Lesson 5 of 5

NIST CSF 2.0: What Changed and What It Means

NIST CSF 2.0

NIST released CSF 2.0 in February 2024, the first major update since the framework's original publication in 2014. The update reflects a decade of implementation experience and the evolving cybersecurity landscape. The changes are significant but evolutionary — organizations using CSF 1.1 will find 2.0 familiar.

The Govern Function

The most notable change is the addition of a sixth function: Govern. This function establishes the organization's cybersecurity risk management strategy, expectations, and policy. It elevates governance from a supporting activity to a core function, emphasizing that cybersecurity is a leadership responsibility.

Govern categories include organizational context, risk management strategy, cybersecurity supply chain risk management, roles and responsibilities, policies, and oversight. By making governance explicit, CSF 2.0 ensures that cybersecurity decisions are aligned with business objectives and risk tolerance.

Expanded Scope

CSF 1.1 was titled "Framework for Improving Critical Infrastructure Cybersecurity." CSF 2.0 drops the critical infrastructure focus, explicitly recognizing that the framework applies to all organizations regardless of size, sector, or cybersecurity sophistication. This reflects how the framework was already being used in practice.

Updated Core

The Framework Core has been reorganized with updated categories and subcategories. Many subcategories have been refined for clarity. New subcategories address emerging topics like cybersecurity supply chain risk management, which received significant expansion.

Implementation Resources

CSF 2.0 introduces new implementation resources including the CSF 2.0 Reference Tool (a searchable online tool for navigating the Core), Quick Start Guides for different organization types, Community Profiles for specific sectors and use cases, and Informative References mapping CSF to other frameworks.

Transitioning from CSF 1.1

Map your existing CSF 1.1 implementation to CSF 2.0 categories and subcategories. NIST provides a crosswalk document to assist. Address the new Govern function — most organizations already perform governance activities but may need to formalize and document them. Leverage new implementation resources to refine your profiles and tiers.

The transition does not require starting over. CSF 2.0 builds on 1.1, and most existing work carries forward.