NIST Cybersecurity Framework 2.0
The 2024 update to the NIST CSF added the Govern function alongside Identify, Protect, Detect, Respond, and Recover — providing a common language for organizational cybersecurity risk management.
Primary source
NIST Cybersecurity Framework 2.0 →https://www.nist.gov/cyberframework
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
Additional sources
The NIST Cybersecurity Framework (CSF) 2.0 was published in February 2024. It is the successor to CSF 1.1 (2018) and substantially broadens the framework's audience to all organizations, not only critical infrastructure.
CSF 2.0 organizes cybersecurity outcomes into six Functions:
- Govern (GV) — new in 2.0 — establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy.
- Identify (ID) — understand current cybersecurity risks to the organization.
- Protect (PR) — safeguards to manage cybersecurity risks.
- Detect (DE) — find and analyze possible cybersecurity attacks and compromises.
- Respond (RS) — take action regarding a detected cybersecurity incident.
- Recover (RC) — restore assets and operations affected by a cybersecurity incident.
Each Function has Categories, which contain Subcategories. CSF 2.0 includes implementation examples and informative references mapping each Subcategory to NIST SP 800-53 controls and other standards.
NIST SP 800-66 Revision 2 maps the HIPAA Security Rule to CSF Subcategories. A practice using CSF as the organizing framework for its security program can produce both the CSF organizational profile and the HIPAA Security Rule documentation from a single source — reducing duplicative documentation effort.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationNIST SP 800-66 Revision 2: HIPAA Security Rule Cybersecurity Resource GuideNIST's 2024 update to the implementation guide for the HIPAA Security Rule, mapping the rule's standards to NIST Cybersecurity Framework subcategories and current cybersecurity practices.
- RegulationNIST SP 800-63B: Digital Identity Guidelines (Authentication and Lifecycle Management)Federal authentication framework defining three Authenticator Assurance Levels (AAL1, AAL2, AAL3), authenticator types, and lifecycle requirements.
- RegulationHIPAA Security Rule: General Rules (45 CFR 164.306)Required objectives — confidentiality, integrity, and availability of ePHI — plus the flexibility provisions that govern how covered entities select and implement specific safeguards.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- SRAHIPAA Contingency Plan for a Small PracticeWhat the Security Rule contingency plan standard at 45 CFR 164.308(a)(7) actually requires, including data backup, disaster recovery, emergency mode operation, and testing — for a small practice.
- ComplianceHealthcare Incident Response Plan — Template + Tabletop ExerciseA 2026 healthcare incident response plan template aligned to 45 CFR 164.308(a)(6) and NIST SP 800-61 Rev. 3, with a tabletop exercise script for small practices.
- ComplianceHIPAA Contingency Plan Template — 45 CFR § 164.308(a)(7)2026 HIPAA contingency plan template — 45 CFR § 164.308(a)(7) data backup, DRP, emergency mode, testing, and applications/data criticality analysis.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.