it in a standardized format so that thoughts and comments on the state of data security could be articulated.

3rd Cybersecurity Framework Workshop: July 10-12, 2013

Held at the University of California in San Diego, this workshop focused on discussing the preliminary Framework and what might be included moving forward.

Discussion of Preliminary Cybersecurity Framework Released: August 28, 2013

Expanded on material included in the 1st Draft by folding in comments and info gathered in the previous event.

4th Cybersecurity Framework Workshop: September 11-13, 2013

Held at the University of Texas at Dallas, this workshop asked participants to review the latest draft of the Framework and discuss revisions.

Comments on the Preliminary Framework: October 29, 2013

Here, the project released an RFC and asked for comments on the then-most recent iteration of the Framework.

5th Cybersecurity Framework Workshop: November 14-15, 2013

Held at North Carolina State University in Raleigh, NC, this workshop included breakout sessions for SMBs, discussing how the Framework should be used for business data security purposes.

Framework 1.0 Publication: February 12, 2014

One year after Executive Order 13636 was released, NIST officially released the 1.0 version of the Framework.

The Current Iteration

As you can see from the history of its development, 2.0 is the product of a massive push to revamp, revitalize, and extensively upgrade the way organizations, and the business community as a whole, respond to the rising tide of digital threats.

It was drafted based on more than a year’s worth of feedback from the cybersecurity community at large and conversations between leading experts in the field from all around the world.

It is the first major complete renovation of the original NIST standards released in 2014, and it is expected to change the way we deal with risks, threats, and attackers across all corporate data networks.

Explanation of NIST Cybersecurity Framework Core

The functions, categories, and subcategories of the NIST guidelines are designed to guide all organizational and corporate cybersecurity efforts in the following ways:

  • Govern: NIST 2.0 is designed to guide cybersecurity efforts broadly and uniformly, such that actions performed in one location are likely to be repeatable in another location with similar needs.
  • Identify: The identification of threats, vulnerabilities, and the tools and techniques best suited to defend against them is an essential feature of NIST 2.0.
  • Protect: Guarding sensitive data, the people who own that data, and the assets connected to it could be said to be the primary objective of the project.
  • Detect: The detection of threats and vulnerabilities, in contrast to the identification of these things, is also essential. Detection indicates the presence of a threat or vulnerability, allowing defensive action to be taken even before identification is complete.
  • Respond: NIST 2.0 governs not only the intelligence phases of security efforts but the response phase as well.
  • Recover: Finally, the recovery phase is an indispensable part of cybersecurity efforts. NIST 2.0 offers guidance on how to reestablish what has been lost while avoiding the reinstantiation of the previous vulnerabilities.

It should be borne in mind that the Framework core is a guide and not a checklist.

Those who use it should always be prepared to use their best judgment, knowing that the world of data security is always in flux and never fixed.

All cybersecurity efforts should be customized to the needs of the organization, budgetary limitations, and the reality of the organization’s unique risk profile.

To this end, the guidelines are in no way a replacement for talented, experienced, expert-level IT personnel with the ability to improvise.

Why Small Businesses In Pennsylvania Should Care About Cybersecurity

In 2020, Pennsylvania led the nation in data breach losses across all business categories, with ransomware as the most prominent type of successful attack.

There is also a significant lack of regulatory protections for small businesses in this area.

For this reason alone, small businesses have a pronounced interest in adopting the new NIST guidelines.

Short of this, there is little to protect Pennsylvania SMBs.

NIST 2.0 can complement your existing cybersecurity provisions.

Perhaps more importantly, the Framework is exceedingly cost-effective and a key means of giving stakeholders the confidence they need to stay on board.

It is also an indispensable way to attract new clients and customers in a climate of growing attacks against customer data.

Next Steps For Small Businesses In Pennsylvania

To move forward, and enhance your profile as a data-secure online vendor, we recommend considering the new Framework for its maturity, robustness, and for the wealth of expertise that has gone into its formulation.

Take advantage of the wealth of resources it makes available to early adopters, and its proven ability to secure the trust of stakeholders and clients in your organization.

To learn more, get in touch today.

Our experts make understanding the new NIST provisions simple with ongoing guidance and resources.

Give your IT team and decision makers the tools and the knowledge they need to build a robust anti-cyber-threat toolkit and harden your organization against code-based, cultural, and other attack vectors with NIST 2.0.

Let Graffen make you a NIST 2.0 leader in your industry.