The CSF 2.0 FAQ

Have questions about CSF 2.0? NIST has a CSF 2.0 FAQ, one of the hidden gems from the recent launch. It already answers the two questions I'm personally hearing:

1. What's changed in the CSF Core from 1.1 to 2.0? The top of the FAQ summarizes the major changes. It also provides pointers to three forms of a crosswalk between 1.1 and 2.0. My personal favorite of the three is the one here: https://csrc.nist.gov/extensio... That will generate you a spreadsheet containing the CSF 2.0 Core, Implementation Examples, and Informative References, which include the 1.1/2.0 crosswalk entries. As NIST releases more CSF 2.0 crosswalks and mappings, such as for NIST SP 800-53r5, they'll be added as new Informative References when you regenerate the spreadsheet.

2. Why are there gaps in the numbering for the CSF 2.0 Subcategories? The gaps are intentional. Each gap indicates a CSF 1.1 Subcategory that was not carried over to CSF 2.0. The contents of those Subcategories were merged into other Subcategories. Wherever you see the same Subcategory identifiers used in 1.1 and 2.0, you'll know that the Subcategory has largely stayed the same. If there were major changes to a 1.1 Subcategory, it won't have the same ID in 2.0. Reusing identifiers could have caused a lot of confusion. Unfortunately, *not* reusing identifiers has inadvertently caused confusion.

NIST's CSF 2.0 FAQ has lots of other handy info, and I strongly recommend checking it out if you'll be using the CSF.

Send me your high-level CSF 2.0 questions, and I'll do my best to answer them in my future blog posts.