NIST CSF 2.0 explained: New governance, AI security guidance, and how organizations use the framework to reduce risk and increase revenue.

NIST CSF 2.0: How the framework is evolving for modern cyber risk


NIST CSF continues to evolve with new governance on AI.

In 2024, the National Institute of Standards and Technology (NIST) published NIST CSF 2.0, marking a major update to its 2014 Cybersecurity Framework. Originally designed for critical infrastructure, the revised version expands its guidance to organizations of all sizes and sectors.  

This evolution underscores the growing recognition of cybersecurity as a fundamental business risk rather than a straightforward IT issue.

The numbers bear this out. According to the nonprofit Identity Theft Resource Center (ITRC), there were 3,322 publicly reported data theft compromises in 2025.

In December 2025, NIST extended CSF 2.0 with a draft Cyber AI Profile to address AI-specific risks: securing AI components, using AI for defense, and thwarting AI-boosted attacks.

NIST CSF 2.0’s latest expansion addresses AI threats

IBM reported that in 2025, 97% of organizations that reported an AI-related security incident lacked proper AI access controls.  

The Cyber AI Profile (draft) extends the core principles of NIST CSF 2.0 to address the unique risks and opportunities introduced by AI. CSF 2.0 reframed cybersecurity as a business-level risk with expanded governance, supply-chain oversight, and broader application across industries, and the AI profile adapts the same functions to account for AI-specific threats such as model manipulation, data poisoning, and unintended system behavior.

The draft emphasizes stronger governance and accountability around AI, including data sourcing, model training, deployment, and monitoring. It also highlights the need for transparency, risk assessment, and continuous validation of AI systems to ensure they behave as intended.  

The Cyber AI Profile acts as a practical overlay to CSF 2.0, helping organizations integrate AI risk into existing cybersecurity programs while maintaining alignment with NIST principles and broader enterprise risk strategies.

NIST CSF 2.0 overview: Key updates and core functions

A decade since its first edition, NIST updated its cyber advice to match the modern threat landscape.

In brief:

· “Govern” promoted to core function

· Sector-agnostic language with a fresh mapping to global standards

· More resources to get organizations started

· Expanded focus on supply chain outcomes

1. Govern function

Once a category of the Identify function, Govern has been added alongside the existing five: Identify, Protect, Detect, Respond, and Recover. Govern determines the steps organizations can take to achieve and prioritize the outcomes of the other five functions.  

CSF-compliant boards must now establish cybersecurity oversight and policies, as well as maintain continuous oversight of supply chain risk to avoid repeats of major breaches like the 2020 SolarWinds attack.

2. Universal scope

Compared to CSF 1.1’s stress on protecting critical, national infrastructure, CSF 2.0’s language is sector-agnostic, making it applicable to diverse industries from manufacturing to financial services.  

Its profile maps cleanly onto similar cybersecurity frameworks like ISO 27001, PCI DSS, and SOC 2, which means multinationals now have a much better chance of harmonizing programs instead of juggling multiple overlapping standards at once.

3. Implementation toolkit and guides

NIST has published a litany of guides and checklists tailored to different framework domains, components, and business sizes. Among them is a 30-page book detailing implementation examples along with the outline of CSF 2.0 itself.  

This guidance includes categories like risk management strategy, policies, and oversight designed to shrink consultant hours relative to the original framework and accelerate time-to-value.

4. Sharper supply chain scrutiny

The Verizon 2025 Data Breach Investigations Report found that 30% of breaches were linked to third parties, double the share reported in 2024. NIST CSF 2.0 places a much greater emphasis on supplier controls for each function, reinforcing directives like the EU’s Digital Operational Resilience Act (DORA) and White House Executive Order 14028 on “Improving the Nation’s Cybersecurity.”

The business benefits of NIST CSF 2.0 alignment

Cybersecurity spending has traditionally been viewed as a necessary operating expense—essential but rarely considered a strategic outlay. NIST CSF 2.0 flips this narrative, given how carefully targeted controls can actually drive revenue, protect cash flow, and even potentially unlock new markets.  

This is not an immediate flip, of course. Change has been brewing for some time.  

