What It Is

NIST Cybersecurity Framework 2.0 (CSF 2.0) is a voluntary, risk-based guideline for managing cybersecurity risks. Developed by NIST, it provides a flexible structure applicable to organizations of all sizes and sectors, emphasizing outcomes over prescriptive controls.

Key Components

• **Six Core FunctionsGovern (new), Identify, Protect, Detect, Respond, Recover—organized into categories (22 total) and subcategories (112).
• **Implementation TiersFour levels (Partial to Adaptive) for assessing risk management sophistication.
• **Framework ProfilesCurrent vs. Target for gap analysis.
• No formal certification; self-attestation and mappings to standards like ISO 27001.

Why Organizations Use It

Enhances risk communication, prioritizes efforts cost-effectively, demonstrates due care, and builds stakeholder trust. Supports compliance (mandatory for U.S. federal), supply chain management, and strategic governance.

Implementation Overview

Start with Current Profile assessment, identify gaps, prioritize via Tiers. Involves policy development, training, monitoring. Suited globally; quick starts for SMEs via templates, scalable for enterprises. No audits required, but tooling accelerates adoption.

What It Is

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a state regulation granting California residents rights over their personal information handled by businesses. Its primary purpose is to protect consumer privacy through control over data collection, use, sale, and sharing. It uses a rights-based, threshold-driven approach targeting for-profit entities doing business in California.

Key Components

• Consumer rights: know/access, delete, opt-out sale/sharing, correct inaccuracies, limit sensitive PI
• Obligations: notices at collection, privacy policies, DSAR workflows (45-90 days), vendor contracts, security
• Principles: data minimization, non-discrimination, reasonable verification
• Enforcement model: CPPA/AG fines ($2,500-$7,500/violation), private breach actions

Why Organizations Use It

• Mandatory for businesses over thresholds ($25M revenue, 100K+ CA data subjects)
• Mitigates fines, litigation, reputational risks
• Enhances trust, data governance, efficiency, GDPR alignment
• Competitive edge via privacy differentiation

Implementation Overview

• Phased: assess/gap analysis (0-3 mo), policies/contracts (1-4 mo), tech/security (2-6 mo), train/operationalize, audit
• All sizes/industries handling CA data; no certification, ongoing self-audits/documentation (178 words)