NIST CSF 2.0 Changes
The evolution to NIST CSF 2.0
The National Institute of Standards and Technology (NIST) published the Cybersecurity Framework 2.0 in February 2024, marking the first major revision since the framework's original release in 2014 and its minor update to version 1.1 in 2018. CSF 2.0 reflects a decade of real-world usage, stakeholder feedback, and lessons learned from the evolving cybersecurity landscape.
The update was driven by several factors: the need to address governance gaps that organizations encountered when implementing the original framework, the expanding scope of cybersecurity risk beyond critical infrastructure, the growing importance of supply chain security, and the desire to improve the framework's usability for organizations of all sizes and maturity levels.
The new Govern function
The most significant structural change in NIST CSF 2.0 is the addition of a sixth core function: Govern (GV). This function elevates cybersecurity governance from a category within the Identify function (ID.GV in CSF 1.1) to a standalone function that underpins all five original functions.
Why governance was elevated
In NIST CSF 1.1, governance was addressed through the Identify function's Governance category (ID.GV). In practice, organizations often treated governance as a secondary concern, focusing on technical controls in the Protect and Detect functions while neglecting the management structures needed to sustain those controls. CSF 2.0 addresses this by making governance an explicit, top-level function that informs and directs all other cybersecurity activities.
Govern function categories
The Govern function includes the following categories:
Organizational context (GV.OC) - Understand the organizational mission, stakeholder expectations, and legal and regulatory requirements that influence cybersecurity risk management. This category ensures that cybersecurity strategy aligns with business objectives.
Risk management strategy (GV.RM) - Establish and communicate the organization's cybersecurity risk management priorities, constraints, risk tolerance, and appetite. This was previously under the Identify function but is now positioned as a governance responsibility, reinforcing that risk management strategy is a leadership decision.
Roles, responsibilities, and authorities (GV.RR) - Define and communicate cybersecurity roles, responsibilities, and authorities across the organization. This includes ensuring that cybersecurity responsibilities are assigned at appropriate levels and that personnel have the authority and resources to fulfill their roles.
Policy (GV.PO) - Establish, communicate, and enforce cybersecurity policies that are informed by the organizational context and risk management strategy. Policies should be reviewed and updated regularly to remain current with evolving threats and business changes.
Oversight (GV.OV) - Use results from cybersecurity risk management activities to inform and adjust the organization's strategy. This creates a feedback loop where operational cybersecurity data informs governance decisions, which in turn shape operational priorities.
Cybersecurity supply chain risk management (GV.SC) - Identify, establish, manage, monitor, and improve supply chain cybersecurity risk management processes. This category was significantly expanded from its position in CSF 1.1 and is discussed in detail below.
Impact on existing programs
Organizations that built their cybersecurity programs around the original five functions will need to restructure their framework profiles to incorporate the Govern function. In many cases, the activities described in the Govern function are already being performed but may not be formally documented or consistently applied. The elevation to a standalone function provides an opportunity to formalize and strengthen governance practices.
Expanded scope beyond critical infrastructure
NIST CSF 1.0 was originally developed under Executive Order 13636 with a primary focus on critical infrastructure sectors (energy, healthcare, financial services, etc.). While it was always available for any organization to use, its framing and examples were oriented toward critical infrastructure.
NIST CSF 2.0 explicitly broadens the framework's intended audience to all organizations, regardless of size, sector, or cybersecurity maturity. This change is reflected in several ways:
- The framework's title dropped "for Improving Critical Infrastructure Cybersecurity" in favor of broader applicability
- Examples and guidance address the needs of small and medium-sized organizations alongside large enterprises
- Implementation guidance recognizes that organizations at different maturity levels need different levels of prescriptiveness
This expanded scope also makes NIST CSF 2.0 more relevant internationally, as organizations outside the United States increasingly adopt the framework as a voluntary standard for cybersecurity risk management.
Enhanced supply chain risk management
Supply chain cybersecurity risk management received significantly more attention in CSF 2.0 compared to its predecessor. The new Govern function includes a dedicated category (GV.SC) with multiple subcategories addressing supply chain risk.
Key supply chain changes
Dedicated governance category - Supply chain risk management is now a governance responsibility with explicit leadership oversight, rather than a technical concern buried within the Identify function.
Expanded subcategories - CSF 2.0 includes specific subcategories for:
- Establishing supply chain risk management strategy and policies
- Integrating supply chain risk into enterprise risk management
- Conducting due diligence on suppliers and third-party partners
- Monitoring supplier cybersecurity practices throughout the relationship lifecycle
- Planning for supply chain disruptions and compromises
- Including cybersecurity requirements in contracts and agreements
Supply chain risk in all functions - Beyond the Govern function, supply chain considerations are woven into the other five functions. For example, the Identify function addresses identifying and prioritizing suppliers, the Protect function covers securing supply chain interactions, and the Respond function addresses responding to supply chain incidents.
Why supply chain focus increased
Several high-profile supply chain attacks (SolarWinds, Kaseya, Log4j) demonstrated that third-party risk is one of the most significant cybersecurity challenges facing organizations. CSF 2.0 reflects the reality that an organization's cybersecurity posture is only as strong as its weakest supply chain link.
Improved implementation guidance
NIST CSF 2.0 introduces significant improvements to help organizations put the framework into practice.
Implementation examples
CSF 2.0 provides implementation examples for each subcategory, offering concrete actions that organizations can take. These examples are not prescriptive requirements but rather illustrative guidance that helps organizations, particularly smaller ones, understand what each subcategory looks like in practice.
For example, under the Protect function's data security category, implementation examples might include encrypting data at rest using AES-256, implementing data loss prevention tools, or classifying data based on sensitivity levels. These examples make the framework more accessible to organizations that lack dedicated compliance teams.
Informative references
NIST CSF 2.0 maintains and expands its catalog of informative references that map the framework to other standards, guidelines, and best practices. These references include mappings to:
- NIST SP 800-53 (Security and Privacy Controls)
- ISO 27001 and ISO 27002
- COBIT
- CIS Controls
- PCI DSS
- HIPAA Security Rule
The informative references are now maintained as a separate, regularly updated resource rather than being embedded in the framework document. This allows mappings to be updated as referenced standards evolve without requiring a new version of the CSF itself. See the mapping to other frameworks topic for practical guidance on using these mappings.
Quick start guides
NIST published companion quick start guides alongside CSF 2.0 to help specific audiences get started:
- A guide for small businesses that simplifies the framework into actionable steps
- A guide for enterprise risk managers that connects CSF 2.0 to enterprise risk management
- A guide for creating and using organizational profiles
- A guide for supply chain risk management
These guides lower the barrier to adoption for organizations that found the original framework document dense or difficult to operationalize.
Updated tiers and profiles
While the implementation tiers (Partial, Risk Informed, Repeatable, Adaptive) remain conceptually the same in CSF 2.0, they have been updated to incorporate the Govern function. Organizations now assess their tier across six functions rather than five, with governance maturity playing a significant role in the overall tier assessment.
Framework profiles in CSF 2.0 also incorporate the Govern function and benefit from improved guidance on how to create, compare, and communicate profiles. The concept of community profiles -- profiles developed by a sector, industry group, or other community to address shared cybersecurity concerns -- is more prominent in CSF 2.0. Community profiles can serve as starting points that individual organizations customize to their specific needs.
Continuous improvement emphasis
CSF 2.0 strengthens the emphasis on continuous improvement throughout the framework. The Govern function's Oversight category (GV.OV) creates an explicit feedback loop between operational cybersecurity activities and governance decisions. This reinforces that cybersecurity is not a project with a defined end state but an ongoing program that must adapt to changing threats, technologies, and business conditions.
The framework now more clearly articulates the cycle of:
- Understanding your current posture (current profile)
- Defining your target posture (target profile)
- Identifying and prioritizing gaps
- Implementing improvements
- Measuring results
- Adjusting strategy based on outcomes (feeding back into governance)
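The current-profile/target-profile/gap step of this cycle, as an added example that is not from NIST or this page: a small gap analysis over CSF 2.0 category IDs using the four tiers named above as an ordinal scale. The Govern category IDs are those listed on this page; the non-Govern IDs and both sample profiles are constructed for illustration.

```python
# Added example (not NIST's tooling): profile gap analysis for CSF 2.0.
# Tier names are the four tiers the page lists, treated as an ordinal scale.
# GV.* category IDs are from the page; PR.DS, DE.CM and RS.MA are assumed
# category IDs used only to show non-Govern gaps, and both profiles are
# constructed sample data, not real organizational assessments.
from dataclasses import dataclass

TIERS = ["Partial", "Risk Informed", "Repeatable", "Adaptive"]


@dataclass(frozen=True)
class Gap:
    category: str   # e.g. "GV.SC"
    function: str   # function prefix, e.g. "GV"
    current: str    # tier in the current profile
    target: str     # tier in the target profile
    steps: int      # number of tier steps between current and target


def tier_index(name: str) -> int:
    """Map a tier name to its ordinal position; an unknown name raises ValueError."""
    return TIERS.index(name)


def gap_analysis(current: dict[str, str], target: dict[str, str]) -> list[Gap]:
    """Return categories where the target tier exceeds the current tier.

    Results are sorted largest gap first; among equal gaps, Govern categories
    come first (the page notes governance maturity weighs heavily in tier
    assessment), then alphabetical. A category present in the target but
    absent from the current profile is treated as Partial, the lowest tier.
    """
    gaps = []
    for cat, want in target.items():
        have = current.get(cat, "Partial")
        steps = tier_index(want) - tier_index(have)
        if steps > 0:
            gaps.append(Gap(cat, cat.split(".")[0], have, want, steps))
    return sorted(gaps, key=lambda g: (-g.steps, g.function != "GV", g.category))


# Constructed sample profiles.
CURRENT_PROFILE = {
    "GV.OC": "Risk Informed", "GV.RM": "Partial", "GV.RR": "Repeatable",
    "GV.PO": "Risk Informed", "GV.OV": "Partial", "GV.SC": "Partial",
    "PR.DS": "Repeatable", "DE.CM": "Risk Informed",
}
TARGET_PROFILE = {
    "GV.OC": "Repeatable", "GV.RM": "Repeatable", "GV.RR": "Repeatable",
    "GV.PO": "Repeatable", "GV.OV": "Repeatable", "GV.SC": "Adaptive",
    "PR.DS": "Repeatable", "DE.CM": "Repeatable", "RS.MA": "Repeatable",
}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g.category}: {g.current} -> {g.target} ({g.steps} step(s))")
```

The sorted output is a prioritized remediation list; feeding the measured results back in as the next current profile closes the loop the page describes under GV.OV.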
Transitioning from CSF 1.1 to 2.0
Organizations currently using NIST CSF 1.1 should plan a structured transition to CSF 2.0:
Assess governance maturity - Evaluate your existing governance practices against the new Govern function. Many organizations will find that they are already performing some governance activities but need to formalize and document them.
Update framework profiles - Rebuild your current and target profiles to incorporate the Govern function's categories and subcategories. This is also an opportunity to refresh your assessments of the original five functions.
Expand supply chain coverage - Review and strengthen your supply chain risk management practices against the expanded GV.SC subcategories. This may require new processes for vendor assessment, contract requirements, and ongoing monitoring.
Leverage new resources - Take advantage of the implementation examples, quick start guides, and updated informative references to fill gaps and improve your program.
Update training and communication - Ensure that stakeholders across the organization understand the changes in CSF 2.0, particularly the elevated importance of governance and supply chain risk management. Executive leadership should understand how the Govern function affects their responsibilities.
NIST CSF 2.0 represents a maturation of the framework that reflects how cybersecurity risk management has evolved over the past decade. Organizations that embrace the updated structure, particularly the Govern function and enhanced supply chain coverage, will be better positioned to manage cybersecurity risk in an increasingly complex threat environment.