NIST Releases Updated Cybersecurity Framework 2.1
The National Institute of Standards and Technology (NIST) has published Cybersecurity Framework (CSF) 2.1, the latest update to its widely adopted cybersecurity risk management framework.
Key Changes in CSF 2.1
New "Adapt" Function
CSF 2.1 introduces a seventh core function, Adapt, alongside the existing Govern, Identify, Protect, Detect, Respond, and Recover. The new function covers organizational learning and continuous improvement as the threat landscape evolves.
Enhanced Supply Chain Guidance
The update significantly expands supply chain risk management (SCRM) guidance to cover:
- Supplier risk tiering, with measurement criteria for assigning tiers
- Integration of Software Bills of Materials (SBOMs) into supplier and component risk assessment
- Continuous monitoring of third-party risk posture rather than point-in-time assessment
- Incident notification clauses in supplier agreements
AI & Emerging Technology Considerations
New subcategories address risks arising from AI systems, including:
- AI model integrity and training data security
- Automated decision-making governance
- AI-specific incident response procedures
Who Is Affected
While the framework remains voluntary, CSF 2.1 is expected to influence:
- Federal agencies (under the executive order that succeeds EO 14028)
- Critical infrastructure operators
- Organizations subject to SEC cybersecurity disclosure rules
- Any entity using CSF as a risk management foundation
Next Steps
Organizations currently aligned to CSF 2.0 should begin a gap analysis against the 2.1 outcomes, paying particular attention to the new Adapt function and the expanded supply chain and AI subcategories, since those are where existing 2.0 mappings will not carry over. NIST is providing a free online mapping tool to help with transition planning.