NIST CSF Govern Function

A complete guide to the NIST CSF 2.0 Govern function — its six categories (OC, RM, RR, PO, OV, SC), why NIST added it, and how to implement it.
What is the NIST CSF Govern function?

The Govern (GV) function is the newest and arguably most consequential addition to NIST CSF 2.0. It represents a fundamental shift in how NIST wants organizations to think about cybersecurity: not as a technical program owned by IT, but as an enterprise risk discipline owned by the executive team and the board.

In NIST CSF 1.1, governance was a single category, ID.GV, tucked inside the Identify function alongside Asset Management, Business Environment, and Risk Assessment. In practice, that placement contributed to the very problem NIST CSF 2.0 sets out to solve. Organizations treated governance as a box to check during an initial Identify exercise, then drifted into the Protect and Detect functions where the "real" cybersecurity work seemed to happen. Policies went stale, roles and responsibilities stayed vague, supply chain risk was handled reactively, and leadership had no structured way to set cybersecurity priorities or hold the program accountable.

NIST CSF 2.0 fixes that by pulling governance out of Identify and making it a sixth top-level function that informs how the original five are implemented. Govern now frames every other function. It asks: what is the organization's mission? Who are our stakeholders? What is our risk appetite? Who is accountable for cybersecurity outcomes? What policies govern our behavior? How do we oversee our own cybersecurity performance? How do we manage cybersecurity risk in our supply chain?

Govern is where cybersecurity strategy is made. Identify, Protect, Detect, Respond, and Recover are where that strategy is executed.

Why NIST added the Govern function

NIST spent more than a year gathering feedback from thousands of stakeholders before publishing NIST CSF 2.0. The feedback about governance was strikingly consistent:

  • Executives did not know how to translate cybersecurity risk into business decisions.
  • Boards were under growing regulatory pressure (SEC cybersecurity disclosure rules, state-level privacy laws, DORA in the EU) to demonstrate cybersecurity oversight, but the original NIST CSF gave them little to oversee.
  • Supply chain attacks, among them SolarWinds, Kaseya, Log4j, and MOVEit, exposed the limits of treating third-party risk as a single category inside Identify (ID.SC in CSF 1.1).
  • Mature organizations told NIST that their real differentiator was not a specific tool or control; it was the governance fabric that made every other control stick.

By elevating governance, NIST acknowledged that cybersecurity programs more often fail at the top than at the bottom. The Govern function gives leadership an explicit mandate and gives practitioners a structured way to request the executive engagement that mature programs require.

The six categories of the Govern function

The Govern function contains six categories. Each category has several subcategories expressed as outcome statements. Below is a concise map.

  Category                                       ID     Focus
  Organizational Context                         GV.OC  Mission, stakeholders, legal and regulatory requirements, critical dependencies
  Risk Management Strategy                       GV.RM  Risk appetite, risk tolerance, risk assumptions, and cybersecurity strategy
  Roles, Responsibilities, and Authorities       GV.RR  Defined cybersecurity roles, accountability, resources, and performance
  Policy                                         GV.PO  Cybersecurity policies, standards, and procedures that guide the program
  Oversight                                      GV.OV  Monitoring and adjusting the strategy based on performance data
  Cybersecurity Supply Chain Risk Management     GV.SC  Third-party, supplier, and software supply chain cybersecurity risk

Organizational Context (GV.OC)

GV.OC sets the frame for everything else. It requires the organization to understand its own mission, stakeholders, objectives, legal and regulatory obligations, and the critical dependencies that must be protected. An e-commerce company, a hospital network, and a defense contractor will have radically different organizational contexts, and therefore radically different cybersecurity priorities. Without a documented GV.OC, cybersecurity decisions devolve into generic best-practice lists disconnected from business reality.

Risk Management Strategy (GV.RM)

GV.RM moves risk management strategy from its former home in the Identify function (ID.RM) to the Govern function. The shift is both symbolic and operational: risk appetite, risk tolerance, and the overall cybersecurity risk strategy are governance decisions, not operational ones. GV.RM requires leadership to articulate how much cybersecurity risk the organization is willing to accept, how that risk aligns with business objectives, and how risk decisions will be documented.

