NIST Cybersecurity Framework 2.0 Released

On February 26, 2024, the National Institute of Standards and Technology (NIST), an agency within the U.S. Department of Commerce, released Version 2.0 of its Cybersecurity Framework (CSF), the first major update since its 2014 release.[1] Version 2.0 emphasizes the importance of governance by adding a sixth Core Function to the framework. In addition, Version 2.0 expands the CSF beyond critical infrastructure, promotes secure supply chains, and includes a new suite of additional guidance to assist with implementation.

NIST: A Standard for Managing Cybersecurity Risk

The NIST CSF is the landmark guidance on reducing cybersecurity risk. It was released as part of a broader federal initiative to improve cybersecurity and has served as benchmark for large companies and organizations since it was first published. It aims to help organizations understand, reduce, and communicate about cybersecurity risk.

While the NIST CSF may be adopted voluntarily, it has been incorporated into government policies and mandates both within and outside the United States. Companies regularly use the NIST CSF to navigate complex and overlapping cybersecurity regulatory regimes. By way of illustration, Connecticut and Ohio’s data breach statutes provide safe harbors to companies that follow the NIST CSF.

It is important to note that it is challenging for any company to reach total compliance with the NIST CSF. Instead, the NIST CSF is an aspirational maturity model. Companies that inaccurately boast full compliance with the NIST CSF could face regulatory scrutiny. For instance, self-reported compliance with the NIST CSF is key evidence in the SEC’s enforcement action against SolarWinds.

Version 2.0: Accessible and Modernized

Before last week, the NIST CSF had not been substantially updated since 2014. Version 2.0 supports the White House’s National Cybersecurity Strategy and is the culmination of years of coordination with stakeholders and industry players. It offers a robust, workable framework that expands the CSF’s guidance on managing cybersecurity risk.

Key updates in Version 2.0 target governance, expansion beyond critical infrastructure, and supply chain vulnerabilities.

Adding An Emphasis On Governance

CSF version 1.0 was organized around five key functions that parallel the life cycle of managing cybersecurity risk: identify, protect, detect, respond, and recover. These functions are divided into categories and subcategories that offer granular guidance on CSF’s recommendations. Version 2.0 adds a sixth overarching function: “govern.” The “govern” function provides outcomes to inform what an organization can do to achieve and prioritize the previous five functions in the context of its mission and stakeholder expectations. These initiatives target the organization’s stakeholders and decisionmakers to make sure they are invested in and foster accountability regarding cybersecurity risk assessment and compliance. 

This added emphasis on governance targets the development and execution of organizations’ cybersecurity strategy. Version 2.0 emphasizes cybersecurity as a major source of risk that senior leadership must consider along with traditional risks such as financial, supply chain, reputational, and physical. Buy-in from senior leadership is essential and must be communicated throughout the organization.

Accessibility for Entities Beyond Critical Infrastructure

While Version 1.0 focused on critical infrastructure such as hospitals and power plants, Version 2.0 addresses a broad array of sectors, including industry, nonprofit organizations, schools, and local government entities—regardless of their level of cybersecurity sophistication.

To help these organizations navigate their cybersecurity risk, Version 2.0 is accompanied by a suite of resources designed to meet these entities where they are and help them navigate and implement the framework. These online resources complement the NIST CSF and include a community page to learn from other users’ success stories, quick-start guides designed for specific industries and users such as small businesses and enterprise risk managers, and a reference tool to simplify applying the NIST CSF. Organizational profiles on the NIST website will help organizations compare where they are versus where they could be depending on their size and industry. Version 2.0 describes desirable outcomes but does not prescribe these outcomes or how they can be achieved. The “how” is available via these online tools.

Supply Chain Risk Management

Version 2.0 addresses the reality that cybersecurity supply chains rely on complex, global, and interconnected supply chains with multiple levels of outsourcing between public and private entities. Supply chain risk management is thus a critical part of every organization’s cybersecurity risk planning. Version 2.0 includes supply chain risk management guidelines in the cybersecurity and governance function (G-SCRM). NIST also released a related guide on supply chain risk management in 2022.

Conclusion

Version 2.0 of the NIST CSF ushers in a more broadly applicable and tailored framework to manage cybersecurity risk. Its expansion into industries beyond critical infrastructure render it more applicable across industries and organizational structures, and may lead to a heightened expectation that organizations at all levels of cybersecurity sophistication implement its guidelines.

With regulations in the works requiring audits of organizations’ cybersecurity programs, bringing cyber policies into line with NIST CSF may assist in avoiding regulatory scrutiny.[2] Jenner & Block stands ready to assist clients in developing robust cybersecurity programs using a compliance, risk, and governance model.

