NIST Cybersecurity Framework 2.0: What Changed And Why It Matters 

NIST CSF 2.0 is the first major overhaul of the framework in a decade. We break down the key changes, from the Govern function to supply chain risk, and why they matter for CISOs.

Last updated on Jun 4, 2026

The National Institute of Standards and Technology’s Cybersecurity Framework 2.0 is a voluntary, risk-based framework designed to help organizations of all sizes and in all sectors manage their cybersecurity risk.

The original NIST framework was launched in 2014 and has been guiding CISOs in their approach to managing risk and reporting to the board ever since. The framework remained largely static until 2024, when the guidance was reviewed and updated.

In CSF 2.0, the change was more than cosmetic. The scope of the framework has widened to bring a broader range of organizations under NIST’s remit. Another key strategic development is moving cybersecurity from the periphery to the center of the conversation. Cybersecurity is not an afterthought but must be at the center of all the decisions you make.

In this article, we’ll explore what NIST CSF 2.0 looks like in practice, and what this means for your organization.

What is NIST CSF?

The NIST CSF is a voluntary, risk-based framework that provides organizations with a shared language to understand, assess, prioritize, and talk about cybersecurity risk. It doesn’t tell you which solutions your organization needs; it describes the outcomes that a strong security program should deliver and what you should be mindful of. The framework leaves the implementation to you.

It was precisely this flexibility that drove the CSF’s adoption. Rather than forcing organizations to adopt measures that weren’t relevant to them, it allows organizations to do what’s best for them. Since its inception, the CSF has been referenced by numerous public and private sector organizations, and it acts as the backbone for many auditing, reporting, and due diligence processes.

The NIST framework was originally published in 2014 in response to a White House executive order, with a modest revision in 2018 that became version 1.1. Since then there was very little change, until 2.0 came into effect in 2024.

The framework is structured around three pillars: the Core (the functions, categories, and subcategories that describe security outcomes), Organizational Profiles (how you describe your current and target security posture), and Tiers (how you express the rigor of your risk management). Version 2.0 touches all three.

The Main Changes

Governance

The original CSF centered on five functions: Identify, Protect, Detect, Respond, and Recover. Version 2.0 adds a sixth function, Govern, which sits above the other five rather than alongside them. This function asks organizations to decide who owns cybersecurity risk in the organization, how risk decisions get made, and who is accountable for them.

These changes mainly affect senior security leaders: NIST has defined cybersecurity as an enterprise risk that should be led and resourced at the executive level, rather than remaining part of the technical workstream.

This shift in emphasis is a significant one, and the data backs it up. IBM’s Cost of a Data Breach report found that 63% of organizations have no governance policies to manage AI or shadow AI. It goes on to say that these systems are more likely to be breached, and more expensive when this happens. Perhaps the report’s starkest warning is that the average global cost of a breach is $4.44 million. This is a risk that sits with the board, not an individual SOC team.

Scope

While the original framework was designed to protect US critical infrastructure, 2.0 expands its remit to cover organizations of every size and sector. This brings a change of language that allows smaller organizations to adapt the guidance to their own settings.

On top of this, NIST provides quick start guides and implementation examples that help to lower the barrier to entry for teams without a dedicated GRC function.

It’s important to note that NIST CSF 2.0 doesn’t lower the standard; it provides a more accessible on-ramp to protecting your organization.

Emphasis On Supply Chain Risk

One of the most concerning trends we’ve seen in recent years is the rise of supply chain attacks. These take two forms. In some cases, attackers compromise a smaller, less well-defended supplier to reach the larger organizations that depend on it. In others, a single breach at one major organization ripples outward and brings its entire network of suppliers to a standstill.

The 2025 Jaguar Land Rover attack is a stark example of the second. Attackers breached JLR’s own IT systems, and once the company shut down its networks to contain the incident, production stopped for around five weeks across its UK plants. The damage didn’t stay within JLR. It spread to roughly 5,000 suppliers and associated businesses, many of whom feared for their survival. The Cyber Monitoring Centre estimated the total cost at £1.9 billion, making it the most economically damaging cyber event in UK history.

This is exactly the kind of risk CSF 2.0 brings into your remit. Supply chain security is no longer a box to tick once a year. It’s a governance responsibility that runs through strategy, oversight, and accountability, whether the threat reaches you through a supplier or radiates from your own systems to everyone who relies on you.

The Six Functions

As already mentioned, CSF 2.0 covers six functions that should be addressed concurrently, rather than in sequence. Govern informs the other five, but all six carry equal weight.

Looking only at the headline figures, it might seem that little has changed. CSF 1.1 was structured around 5 functions, 23 categories, and 108 subcategories; CSF 2.0 is structured around 6 functions, 22 categories, and 106 subcategories. Underneath these numbers, however, there has been a considerable amount of restructuring, making 2.0 quite different from 1.1.

Govern

This is all about setting the strategy: assigning roles, setting policies, managing oversight, and ensuring that there is accountability. Every other function comes back to this central question of governance.

Identify

This is about knowing what your assets are and where the risk sits. How does your unique environment create specific risks? Which general, industry-wide risks are you exposed to? In this area, vulnerability management and attack surface management tools are vital.

Protect

What safeguards and limitations do you have in place? Access control, awareness, and data security are all key areas under this function. There is, however, no real limit to what should be protected. Platform Security and Technology Infrastructure Resilience were added as new categories in 2.0.

Tooling here will include IAM, PAM, security awareness training (SAT), and DLP.

Detect

This function covers finding anomalies or loopholes, then understanding their impact quickly. No matter how comprehensive your plan is, there will always be risks that slip through or evolve over time, and SIEM and EDR tools are the usual means of addressing them. In CSF 2.0, Detect now has two categories (Continuous Monitoring and Adverse Event Analysis): Detection Processes was dropped, and the former ‘Anomalies and Events’ and ‘Security Continuous Monitoring’ categories were restructured into the subcategories of the new ones.

Respond

Once you have confirmed the nature of an incident, Respond ensures that you are able to address it. This includes triage, containment, communication, and mitigation, and SOAR platforms will help teams here. This function was streamlined relative to the previous version: three subcategories were removed, while incident management, analysis, reporting, mitigation, and communications were updated. Communication is now split between internal and external stakeholders, with law enforcement and regulatory considerations included.

Recover

As soon as an issue has been dealt with, you’ll want to restore services and capabilities, and make sure your strategy improves based on your findings. Tooling such as Backup-as-a-Service and Disaster Recovery will dictate the speed at which you can do this. One important backup feature to be mindful of is immutability: you need to be sure that any backup you restore hasn’t been tampered with. Check both the speed and the security of a backup when you choose a provider.

How To Get Started

The first thing you need to do when building for CSF 2.0 is understand where you are now and work out where you need to be. That lets you plot a path of the capabilities to add and the policies to tighten in order to get there. You’ll only know what this path looks like once you understand the nature of your coverage gap.

During this process, you will map your own capabilities under the six functions. This ensures that you take a holistic and comprehensive approach to security, without leaving gaps.

NIST’s Quick Start guides will help you to plan this transition, and their implementation examples mean that you don’t have to start from a blank page.

Through every stage, keep returning to Govern. Ask who bears responsibility for each measure. Who oversees rollout and ongoing management? Who will update policies? Ownership, policy, and oversight set the context within which every other function operates.
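The current-versus-target mapping described above, as an added example that is not from the article or from NIST: a small Python gap analysis over the six CSF 2.0 functions. It assumes Tiers are scored 1 to 4, and the category names and tier values in the sample profile are constructed for illustration.

```python
"""Gap analysis between a Current and a Target Organizational Profile.

Added example, not from NIST or the article. Assumes Tiers are scored 1-4
and that every outcome records an accountable owner (the Govern question).
"""
from dataclasses import dataclass

FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")
TIER_MIN, TIER_MAX = 1, 4  # assumption: Tier 1 (Partial) .. Tier 4 (Adaptive)


@dataclass(frozen=True)
class Outcome:
    function: str    # one of the six CSF 2.0 functions
    category: str    # category label for the outcome (constructed here)
    current: int     # tier achieved today (Current Profile)
    target: int      # tier the organization commits to (Target Profile)
    owner: str = ""  # accountable role; empty means nobody owns it yet


def validate(o: Outcome) -> Outcome:
    if o.function not in FUNCTIONS:
        raise ValueError(f"unknown function {o.function!r}")
    for tier in (o.current, o.target):
        if not TIER_MIN <= tier <= TIER_MAX:
            raise ValueError(f"tier {tier} outside {TIER_MIN}..{TIER_MAX}")
    return o


def gap_report(outcomes: list[Outcome]) -> list[dict]:
    """Outcomes below target or without an owner, largest gap first.
    An unowned outcome is reported even when its tier is met: without an
    accountable role it has no Govern coverage."""
    findings = []
    for o in map(validate, outcomes):
        gap = o.target - o.current
        if gap > 0 or not o.owner:
            findings.append({"function": o.function, "category": o.category,
                             "gap": gap, "owner": o.owner or "UNASSIGNED"})
    findings.sort(key=lambda f: (-f["gap"], FUNCTIONS.index(f["function"])))
    return findings


def coverage_by_function(outcomes: list[Outcome]) -> dict[str, float]:
    """Average current tier per function (0.0 if a function has no outcomes)."""
    tiers = {f: [] for f in FUNCTIONS}
    for o in map(validate, outcomes):
        tiers[o.function].append(o.current)
    return {f: (sum(v) / len(v) if v else 0.0) for f, v in tiers.items()}


# Constructed sample profile; two category names are ones the article cites.
SAMPLE_PROFILE = [
    Outcome("Govern", "Roles and accountability", 1, 3, "CISO"),
    Outcome("Identify", "Asset inventory", 2, 3, "IT Operations"),
    Outcome("Protect", "Platform Security", 2, 3, ""),
    Outcome("Protect", "Technology Infrastructure Resilience", 3, 3, "Infra"),
    Outcome("Detect", "Continuous Monitoring", 2, 4, "SOC"),
    Outcome("Detect", "Adverse Event Analysis", 3, 3, "SOC"),
    Outcome("Respond", "Triage and containment", 3, 3, ""),
    Outcome("Recover", "Backup restoration", 2, 3, ""),
]
```

Run `gap_report(SAMPLE_PROFILE)` to get the prioritized list; note that the Respond outcome appears with a gap of 0 purely because nobody owns it.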

The Bottom Line

The five functions that security teams have used for a decade remain in CSF 2.0. What is new is the focus on governance and the expanded remit of the framework, which now addresses risks such as supply chain attacks and brings a broader range of organizations and sectors under NIST’s guidance.

The real focus of CSF 2.0 is to make the framework usable, rather than aspirational.

For CISOs, this means more leverage in the boardroom. CSF 2.0 confirms in a recognized standard what many security leaders have argued for years: that cybersecurity is a business risk that belongs at board level. Whichever of the six functions your organization currently lacks, CISOs now have the language to discuss it and the mandate to push for change.

Written by Alex Zawalnyski, Journalist & Content Editor

Alex is an experienced journalist and content editor. He researches, writes, fact-checks, and edits articles relating to B2B cyber security and technology solutions, working alongside software experts.

Alex was awarded a First Class MA (Hons) in English and Scottish Literature by the University of Edinburgh.