Roles, Responsibilities, and Authorities (GV.RR)

GV.RR formalizes the organizational structure of cybersecurity accountability. It requires clear assignment of cybersecurity roles — CISO, security engineers, IT operations, HR, legal, internal audit — and defines the authority each role has to make decisions, commit resources, and enforce policy. GV.RR also covers cybersecurity performance management: how the organization reviews cybersecurity talent, rewards strong performance, and addresses gaps.

Policy (GV.PO)

GV.PO governs the cybersecurity policy library itself. Policies must be established, communicated, enforced, and periodically updated. GV.PO asks whether the organization's cybersecurity policies are current, whether employees actually read and follow them, and whether policy exceptions are logged and reviewed. A dusty policy PDF nobody has read since onboarding fails GV.PO even if it technically exists.

Oversight (GV.OV)

GV.OV creates the feedback loop between operational cybersecurity activity and executive decision-making. It requires that the results of cybersecurity activities — incidents, audit findings, risk assessments, control performance — feed back into the risk management strategy and are used to adjust priorities, investments, and policies. Without GV.OV, Govern becomes a one-time documentation exercise instead of a living management system.

Cybersecurity Supply Chain Risk Management (GV.SC)

GV.SC is where NIST CSF 2.0 confronts the modern reality that most organizations' biggest cybersecurity exposures are not in their own infrastructure but in their suppliers, software vendors, managed service providers, and open-source dependencies. GV.SC covers supplier due diligence, contractual cybersecurity requirements, ongoing monitoring of supplier cybersecurity posture, and contingency plans for supplier disruption. GV.SC is one of the largest category expansions in NIST CSF 2.0.

Implementation guidance

A pragmatic path to implementing the Govern function looks like this:

  1. Draft a one-page organizational context statement. Capture mission, critical services, key stakeholders, and top regulatory obligations. This becomes the seed document for GV.OC.
  2. Have leadership sign off on a risk appetite statement. Two or three sentences that describe how much cybersecurity risk the organization is willing to take, expressed in business terms. This anchors GV.RM.
  3. Publish a cybersecurity RACI. Who is responsible, accountable, consulted, and informed for each major cybersecurity activity? This anchors GV.RR.
  4. Take inventory of policies. List every cybersecurity-related policy, its owner, its last review date, and its next review date. Retire policies that are redundant. This anchors GV.PO.
  5. Establish a recurring oversight cadence. Monthly or quarterly, leadership reviews cybersecurity metrics, incidents, risks, and initiative progress. This anchors GV.OV.
  6. Build a third-party risk program. Start with a vendor inventory, tier vendors by criticality, and implement due diligence for the top tier. This anchors GV.SC.

Govern does not require a massive investment up front. It requires a small amount of leadership discipline applied consistently over time.

Common challenges

The Govern function is simple in concept and difficult in practice. Organizations running into trouble with Govern typically hit one or more of the following walls:

  • Executive disengagement. Govern demands executive attention. If the CEO or board treats cybersecurity as an IT problem, Govern will stall. The fix is structural — schedule standing cybersecurity reviews, tie executive incentives to cybersecurity outcomes, and brief the board with the language of business risk.
  • Policy sprawl. Many organizations have dozens of overlapping policies nobody reads. GV.PO fails when policies are written for auditors rather than employees. Consolidate, simplify, and translate into the everyday language employees use.
  • Supplier opacity. GV.SC requires visibility into suppliers you may not fully control. Start with the critical few, get contractual rights to audit and monitor, and add more suppliers over time.
  • Siloed risk programs. Govern often duplicates work already happening in enterprise risk management, internal audit, or legal. Integrate rather than re-create. GV.RM should draw from the enterprise risk register, not a parallel one.
  • Metrics without meaning. GV.OV only works if the metrics tell leadership something decision-relevant. Replace vanity metrics (patches installed, tickets closed) with outcome metrics (time to detect, time to recover, risk-adjusted loss).

How episki helps

episki was built to operate the Govern function as a living system rather than a static binder. Organizational context, risk appetite, roles and responsibilities, policies, oversight cadence, and supplier risk are first-class objects in episki, linked to the underlying NIST CSF subcategories and to every other framework the organization cares about. Policy reviews, supplier re-assessments, and oversight meetings become scheduled workflows with owners, due dates, and audit-ready evidence. Leadership sees a real-time Govern scorecard; practitioners see the concrete initiatives that roll up to it.

Ready to operationalize the NIST CSF Govern function without the binder? Start a trial or book a demo and share a Govern function scorecard with your leadership team the same day.
