Released February 26, 2024, the NIST Cybersecurity Framework version 2.0 is the most significant update to the framework in its 11-year history. It added a new function, expanded its scope from critical infrastructure to every organization, and deepened its focus on governance and supply chain risk. Here's what it is, how it works, and why it matters to your organization.
The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology that gives organizations a structured way to manage cybersecurity risk. It is organized around outcomes, not prescriptive technical controls, which is what makes it broadly applicable across industries, sizes, and technical maturity levels.
CSF 2.0 organizes those outcomes into 6 Functions, which break down into Categories, which break down further into Subcategories. Each subcategory describes a specific security outcome an organization should aim to achieve. The framework does not tell you exactly how to achieve it; it tells you what good looks like, and you determine how to get there based on your environment and risk tolerance.
This is what separates CSF from frameworks like NIST SP 800-171 or PCI DSS. Those are prescriptive: do these specific things. CSF is outcome-based: achieve these results, by whatever means fit your organization.
CSF 2.0 is not a regulation. No law requires private-sector organizations to adopt it. But it is referenced by cyber insurance underwriters, used as a baseline in federal procurement, and increasingly expected in enterprise vendor risk assessments. "Voluntary" does not mean irrelevant.
The original NIST Cybersecurity Framework was published in February 2014, created at the direction of Executive Order 13636, which directed NIST to work with the private sector to develop a framework for reducing cybersecurity risk to critical infrastructure. The initial release targeted sectors like energy, water, financial services, and communications.
CSF 1.1 followed in April 2018, with relatively modest updates: better supply chain risk management language, a new section on self-assessment, and clarifications to several categories. The core structure, five functions (Identify, Protect, Detect, Respond, Recover), remained unchanged.
By 2022, it was clear that a more substantial revision was needed. The threat landscape had shifted dramatically, software supply chain attacks (SolarWinds, Log4Shell) had become front-page news, and organizations of all sizes were using the framework, not just critical infrastructure operators. NIST launched a public revision process in 2022, collected thousands of comments, and released CSF 2.0 on February 26, 2024.
The most visible change in CSF 2.0 is the addition of a sixth function: Govern. The original five functions focused on technical and operational activities. Govern addresses the organizational foundation that makes everything else work: leadership commitment, risk strategy, accountability structures, and policies.
- Govern (GV): The organizational context and governance that enables all other cybersecurity activities. Covers organizational context, risk management strategy, roles and responsibilities, policy, oversight, and supply chain risk management. This is the "who owns this and why does it matter" function.
- Identify (ID): Understand your assets, risks, and business context. Asset management, risk assessment, risk management strategy, and improvement planning. You cannot protect what you do not know exists.
- Protect (PR): Implement safeguards to limit the impact of a cybersecurity event. Identity management, awareness training, data security, platform security, and technology infrastructure resilience.
- Detect (DE): Develop the ability to identify cybersecurity incidents when they occur. Continuous monitoring, adverse event analysis, and detection processes. The faster you detect, the less damage an incident causes.
- Respond (RS): Take action when an incident is detected. Incident management, incident analysis, incident response reporting and communication, and incident mitigation. Having a plan matters more than the plan being perfect.
- Recover (RC): Restore impacted capabilities and services after a cybersecurity incident. Incident recovery plan execution and communication. How quickly you can return to normal operations determines the real business impact of any breach.
Each function is given a two-letter identifier (GV, ID, PR, DE, RS, RC) that flows into the category and subcategory naming convention. For example, GV.OC refers to the Organizational Context category within Govern. GV.OC-01 through GV.OC-05 are the specific subcategory outcomes within that category.
The CSF 2.0 core is organized as a three-level hierarchy:
- Functions: the six top-level groupings (GV, ID, PR, DE, RS, RC).
- Categories: groups of related outcomes within a function, such as GV.OC.
- Subcategories: the 106 individual outcome statements, such as GV.OC-01.
The framework document also provides Informative References for each subcategory, mapping CSF outcomes to specific controls in other frameworks like NIST SP 800-53, ISO/IEC 27001, CIS Controls, and COBIT. This mapping is what makes CSF useful as a translation layer between different compliance requirements.
CSF 2.0 has 106 subcategories, not 110. Organizations sometimes conflate it with NIST SP 800-171 (which has 110 requirements). They are different documents. SP 800-171 is a specific set of security requirements for protecting CUI. CSF 2.0 is a broader governance framework. SP 800-171 requirements map to CSF subcategories, but they are not the same thing.
| Dimension | CSF 1.1 | CSF 2.0 |
|---|---|---|
| Functions | 5 (ID, PR, DE, RS, RC) | 6 (GV added) |
| Target audience | Critical infrastructure | All organizations, all sizes |
| Supply chain | Limited (ID.SC) | Dedicated GV.SC category |
| Profiles | Basic concept introduced | Enhanced with Current/Target distinction |
| Subcategories | 108 | 106 (restructured) |
| Framework alignment | Informative references | Expanded, includes newer frameworks |
| Small business resources | Minimal | Dedicated quick-start guide published |
The addition of Govern is the most strategically significant change in CSF 2.0, and it is worth spending time on because it reflects a broader shift in how the security industry thinks about program maturity.
CSF 1.1 was implicitly bottom-up: identify your assets, protect them, detect problems, respond and recover. This is a technically solid cycle, but it misses the organizational prerequisites that make any of it sustainable. Who decided the risk tolerance? Who is accountable when something goes wrong? Is cybersecurity funded adequately? Does the board understand what it is approving?
These questions are not technical; they are governance questions. And in organization after organization, the answer to all of them is "unclear." Govern exists to address that directly.
The GV function contains six categories:
- GV.OC: Organizational Context
- GV.RM: Risk Management Strategy
- GV.RR: Roles, Responsibilities, and Authorities
- GV.PO: Policy
- GV.OV: Oversight
- GV.SC: Cybersecurity Supply Chain Risk Management
GV.SC deserves particular attention. Supply chain risk management was a known weakness in CSF 1.1. The SolarWinds breach in 2020 demonstrated exactly how devastating a compromised supplier can be, and CSF 2.0 responded with a dedicated supply chain category that addresses supplier selection, contract requirements, supplier monitoring, and incident response coordination with third parties.
One of the most practical CSF 2.0 improvements is the enhanced Profiles concept. A CSF Profile is a structured description of cybersecurity outcomes aligned to the framework categories, specific to your organization's priorities, risk tolerance, and resources.
CSF 2.0 formalizes the distinction between two profile types:
- Current Profile: the outcomes your organization achieves today.
- Target Profile: the outcomes your organization has decided it needs to achieve, given its risk tolerance and priorities.
The gap between your Current Profile and Target Profile is your prioritized work list. This is far more useful than a generic checklist because it forces you to be explicit about your risk decisions: you might decide that certain subcategories are not relevant to your business model, or that others require immediate attention because of a specific threat or regulatory requirement.
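One way to turn the Current/Target gap into a prioritized work list, as an added example that is not from NIST or from this page: the 0-4 self-assessment scores, the priority weights and the profile entries are constructed sample values, and the subcategory IDs follow the GV.OC-01 naming convention described earlier.

```python
"""Current-vs-Target Profile gap analysis for CSF 2.0 outcomes (added example)."""
import re
from dataclasses import dataclass

# Matches the CSF 2.0 ID pattern: two-letter function, two-letter category, two-digit index.
SUBCATEGORY_ID = re.compile(r"^(?P<function>[A-Z]{2})\.(?P<category>[A-Z]{2})-(?P<index>\d{2})$")
FUNCTIONS = {"GV", "ID", "PR", "DE", "RS", "RC"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    priority: int  # constructed weighting: 1 (low) to 3 (high)

    @property
    def distance(self) -> int:
        return self.target - self.current


def parse_subcategory(sub_id: str) -> tuple:
    """Split 'GV.OC-01' into ('GV', 'OC', 1); reject IDs that do not fit the convention."""
    m = SUBCATEGORY_ID.match(sub_id)
    if not m or m["function"] not in FUNCTIONS:
        raise ValueError(f"not a CSF 2.0 subcategory identifier: {sub_id!r}")
    return m["function"], m["category"], int(m["index"])


def profile_gaps(current: dict, target: dict, priority: dict) -> list:
    """Return the work list: outcomes where the Target Profile exceeds the Current one.

    Scores are 0-4 self-assessment values on a constructed scale. Outcomes the
    organization has decided are not applicable are simply absent from the
    Target Profile and are skipped, which records that risk decision explicitly.
    The list is sorted by priority, then by how far the current score is behind.
    """
    gaps = []
    for sub_id, want in target.items():
        parse_subcategory(sub_id)  # validate the identifier before using it
        have = current.get(sub_id, 0)
        if want > have:
            gaps.append(Gap(sub_id, have, want, priority.get(sub_id, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, -g.distance, g.subcategory))


# Constructed sample profiles covering a handful of outcomes.
CURRENT = {"GV.OC-01": 2, "GV.SC-01": 0, "ID.AM-01": 3, "DE.CM-01": 1}
TARGET = {"GV.OC-01": 3, "GV.SC-01": 3, "ID.AM-01": 3, "DE.CM-01": 3}
PRIORITY = {"GV.SC-01": 3, "DE.CM-01": 2}

if __name__ == "__main__":
    for g in profile_gaps(CURRENT, TARGET, PRIORITY):
        print(f"{g.subcategory}: {g.current} -> {g.target} (priority {g.priority})")
```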
NIST also published a set of Community Profiles in 2024, including templates for small businesses, enterprise IT environments, and specific sectors. These give organizations a starting point rather than building a profile from scratch.
CSF 2.0 retains the four-tier maturity model from earlier versions:
- Tier 1: Partial
- Tier 2: Risk Informed
- Tier 3: Repeatable
- Tier 4: Adaptive
The tiers describe your overall program maturity, not your performance against any specific subcategory. Most small and mid-size organizations operate at Tier 1 or Tier 2. Tier 3 is a realistic target for organizations with a dedicated security function. Tier 4 is primarily achieved by large enterprises with mature security operations centers and continuous monitoring programs.
Higher tiers are not always the goal. NIST explicitly states that not every organization needs to reach Tier 4. The appropriate tier depends on your industry, threat exposure, regulatory requirements, and business risk tolerance. A small accounting firm and a defense contractor have very different appropriate targets.
CSF 2.0 is designed to integrate with, not replace, other frameworks and regulations. NIST publishes crosswalk mappings that show how CSF subcategories align to controls in:
- NIST SP 800-53
- NIST SP 800-171
- ISO/IEC 27001
- CIS Controls
- COBIT
In practice, CSF 2.0 is most useful as a communication and governance layer on top of more prescriptive frameworks. If you are CMMC-bound, you implement SP 800-171 requirements because your contract requires it. You use CSF to communicate your security program status to executives, customers, and insurers in language they understand.
The CSF 2.0 document states explicitly that the framework is intended for "organizations in any sector or community." This is a deliberate expansion from CSF 1.1's critical infrastructure focus. In practice, CSF 2.0 is most relevant to:
Understanding the framework is step one. Here's how to actually implement each of the six functions - practical breakdowns of every category, common mistakes, and what evidence looks like in practice.
Mapping your security program to CSF 2.0 starts with having the right policy and procedure foundation in place. Our NIST CSF 2.0 Complete Kit gives you professionally written, framework-aligned policies covering all six functions - Govern, Identify, Protect, Detect, Respond, and Recover - plus an Organizational Profile template to track your current and target states. Everything you need to stand up a documented CSF 2.0 program, bundled at one price.