What is NIST CSF 2.0? (and How Schellman Can Help with Your Assessment)
In today’s ever-evolving cyber threat landscape, maintaining robust cybersecurity isn’t just a regulatory requirement—it’s a business imperative, and there are multiple avenues organizations can take to do so.
Aligning with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) represents just one. And while there are plenty of good reasons to go this route—particularly for those in the financial sector—there are some things you should know about the latest version of the NIST CSF and how it will affect any third-party assessment you choose to pursue.
As experienced NIST CSF assessors who perform a wide range of cybersecurity audits, we’re positioned to provide that information. In this article, we’ll detail the NIST CSF, including its latest version 2.0, why financial institutions should take a harder look at this standard, and how Schellman can facilitate a frictionless assessment of your compliance so that you can deliver assurances where you need to.
What is the NIST CSF?
Originally published in 2014 after a presidential order to improve the cybersecurity of critical infrastructure in the United States, the NIST CSF is a set of guidelines intended to help organizations create and maintain a flexible risk management system. Rather than prescribing specific controls for you to implement, the initial NIST CSF was focused on securing five key functions of cybersecurity:
- Identify - Understand organizational risks.
- Protect - Implement safeguards.
- Detect - Identify cybersecurity incidents.
- Respond - Take swift action in the event of a breach or similar incident.
- Recover - Restore capabilities and services.
With its flexible, outcomes-based approach to cybersecurity—that’s now been bolstered further by the introduction of version 2.0—this framework can serve organizations of all sizes and industries.
What were the Updates in NIST CSF 2.0?
Though the NIST CSF was previously updated in 2018—version 1.1—NIST CSF 2.0 was released in 2024 to help businesses evolve their cybersecurity from a niche concern to a central element of organizational resilience and risk management. To achieve this goal, several changes were made to the standard, including:
- Broader Applicability: Though it was initially geared to aid critical infrastructure industries—such as energy, transportation, and healthcare—organizations of all types are targets for cybercriminals, and so NIST introduced more flexible language that makes the CSF more accessible to everyone, including small- and medium-sized organizations.
- Extended Privacy and Supply Chain Risk Management Information: For similar reasons—and because of the growing complexity of supply chains as well as the ripple effect of attacks on them—NIST CSF 2.0 includes:
  - Newly extended data privacy protection guidelines; and
  - Detailed control recommendations for managing cybersecurity risks from third-party vendors.
- New “Govern” Function: We mentioned that NIST sought to help organizations consider cybersecurity in a new, more important light, and that the original version of the CSF focused on five functions. NIST CSF 2.0 now has six, and the new Govern function is intended to help companies transform cybersecurity from an IT issue into a boardroom priority through its guidelines regarding:
  - Formalization of cybersecurity policies;
  - Assignment of relevant roles to create a clear accountability structure; and
  - Definition of oversight, so that cybersecurity can more easily be integrated into every level of the organization as well as into broader business decision-making.
- Updated Implementation Examples: NIST CSF 2.0 added more concrete examples and expanded the framework’s implementation guidance—i.e., it transformed what were abstract concepts into actionable steps—so that organizations are better able to apply the framework within their specific contexts, both practically and cost-effectively.
Why the Financial Sector Should Consider Implementing NIST CSF 2.0
Altogether, these changes make NIST CSF 2.0 a more flexible, scalable framework that can enhance organizational cybersecurity posture while allowing you to meet industry standards and regulatory requirements—something that could be of particular topical use for financial institutions.
Why?
The Federal Financial Institutions Examination Council (FFIEC) is sunsetting its Cybersecurity Assessment Tool (CAT) in August 2025. As such, the sector will need to pivot toward more comprehensive frameworks to safeguard its operations and reputation. In this, NIST CSF 2.0 presents a great option.
By implementing this framework, financial institutions can build a foundational cybersecurity program that will allow them to align cybersecurity strategies with broader business goals and regulatory compliance efforts.
The framework also plays well with others in that it facilitates integration across various cybersecurity compliance requirements by cross-mapping to multiple standards—which NIST refers to as “Informative References”—such as:
- HIPAA
- SOC 2
- PCI DSS
- ISO 27001
- CRI
- NIST 800-53
How Schellman Can Simplify Your NIST CSF 2.0 Transition & Assessment
That being said, we understand that—for institutions accustomed to the CAT—a transition to NIST CSF 2.0 may seem daunting. But, here at Schellman, we’re ready to make it smooth and sustainable, in a way that ensures your security and compliance and establishes a strategic, forward-thinking approach you can carry into the future.
We’ll do this through our streamlined approach that’s designed to address every facet in every phase of your NIST CSF 2.0 implementation, which includes:
- In-Depth Crosswalk Analysis: Our seasoned experts will work with your team to obtain a comprehensive view of your cybersecurity posture before mapping your controls and processes from the CAT’s requirements to the new NIST CSF 2.0 framework, ensuring no risk or control gap is left unaddressed.
- Independent, Unbiased Evaluation: Though there's no requirement that you be assessed for your compliance with the NIST CSF 2.0, when you work with us, our objective evaluation of your efforts to safeguard your organization—with insights free from your internal influences—will further assure your stakeholders and clients of the strength of your cybersecurity posture.
- Customized Assessments: Because we know that every organization’s cybersecurity needs are unique, we don’t settle for a “check the boxes” approach—rather, we tailor our NIST CSF 2.0 assessments to consider your organization’s specific controls, risks, and regulatory requirements.
- Enhanced Overall Compliance and Risk Management: NIST CSF 2.0 supports a holistic view of risk management that enables better resource allocation and prioritization of high-impact areas. Our team can help you align with its guidelines in a way that complements your existing compliance obligations across various standards, so that your cybersecurity program strengthens its risk management through NIST CSF while remaining structured to meet your other compliance requirements.
- Educational Support and Long-Term Strategy Development: As implementing NIST CSF 2.0 isn’t a one-time project—it’s a commitment to continuous improvement—we extend our expertise beyond your initial assessment to educating your team on how to maintain the framework and evolve it to meet emerging challenges.
With our guidance, your organization will make a smooth transition from the FFIEC CAT with minimal disruption. More than that, you’ll also gain our expert insights into critical areas needing improvement, along with a clear roadmap to close any gaps on your road to strengthened cyber resilience.
Future-Proof Your Cybersecurity with NIST CSF 2.0
As cybersecurity risks continue to grow, safeguarding your institution’s assets and reputation with NIST CSF 2.0 is not only wise—it’s essential. As we’ve just explained, with the FFIEC CAT’s sunsetting, many financial institutions should consider adopting this holistic, adaptable cybersecurity framework to maintain and fortify their cybersecurity.
To make that shift easier, consider partnering with Schellman for an independent assessment of your alignment with these guidelines. With our years of expertise and assessment insight, we can help you make your NIST CSF 2.0 journey efficient, effective, and empowering for your team and stakeholders.
If you’d like to speak further on a potential partnership and exactly how we can help provide additional assurances regarding your cybersecurity and keep your organization ahead of cyber threats and regulatory changes, contact us today.
About JEFF SCHIESS
Jeff Schiess is a Managing Director with Schellman. Jeff is focused on governance, risk and compliance (GRC) assessments, including performing System and Organization Controls (SOC 1 and 2) reporting, Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO) 27001, and NIST CSF assessments. Jeff has worked with Fortune 1000 and publicly traded companies across a wide range of industries, including Software-as-a-Service providers, cybersecurity services, data center hosting providers, financial services, insurance claims processing, and information technology.