Related Capabilities

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

NIST Cybersecurity Framework 2.0 Released

On February 26, 2024, the National Institute of Standards and Technology (NIST), an agency within the U.S. Department of Commerce, released Version 2.0 of its Cybersecurity Framework (CSF), the first major update since its 2014 release.[1] Version 2.0 emphasizes the importance of governance by adding a sixth Core Function to the framework. In addition, Version 2.0 expands the CSF beyond critical infrastructure, promotes secure supply chains, and includes a new suite of additional guidance to assist with implementation.

NIST: A Standard for Managing Cybersecurity Risk

The NIST CSF is the landmark guidance on reducing cybersecurity risk. It was released as part of a broader federal initiative to improve cybersecurity and has served as benchmark for large companies and organizations since it was first published. It aims to help organizations understand, reduce, and communicate about cybersecurity risk.

While the NIST CSF may be adopted voluntarily, it has been incorporated into government policies and mandates both within and outside the United States. Companies regularly use the NIST CSF to navigate complex and overlapping cybersecurity regulatory regimes. By way of illustration, Connecticut and Ohio’s data breach statutes provide safe harbors to companies that follow the NIST CSF.

It is important to note that it is challenging for any company to reach total compliance with the NIST CSF. Instead, the NIST CSF is an aspirational maturity model. Companies that inaccurately boast full compliance with the NIST CSF could face regulatory scrutiny. For instance, self-reported compliance with the NIST CSF is key evidence in the SEC’s enforcement action against SolarWinds.

Version 2.0: Accessible and Modernized

Before last week, the NIST CSF had not been substantially updated since 2014. Version 2.0 supports the White House’s National Cybersecurity Strategy and is the culmination of years of coordination with stakeholders and industry players. It offers a robust, workable framework that expands the CSF’s guidance on managing cybersecurity risk.

Key updates in Version 2.0 target governance, expansion beyond critical infrastructure, and supply chain vulnerabilities.

Adding An Emphasis On Governance

CSF version 1.0 was organized around five key functions that parallel the life cycle of managing cybersecurity risk: identify, protect, detect, respond, and recover. These functions are divided into categories and subcategories that offer granular guidance on CSF’s recommendations. Version 2.0 adds a sixth overarching function: “govern.” The “govern” function provides outcomes to inform what an organization can do to achieve and prioritize the previous five functions in the context of its mission and stakeholder expectations. These initiatives target the organization’s stakeholders and decisionmakers to make sure they are invested in and foster accountability regarding cybersecurity risk assessment and compliance. 

This added emphasis on governance targets the development and execution of organizations’ cybersecurity strategy. Version 2.0 emphasizes cybersecurity as a major source of risk that senior leadership must consider along with traditional risks such as financial, supply chain, reputational, and physical. Buy-in from senior leadership is essential and must be communicated throughout the organization.

Accessibility for Entities Beyond Critical Infrastructure

While Version 1.0 focused on critical infrastructure such as hospitals and power plants, Version 2.0 addresses a broad array of sectors, including industry, nonprofit organizations, schools, and local government entities—regardless of their level of cybersecurity sophistication.

To help these organizations navigate their cybersecurity risk, Version 2.0 is accompanied by a suite of resources designed to meet these entities where they are and help them navigate and implement the framework. These online resources complement the NIST CSF and include a community page to learn from other users’ success stories, quick-start guides designed for specific industries and users such as small businesses and enterprise risk managers, and a reference tool to simplify applying the NIST CSF. Organizational profiles on the NIST website will help organizations compare where they are versus where they could be depending on their size and industry. Version 2.0 describes desirable outcomes but does not prescribe these outcomes or how they can be achieved. The “how” is available via these online tools.

Supply Chain Risk Management

Version 2.0 addresses the reality that cybersecurity supply chains rely on complex, global, and interconnected supply chains with multiple levels of outsourcing between public and private entities. Supply chain risk management is thus a critical part of every organization’s cybersecurity risk planning. Version 2.0 includes supply chain risk management guidelines in the cybersecurity and governance function (G-SCRM). NIST also released a related guide on supply chain risk management in 2022.

Conclusion

Version 2.0 of the NIST CSF ushers in a more broadly applicable and tailored framework to manage cybersecurity risk. Its expansion into industries beyond critical infrastructure render it more applicable across industries and organizational structures, and may lead to a heightened expectation that organizations at all levels of cybersecurity sophistication implement its guidelines.

With regulations in the works requiring audits of organizations’ cybersecurity programs, bringing cyber policies into line with NIST CSF may assist in avoiding regulatory scrutiny.[2] Jenner & Block stands ready to assist clients in developing robust cybersecurity programs using a compliance, risk, and governance model.

Related Capabilities

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

News and Insights

Publications

Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report

Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.

July 14, 2026

Publications

Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law

Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.

July 7, 2026

Publications

In New York Law Journal, The True Lender Doctrine and the OppFi Decision

Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.

July 1, 2026

Event

Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference

On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.

July 1, 2026