In February 2026, the New York State Board of Regents adopted amendments to Part 121 of the Commissioner’s Regulations. These amendments require educational agencies to align their data security and privacy policies with the NIST Cybersecurity Framework (CSF) Version 2.0 by September 1, 2026.
As a result, school districts and BOCES must begin transitioning their policies from alignment with NIST CSF 1.1 to NIST CSF 2.0.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a nationally recognized framework that helps organizations identify, assess, and manage cybersecurity risk. It supports the development of technical, administrative, and procedural controls that protect sensitive data and ensure the reliability and resilience of technology systems.
For New York’s K–12 community, the NIST Cybersecurity Framework serves as a foundational tool that supports districts and BOCES in developing, implementing, and maintaining data security and privacy policies, practices, and plans, as required by Education Law §2‐d and Part 121.
NIST CSF 2.0 organizes cybersecurity activities into six core functions that help education organizations manage risk, protect data, and strengthen system reliability and resilience.
GOVERN (GV) - NEW IN CSF 2.0: Establish and oversee cybersecurity strategy, policy, and risk management.
IDENTIFY (ID): Understand assets, risks, and organizational cybersecurity posture.
PROTECT (PR): Implement safeguards to reduce cybersecurity risk and impact.
DETECT (DE): Identify and analyze potential cybersecurity threats and incidents.
RESPOND (RS): Contain, manage, and communicate cybersecurity incidents.
RECOVER (RC): Restore operations and assets after cybersecurity incidents.
WHY THE GOVERN FUNCTION MATTERS
The addition of the Govern function reinforces that cybersecurity is a shared responsibility across the school community. Administration, technology teams, data system managers, teachers, and support personnel all have a role to play, working together to protect student information and ensure the reliability of instructional and operational technology.