In 2017, professional IT services provider By Light won a U.S. Department of War contract worth $59.5 million, even though a competitor underbid it by almost $3 million. The final evaluation noted only one decisive edge: The company “proposed to incorporate the voluntary NIST CSF on top of its compliance with the baseline cybersecurity requirements.”  

The fact that superior cybersecurity was a major factor in securing a contract worth millions shows that a well-run framework now plays a crucial role in boosting win rates and profit margins.

Compared to the project’s additional investments, implementing CSF 2.0 was worth at least $1.4 million, or 2.5% of the contract—for By Light, a credible early sign that cybersecurity resilience can factor into best-value scoring.  

A comprehensive global study by ESI ThoughtLab revealed that greater overall investment in cybersecurity can generate an ROI of 179%. This is an average across three key areas—people, process, and technology.

CSF adoption naturally lowers the cost of failure. A risk-led approach to security helps organizations maintain a mature, resilient, adaptable security posture, and that posture is reflected in market attitudes.

The 2024 Healthcare Cybersecurity Benchmarking Study, for example, reveals that healthcare organizations that use CSF as their primary cybersecurity framework report one third slower growth in cyber insurance premium payments.

Even when not required by contract, adopting CSF can strengthen stakeholder trust. Seven out of ten security leaders adopt it as best practice, not just by necessity.

How NIST CSF aligns with Zero Trust

Any deny-by-default architecture maps naturally to CSF outcomes. The latest Govern function embeds the mindset that breaches are all but inevitable. “Protect” and “Detect” ingest telemetry from features like allowlists. “Respond” and “Recover” leverage isolation and rollback techniques.  

While technically it’s possible to achieve all of these by deploying elaborate tool-chains, it’s much simpler to automate these steps using default-deny controls. For instance, ThreatLocker® features like Application Allowlisting and Data storage access control comply with the strict access control and auditing required by frameworks like NIST 800-171 Rev. 2, when properly configured.

Future-proofing with NIST CSF

The influence of NIST’s Cybersecurity Framework now extends far beyond the original 2014 remit of version 1.1. Partly, this is the result of knowledge gleaned from greater usage. In 2017, an executive order mandated CSF as a standard for all federal government agencies, as well as their supply chain entities—a change that established CSF as the de facto standard for U.S. government cybersecurity.  

While private sector organizations are generally free to adopt or ignore CSF as they see fit, contractors that handle sensitive government data or who work with federal agencies may be required to be CSF-compliant. This is especially true for defense contractors, who regularly encounter CSF through the Cybersecurity Maturity Model Certification (CMMC) 2.0 “Advanced” framework.  

CMMC Level 2 incorporates all 110 requirements from NIST SP 800-171. Level 3 (“Expert”) also incorporates additional controls from NIST SP 800-172. Healthcare organizations have also benefited from the formal “crosswalk” that maps Health Insurance Portability and Accountability Act (HIPAA) requirements to the CSF, developed as part of a partnership between NIST and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Federal regulators have even encouraged the HHS to demonstrate adoption of “recognized security practices” like CSF in the wake of cybersecurity breaches to avoid financial penalties.

And, as in the case of By Light, even when CSF is not a strict requirement, government uptake has created a ripple effect with private organizations choosing to align their standards with federal requirements.

The framework’s reach also extends beyond the U.S. The EU DORA’s five “pillars”—ICT risk management, incident management, operational resilience testing, third-party risk management, and information sharing—are closely aligned with CSF’s key functions.

Aligning with NIST CSF gives organizations a strategic advantage

The latest version of NIST’s Cybersecurity Framework is more than a simple grocery list of sophisticated security terms. It’s a strategic lens through which cybersecurity spend can be seen as directly linked to revenue, contract value, and increased brand trust.  

Boards and CISOs that fully embrace the new CSF Govern function, quantify their ROI, and streamline adoption will have a significant edge over those who treat cybersecurity as just another cost center.

The modern reality is that cyber risk has become business risk. Deployed correctly, NIST CSF 2.0 can hand leaders the playbook to transform that danger into a competitive advantage. And when Zero Trust principles are upheld, the process of following CSF 2.0 becomes a natural transition.

Read about NIST CSF 2.0 and more cybersecurity insights and strategies in Cyber Hero Frontline.
