NIST CSF 2.0: unlocking cybersecurity value and strengthening resilience

In an era where cyber threats are growing more sophisticated and persistent, organizations need a flexible and practical approach to manage their cybersecurity risks. That’s where NIST CSF 2.0 – the National Institute of Standards and Technology Cybersecurity Framework 2.0 – comes in.

Released in February 2024, CSF 2.0 marks a significant evolution from its 2014 predecessor. Originally designed for critical infrastructure, the framework now broadens its scope to support all organizations –public or private, large or small – seeking to strengthen their cybersecurity posture.

In the European landscape, NIST CSF 2.0 seamlessly integrates the requirements of DORA, positioning itself as an open standard to ensure compliance. While DORA imposes specific demands on operational resilience within the financial services sector, NIST CSF 2.0 provides a flexible and adaptive framework, enabling organizations to not only meet these regulatory requirements but also continuously evolve their cybersecurity strategies and management maturity. This comprehensive approach offers a helicopter view of an organization’s overall cybersecurity posture, ensuring alignment between cybersecurity practices and overarching business objectives.

During the NIST assessment, management uses the maturity level to set clear targets, with a roadmap from KPMG guiding the organization toward its goals. CSF 2.0 introduces an updated "Govern" function, focusing on leadership and risk oversight, while maintaining the core functions of Identify, Protect, Detect, Respond, and Recover to improve cybersecurity practices. Whether you’re building a security program from the ground up or refining an existing one, CSF 2.0 provides a clear, strategic path forward in today’s evolving digital landscape.

NIST Cybersecurity Framework 2.0 (CSF 2.0)

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is recognized globally as a key standard for organizations across different industries and government sectors in managing and reducing cybersecurity risks. With the release of NIST CSF 2.0, organizations can now better assess their cybersecurity maturity, identify areas for improvement, and implement enhanced processes and controls to reach higher maturity levels. Importantly, many local and sector-specific regulatory authorities refer to or align with NIST CSF, using it as a foundational guide for effective cyber risk management. This broad adoption reinforces its standing as a versatile, trusted framework for cybersecurity worldwide.

The NIST Cyber Security Framework (NIST CSF) is a capability framework developed by the US Government. The NIST CSF provvides a common language to understand, manage and express cyber risks both internally and externally. It can be used to help identify and prioritise actions for reducing cyber security risks and provides a tool for aligning policy, business and technological approaches to manage cyber risk.

Govern

Enables establishing and monitor organization risk management strategy, expectations, and policy.
Identity

Enables the organisation to manage cyber security risk to systems, assets, data, and capabilities in a manner consistent with its risk management strategy and business needs by understanding the business context, the resources that support critical functions, and the related risks.
Protect

Enables safeguards to ensure delivery of critical infrastructure services and support the ability to limit or contain the impact of a potential cyber security event.
Detect

Enables appropriate activities to support the timely discovery of cyber security events.
Respond

Enables appropriate activities to take action regarding a detected cyber security event and contain the potential impact.
Recover

Enables appropriate activities to maintain plans for resilience and to restore any capabilities or services to normal operations in a timely manner to reduce the impact from a cyber security event.

Key benefits of adopting NIST CSF 2.0

Adopting NIST CSF 2.0 offers significant benefits, especially in providing strong support for management. It enables leadership to make informed, strategic decisions while ensuring cybersecurity resilience and compliance with global regulations.

alignment with other regulations

NIST CSF 2.0 serves as a common language that can be easily mapped to various global and local cybersecurity regulations. This makes it a reliable reference framework for meeting mandatory regulatory requirements.

strengthened cybersecurity resilience

NIST CSF 2.0 enables organizations to better prepare for, respond to, and recover from cyber incidents. It fosters a risk-informed culture through a proactive and systematic cybersecurity approach.

supports continuous improvement

NIST CSF 2.0 encourages organizations to regularly assess and refine their cybersecurity posture. This ensures they stay agile and adaptive in a rapidly evolving threat landscape.

KPMG NIST CSF 2.0 assessment methodology

The 4-phased NIST Cybersecurity Risk and Maturity Assessment approach follows a logical sequence to ensure that findings are validated throughout the process and feedback is gathered on an iterative basis. This approach not only ensures alignment with the framework but also actively engages stakeholders at each phase, with a SWOT analysis incorporated to assess the organization's cybersecurity strengths, weaknesses, opportunities, and threats, further enhancing the assessment and improvement strategy.

Additionally, KPMG may incorporate the CMMI Maturity Scoring Approach to assess maturity levels across the NIST 2.0 domains. This approach – standing for Capability Maturity Model Integration, developed by the CMMI Institute – facilitates a thorough evaluation of the organization's cybersecurity maturity within each domain. The resulting cyber maturity score offers a comprehensive overview, highlighting areas for further enhancement and pinpointing specific domains requiring improvement to bolster the organization’s overall cybersecurity posture.

KPMG expertise

From cybersecurity risk assessments to ICT governance model definition, KPMG’s tech & cyber risk consulting specialists have long supported financial institutions in identifying and addressing key gaps by defining roadmaps with both tactical and strategic action plans. Our team has conducted numerous audit and advisory engagements aligned with NIST CSF 2.0, helping clients enhance their cybersecurity maturity and operational resilience. In addition, our professionals hold globally recognized certifications such as CISSP, CISM, CRISC, CISA, ITIL, and ISO/IEC 27001, ensuring deep expertise and trusted guidance in every engagement.

This article was written in collaboration with Imran Abdullayev, Senior IT Auditor and Consultant at KPMG Luxembourg.