What Changed in CSF 2.0?

A decade after its 2014 debut as the de facto standard for cybersecurity risk management, NIST's Cybersecurity Framework has received its most significant overhaul. Released on 26 February 2024, CSF 2.0 broadens the framework's intended audience, restructures the Core functions, and updates the informative references and supporting guidance to reflect the threat landscape facing both private and public sector organizations.

The headline change is the addition of a sixth core function: Govern. The original framework covered Identify, Protect, Detect, Respond, and Recover. Much of Govern's content was previously scattered under Identify in CSF 1.1 (business environment, governance, risk management strategy, and supply chain risk management); pulling it into its own function makes the point that cybersecurity is fundamentally a business risk management issue, one that requires executive-level oversight, policy, and organizational accountability.

The Six Core Functions

1. Govern (New)

The Govern function establishes the context and priorities that inform how an organization manages cybersecurity risk. Its six categories are Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles, Responsibilities, and Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV), and Cybersecurity Supply Chain Risk Management (GV.SC). For many organizations, this means formalizing what was previously informal: getting cybersecurity strategy documented, approved by leadership, and aligned to business objectives.

2. Identify

Identify is narrower than in CSF 1.1 because supply chain risk management moved from ID.SC into Govern (GV.SC) and governance-related categories moved with it. What remains is Asset Management (ID.AM), Risk Assessment (ID.RA), and a new Improvement category (ID.IM) that folds in the lessons-learned activities 1.1 spread across Protect, Respond, and Recover. Asset Management now expects inventories of software, services, and systems as well as hardware, so organizations should ensure their inventories are comprehensive and include cloud services and third-party dependencies (a software bill of materials (SBOM) is one practical way to capture the latter).

3–6. Protect, Detect, Respond, Recover

These four functions keep their names but their categories were reorganized. Protect now comprises Identity Management, Authentication, and Access Control (PR.AA), Awareness and Training (PR.AT), Data Security (PR.DS), Platform Security (PR.PS), and Technology Infrastructure Resilience (PR.IR). Detect is consolidated into Continuous Monitoring (DE.CM) and Adverse Event Analysis (DE.AE). Respond and Recover are organized around incident management, analysis, mitigation, and communication (RS.MA, RS.AN, RS.CO, RS.MI, RC.RP, RC.CO). Alongside the Core, NIST published informative references that map each subcategory to NIST SP 800-53 Rev. 5 and other standards, plus implementation examples that give concrete actions for each outcome.

Key Takeaway: The most impactful addition in CSF 2.0 is the Govern function. Organizations that treat cybersecurity as purely a technical discipline — rather than a business risk issue — will need to rethink how leadership engages with their security program.

Expanded Scope Beyond Critical Infrastructure

CSF 1.0 was originally designed for critical infrastructure sectors. CSF 2.0 explicitly broadens its applicability to all organizations, regardless of size, sector, or maturity level. This is a significant shift — it signals that NIST intends the framework to serve as a universal language for cybersecurity risk management across commercial enterprises, nonprofits, and government entities alike.

For organizations that have not yet formally adopted CSF, this is a good time to start. Even a lightweight mapping of current controls to the six core functions will reveal meaningful gaps and provide a structured roadmap for improvement.

Implementation Tiers: A Clarified Mental Model

CSF 2.0 clarifies that the four implementation tiers (Partial, Risk Informed, Repeatable, Adaptive) are not maturity levels in the traditional sense. They characterize the rigor of an organization's cybersecurity risk governance and management practices and how well those are integrated into enterprise risk management. An organization doesn't need to be at Tier 4 to be well-protected; the right tier depends on the organization's risk appetite, threat environment, and resources, and is recorded as part of its Profiles.

Profiles and Community Profiles

CSF 2.0 distinguishes Organizational Profiles (an organization's own Current and Target Profiles) from Community Profiles: a baseline of CSF outcomes created and published to address the shared interests of a group of organizations, such as a sector, a technology, or a common threat. Community Profiles may be developed by industry groups, regulators, NIST, or some combination of these. Where one exists for healthcare, finance, defense, or another regulated sector, it gives organizations a starting Target Profile that already reflects sector-specific compliance expectations.

NIST has already published Community Profiles for specific environments (for example, NIST IR 8473, a profile for electric vehicle extreme fast charging infrastructure in the electricity sector) as well as guidance on how to create a Community Profile. Organizations should monitor NIST's CSF 2.0 resource library for profiles relevant to their industry.

What Federal Contractors Need to Know

For organizations subject to FISMA, FedRAMP, or CMMC, CSF 2.0 won't replace those specific compliance requirements. However, the updated framework's informative references map its subcategories to NIST SP 800-53 Rev. 5, which underpins FISMA and FedRAMP directly and CMMC indirectly (SP 800-171 is derived from the SP 800-53 moderate baseline). Mapping your CSF 2.0 Organizational Profile to SP 800-53 controls will help ensure that your compliance programs work together rather than in silos.

DoD contractors pursuing CMMC Level 2 should note that its requirements are the 110 security requirements of NIST SP 800-171, which in turn are derived from the SP 800-53 Moderate baseline. Adopting CSF 2.0's Govern function supports the documented policies, roles, risk assessments, and system security plan that an SP 800-171 assessment expects to see in place rather than reconstructed for the audit.

Practical Steps to Adapt Your Security Program

  1. Conduct a gap analysis against CSF 2.0. Map your current controls to the updated subcategories, paying particular attention to the new Govern function categories.
  2. Engage executive leadership. The Govern function requires documented risk management strategy, roles, and oversight. This can't be delegated entirely to the IT or security team.
  3. Update your Organizational Profiles. If you already have Current and Target Profiles in place, refresh them to reflect the six-function structure and the renumbered categories and subcategories relevant to your organization.
  4. Review supply chain risk management practices. CSF 2.0 places significantly more emphasis on third-party and supply chain risk and moves it under Govern. Ensure your vendor risk management program addresses the outcomes in the GV.SC category.
  5. Monitor for Community Profiles. Watch for NIST-published profiles for your sector, which may become de facto compliance baselines over time.
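Steps 1 and 3 above come down to a mapping exercise: list each existing control, tag it with the CSF 2.0 categories it supports, and see which categories are left with nothing behind them. The script below is an added example, not NIST material or part of the original post. The function and category IDs are taken from the CSF 2.0 Core; the control inventory and the small CSF 1.1 remapping table are constructed for illustration (control names loosely follow SP 800-53 families, and only four of the retired 1.1 categories are listed).

```python
"""Added example: a minimal CSF 2.0 gap analysis over a tagged control list."""
from collections import defaultdict

# CSF 2.0 Core: six Functions and their 22 Categories.
CSF2_CATEGORIES = {
    "GV": ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"],
    "ID": ["ID.AM", "ID.RA", "ID.IM"],
    "PR": ["PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR"],
    "DE": ["DE.CM", "DE.AE"],
    "RS": ["RS.MA", "RS.AN", "RS.CO", "RS.MI"],
    "RC": ["RC.RP", "RC.CO"],
}

# A few CSF 1.1 category IDs and where their content landed in 2.0, so a
# profile that still cites the old IDs gets a remap hint instead of being
# silently counted as coverage. (Illustrative subset, not the full crosswalk.)
RETIRED_1_1 = {
    "ID.BE": "GV.OC",
    "ID.RM": "GV.RM",
    "ID.SC": "GV.SC",
    "PR.AC": "PR.AA",
}

# Constructed control inventory for a hypothetical organization. Each control
# is tagged with the CSF 2.0 categories it supports.
SAMPLE_CONTROLS = {
    "AC-2 account management": ["PR.AA"],
    "AT-2 security awareness training": ["PR.AT"],
    "SC-28 protection of data at rest": ["PR.DS"],
    "CM-6 configuration settings": ["PR.PS"],
    "SI-4 system monitoring": ["DE.CM", "DE.AE"],
    "IR-4 incident handling": ["RS.MA", "RS.AN", "RS.MI"],
    "IR-6 incident reporting": ["RS.CO"],
    "CP-10 system recovery": ["RC.RP"],
    "CM-8 system component inventory": ["ID.AM"],
    "RA-3 risk assessment": ["ID.RA"],
    "SR-3 supply chain controls": ["ID.SC"],  # still tagged with the 1.1 ID
}


def analyze(controls, categories=CSF2_CATEGORIES, retired=RETIRED_1_1):
    """Return (per-function coverage report, list of tagging issues).

    A category counts as covered when at least one control is tagged with it.
    Tags that use a retired CSF 1.1 ID or an unknown ID are reported as issues
    and never count as coverage.
    """
    valid = {c for cats in categories.values() for c in cats}
    supporting = defaultdict(list)
    issues = []
    for control, cats in controls.items():
        for cat in cats:
            if cat in valid:
                supporting[cat].append(control)
            elif cat in retired:
                issues.append(f"{control}: {cat} is a CSF 1.1 ID; remap to {retired[cat]}")
            else:
                issues.append(f"{control}: unknown category {cat}")
    report = {}
    for function, cats in categories.items():
        missing = [c for c in cats if c not in supporting]
        report[function] = {
            "covered": len(cats) - len(missing),
            "total": len(cats),
            "missing": missing,
        }
    return report, issues


def print_report(report, issues):
    """Print one line per Function plus any tagging issues."""
    for function, r in report.items():
        gaps = ", ".join(r["missing"]) or "none"
        print(f"{function}: {r['covered']}/{r['total']} categories covered; gaps: {gaps}")
    for issue in issues:
        print("NOTE:", issue)


if __name__ == "__main__":
    print_report(*analyze(SAMPLE_CONTROLS))
```

On the sample inventory the report shows Govern with zero of six categories covered, which is the typical picture for a program that was built around CSF 1.1's technical functions, and it flags the supply chain control that is still tagged with the retired ID.SC so it can be remapped to GV.SC rather than leaving Govern looking emptier than it is. Replace SAMPLE_CONTROLS with an export of your own control inventory to get a first-cut Current Profile; the missing lists are the starting point for the Target Profile.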

Need help adapting to NIST CSF 2.0?

Our team can conduct a CSF 2.0 gap analysis and help you build a roadmap that satisfies both the framework and your specific regulatory obligations.
