The U.S. NIST (National Institute of Standards and Technology) released two new NIST Cybersecurity Framework (CSF) 2.0 quick-start guides (QSG), adding to an expanding portfolio of implementation resources that offer tailored pathways for different audiences to engage with CSF 2.0. One document positions cybersecurity risk as a core component of enterprise risk management and integrates it with workforce planning to improve how organizations assess, communicate, and respond to threats, while the other explains what informative references are and how they support achieving the outcomes of CSF 2.0.
NIST published the final version of NIST Special Publication (SP) 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick-Start Guide, which draws on concepts and practices from enterprise risk management, cybersecurity risk management, and workforce management to help organizations improve communication about cybersecurity risks, plan workforce decisions, and implement risk-informed responses. The document identifies cybersecurity risks as one of many types of risk that every organization should manage and integrate into its broader enterprise risk management (ERM) strategy.
“Potential negative impacts to organizations from cybersecurity risks include higher costs, data loss, operational disruptions, lost revenue, reputational damage, and reduced innovation,” according to the document. “In addition to negative risks, positive risks—where an enterprise asset may constitute an opportunity to realize a benefit or positive impact—should also be considered. The NIST Cybersecurity Framework (CSF) 2.0 provides guidance for managing cybersecurity risks by helping organizations understand, assess, prioritize, and communicate consistently about cybersecurity efforts, including those related to the cybersecurity workforce.”
NIST also published the Initial Public Draft of SP 1347, NIST Cybersecurity Framework 2.0: Informative References Quick-Start Guide, which explains what informative references are and how they support achieving the outcomes of the CSF 2.0. The guide also introduces readers to NIST tools available for accessing, viewing, and using informative references for cybersecurity risk management, including direct download, the CSF 2.0 Reference Tool, and the Online Informative References Program. The draft contains two sample use cases and provides an overview of how artificial intelligence tools can support reference data use. SP 1347 is available for a 45-day public comment period, closing May 6.
SP 1308 describes the first step, ‘Scope the Organizational Profile,’ as setting the high-level facts, assumptions, and constraints that shape the Profiles and anchor the entire effort. It begins by convening cross-functional stakeholders with the authority to gather risk and workforce data, define priorities, and act on risk decisions, ensuring cybersecurity risks are aligned with the enterprise mission and supported by a realistic budget and operational context.
The step involves appointing accountable leaders across the board, executive, cybersecurity, enterprise risk, and workforce functions while establishing a clear timeline, reviewing organizational goals and priorities, and conducting or revisiting the business impact analysis to identify critical assets and their potential exposure. It also requires putting change management and executive sponsorship in place to enable coordination across teams, and mapping third-party dependencies, including the capabilities of their workforce, to ensure the scope reflects the full risk landscape.
For the next step, ‘Gather the information needed to prepare the Organizational Profile,’ SP 1308 says that a clear picture of the organization’s current cybersecurity risk management, enterprise risk management, and workforce context enables leadership to focus on the risks that matter most to the mission and respond with precision.
From a risk management perspective, this includes defining risk appetite and tolerance to set acceptable boundaries, reviewing business impact analysis registers and enterprise risk profiles, and assessing third-party risks, including the capabilities of vendor workforces.
On the cybersecurity side, organizations draw on regulatory requirements, laws, and standards, along with internal policies, risk registers, and key risk and performance indicators, while also factoring in emerging threats that demand new skills. From a workforce standpoint, this requires visibility into staffing structures, current and unfilled roles, existing skill sets and certifications, as well as recruiting and training programs, supported by frameworks such as the NICE Framework to CSF 2.0 crosswalk.
The next step, ‘Create the Organizational Profile,’ defines an organization’s current and target cybersecurity posture in terms of outcomes aligned to the CSF Core, enabling teams to understand, tailor, assess, and prioritize cybersecurity activities based on mission objectives, stakeholder expectations, threat exposure, and regulatory requirements. The document distinguishes between a Current Profile, which captures the outcomes the organization is already achieving and the extent of their effectiveness, and a Target Profile, which outlines the prioritized outcomes needed to meet future risk management goals while accounting for changes such as new technologies, evolving threats, and regulatory shifts.
These profiles are analyzed side by side within a single view to expose gaps between the current state and desired outcomes, forming the basis for risk-informed decision-making. This process involves reviewing CSF Functions, Categories, and Subcategories to evaluate existing practices in the context of enterprise risk strategy, defining target outcomes aligned with priorities and budget constraints, and continuously assessing how workforce roles and capabilities support or hinder risk management objectives, with updates reflecting shifts in both the threat landscape and organizational needs.
The fourth step, ‘analyze gaps between current and target profiles and create an action plan,’ sets the Current and Target Profiles side by side in a single view to expose the gaps between the outcomes the organization achieves today and those it has prioritized, and turns that analysis into a risk-informed action plan. The comparison works through the CSF Functions, Categories, and Subcategories in the context of the enterprise risk strategy, weighs target outcomes against priorities and budget constraints, and assesses how workforce roles and capabilities support or hinder the risk management objectives, with updates reflecting shifts in both the threat landscape and organizational needs.
The next step, implementing the action plan and updating the organizational profile, marks the shift from planning to execution. At this point, cybersecurity, enterprise risk, and workforce teams have a grounded understanding of stakeholder expectations, budget realities, priorities, critical assets, and risk exposure, allowing them to act decisively on the most effective workforce and risk responses to address the organization’s highest-impact risks.
This involves convening a cross-functional team to select appropriate workforce responses, which may include upskilling existing employees through training and mentorship, creating or redefining roles, recruiting talent aligned with frameworks such as the NICE Workforce Framework for Cybersecurity, or augmenting capabilities through third-party partners.
Workforce management teams then assign cost estimates, timelines, success metrics, and implementation considerations across people, processes, and technology, while also evaluating opportunities where certain risks may present strategic benefits. If workforce-based responses are not feasible, organizations may need to adjust their broader risk strategy by accepting, avoiding, or transferring risk, with final decisions formally reviewed and approved by leadership through updated risk registers.
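The profile steps above (Current Profile, Target Profile, gap analysis, and the choice between a workforce response and a broader risk-strategy decision) are easy to lose in prose, so here is an added worked example that is not code from NIST or SP 1308. The four-level achievement scale, the priority weighting, the sample levels and the chosen responses are all constructed assumptions; the Subcategory IDs are an illustrative subset of the CSF 2.0 Core and should be checked against the published Core before reuse.

```python
"""Added example: a minimal Current/Target Profile gap analysis in the shape
SP 1308 describes. Scale, weights and sample data are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical four-level achievement scale for an outcome (assumption, not NIST's).
LEVELS = {"not_achieved": 0, "partial": 1, "largely": 2, "fully": 3}

# Workforce responses named in SP 1308: upskill, create/redefine roles,
# recruit, or augment through third parties.
WORKFORCE_RESPONSES = {"upskill", "redefine_role", "recruit", "third_party"}


@dataclass(frozen=True)
class OutcomeRow:
    subcategory: str         # CSF 2.0 Subcategory ID (illustrative subset)
    function: str            # CSF 2.0 Function the Subcategory belongs to
    priority: int            # 1 (low) .. 3 (high), set by stakeholders (assumption)
    current: str             # Current Profile level
    target: str              # Target Profile level
    response: Optional[str]  # chosen workforce response, or None if none is feasible

    def __post_init__(self):
        if self.response is not None and self.response not in WORKFORCE_RESPONSES:
            raise ValueError(f"unknown workforce response {self.response!r}")

    def gap(self) -> int:
        """How far the Target Profile outcome exceeds the Current Profile outcome."""
        return max(LEVELS[self.target] - LEVELS[self.current], 0)

    def score(self) -> int:
        """Priority-weighted gap used for ordering the action plan (assumption)."""
        return self.priority * self.gap()


# Constructed sample profile: levels, priorities and responses are made up.
SAMPLE_PROFILE = [
    OutcomeRow("GV.OC-01", "Govern",   3, "largely",      "fully",   None),
    OutcomeRow("ID.AM-01", "Identify", 2, "partial",      "fully",   "upskill"),
    OutcomeRow("PR.AA-01", "Protect",  3, "not_achieved", "largely", "recruit"),
    OutcomeRow("DE.CM-01", "Detect",   3, "partial",      "largely", "third_party"),
    OutcomeRow("RS.MA-01", "Respond",  2, "largely",      "largely", None),
    OutcomeRow("RC.RP-01", "Recover",  1, "fully",        "fully",   None),
]


def gap_rows(profile):
    """Side-by-side view: outcomes whose target exceeds current, highest score first."""
    rows = [r for r in profile if r.gap() > 0]
    return sorted(rows, key=lambda r: (-r.score(), r.subcategory))


def gaps_by_function(profile):
    """Total gap per CSF Function, a quick way to see where the posture is weakest."""
    totals = {}
    for r in profile:
        totals[r.function] = totals.get(r.function, 0) + r.gap()
    return totals


def action_plan(profile):
    """Split gaps into workforce actions and items that need a risk-strategy decision.

    Where no workforce response is feasible, SP 1308 says the organization may
    instead accept, avoid, or transfer the risk, with leadership approval recorded
    in the risk register; those items are surfaced separately for that decision.
    """
    plan = {"workforce_actions": [], "risk_strategy_decisions": []}
    for r in gap_rows(profile):
        item = {"subcategory": r.subcategory, "function": r.function,
                "gap": r.gap(), "score": r.score()}
        if r.response is not None:
            item["response"] = r.response
            plan["workforce_actions"].append(item)
        else:
            item["options"] = ["accept", "avoid", "transfer"]
            plan["risk_strategy_decisions"].append(item)
    return plan


if __name__ == "__main__":
    for row in gap_rows(SAMPLE_PROFILE):
        print(f"{row.subcategory:9} {row.current:>12} -> {row.target:<8} gap={row.gap()} score={row.score()}")
    print(gaps_by_function(SAMPLE_PROFILE))
    print(action_plan(SAMPLE_PROFILE))
```

The ordering key (priority times gap) is deliberately simple; a real Profile would carry the budget and timeline fields the guide mentions and feed them into the same sort.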
Turning to the SP 1347 draft, NIST explains what informative references are and how they support achieving the outcomes of NIST CSF 2.0, introduces the NIST tools for accessing, viewing, and using them for cybersecurity risk management, and illustrates their use with two sample use cases and an overview of how artificial intelligence tools can support reference data use.
The guide walks through three NIST tools for accessing informative references, each offering a different level of detail and customization. The first is a direct download in Excel format, which provides all published CSF 2.0 informative references in a single spreadsheet with columns for Functions, Categories, Subcategories, Implementation Examples, and Informative References. The second is the CSF 2.0 Reference Tool, a web-based tool that allows users to dynamically filter, view, and export references in Excel or JSON format. The third is the Online Informative References Program (OLIR), the most customizable option, which extends beyond CSF 2.0 to cover other NIST publications and allows cross-reference comparison across multiple frameworks. It also accepts submissions from both NIST and non-NIST entities. The document cautions that NIST conducts only limited conformance testing of OLIR submissions, does not test non-NIST submitted mappings for correctness, and that listing in the catalog does not imply NIST endorsement.
The guide explains how informative references support the development of CSF 2.0 Organizational Profiles, both Current Profiles (what the organization achieves today) and Target Profiles (where it wants to be). The gap between the two drives action planning and continuous improvement over time.
It also includes a dedicated section that covers how AI tools can be used alongside NIST reference data. Key points include the ability to ingest structured exports from NIST tools, perform automated crosswalks, surface alignment patterns not explicitly mapped, and anchor AI reasoning to authoritative identifiers such as CVEs and control IDs to avoid hallucinated mappings.
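The point about anchoring AI reasoning to authoritative identifiers is worth seeing as a concrete check. The following added example (not code from NIST or the guide) takes a small constructed JSON catalog, whose field names are an assumption rather than the Reference Tool's real export schema, and sorts AI-proposed crosswalk mappings into three buckets: confirmed (already in the catalog), candidate (both identifiers are authoritative but the pairing is not explicitly mapped, so a human reviews it), and rejected (an identifier that does not exist in the catalog or is malformed, which is how a hallucinated mapping shows up). The reference IDs and the CVE placeholder are constructed.

```python
"""Added example: validate AI-proposed crosswalk mappings against an authoritative
identifier catalog. The JSON layout, reference IDs and CVE placeholder are constructed."""
import json
import re

# Real CVE identifier syntax: CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed catalog in the spirit of a reference export. Field names are an
# assumption; "EXAMPLE-CTRL-n" are placeholder control IDs, not a real framework.
CATALOG_JSON = """
{
  "subcategories": ["GV.OC-01", "ID.AM-01", "PR.AA-01", "DE.CM-01"],
  "informative_references": [
    {"subcategory": "ID.AM-01", "reference": "EXAMPLE-CTRL-1"},
    {"subcategory": "PR.AA-01", "reference": "EXAMPLE-CTRL-2"},
    {"subcategory": "DE.CM-01", "reference": "EXAMPLE-CTRL-3"}
  ]
}
"""


def load_catalog(text):
    """Parse the export into the identifier sets the validator anchors against."""
    data = json.loads(text)
    refs = data["informative_references"]
    return {
        "subcategories": set(data["subcategories"]),
        "references": {r["reference"] for r in refs},
        "pairs": {(r["subcategory"], r["reference"]) for r in refs},
    }


def classify_mapping(mapping, catalog):
    """Return (status, reason) for one proposed {"subcategory", "reference"} pair."""
    sub = mapping.get("subcategory")
    ref = mapping.get("reference")
    if sub not in catalog["subcategories"]:
        return "rejected", f"unknown subcategory {sub!r}"
    if ref is None:
        return "rejected", "missing reference identifier"
    if ref in catalog["references"]:
        if (sub, ref) in catalog["pairs"]:
            return "confirmed", "pairing exists in the authoritative catalog"
        # Both identifiers are authoritative, but the alignment is not explicitly
        # mapped: exactly the kind of pattern an AI tool may surface for review.
        return "candidate", "valid identifiers, pairing not in catalog; needs review"
    if CVE_RE.match(ref):
        # Syntax only: a well-formed CVE ID can still refer to no real record,
        # so the pairing is a candidate until checked against the CVE list.
        return "candidate", "well-formed CVE ID; confirm it exists before accepting"
    return "rejected", f"reference {ref!r} is not an authoritative identifier"


def validate_mappings(mappings, catalog):
    """Bucket a batch of proposed mappings by status, keeping the reasons."""
    result = {"confirmed": [], "candidate": [], "rejected": []}
    for m in mappings:
        status, reason = classify_mapping(m, catalog)
        result[status].append({**m, "reason": reason})
    return result


# Constructed batch standing in for AI-generated crosswalk suggestions.
PROPOSED = [
    {"subcategory": "ID.AM-01", "reference": "EXAMPLE-CTRL-1"},   # already mapped
    {"subcategory": "GV.OC-01", "reference": "EXAMPLE-CTRL-3"},   # unmapped alignment
    {"subcategory": "PR.AA-01", "reference": "EXAMPLE-CTRL-9"},   # control ID does not exist
    {"subcategory": "PR.XX-99", "reference": "EXAMPLE-CTRL-2"},   # subcategory does not exist
    {"subcategory": "DE.CM-01", "reference": "CVE-0000-0000"},    # placeholder CVE, syntax OK
    {"subcategory": "DE.CM-01", "reference": "CVE-24-1"},         # malformed CVE ID
]


if __name__ == "__main__":
    report = validate_mappings(PROPOSED, load_catalog(CATALOG_JSON))
    for status, items in report.items():
        for item in items:
            print(f"{status:9} {item['subcategory']:9} {item['reference']:15} {item['reason']}")
```

Only the confirmed bucket is safe to consume automatically; candidates go to a reviewer, and the rejected bucket is a useful metric for how often a tool invents identifiers.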
Last November, NIST released the second public draft of NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick-Start Guide, following the March publication of the initial public draft of NIST SP 1308. The CSF 2.0 Quick-Start Guide was designed to provide tailored pathways that help different audiences adopt and operationalize the Framework more easily.