NIST CSF 2.0: What Changed from CSF 1.1
NIST published the Cybersecurity Framework 2.0 in February 2024 — the most significant update since the original CSF was released in 2014. The headline change is a new sixth function: GOVERN. But there are several other important updates that affect how SaaS companies should use the framework.
| What Changed | CSF 1.1 | CSF 2.0 |
|---|---|---|
| Functions | 5 (Identify, Protect, Detect, Respond, Recover) | 6 (GOVERN added; it sits at the centre of the CSF 2.0 wheel and informs the other five) |
| Target audience | Critical infrastructure sectors | All organisations, regardless of size or sector; explicit expansion beyond critical infrastructure |
| Supply chain security | ID.SC category (5 subcategories) | GV.SC, a full category under GOVERN with 10 subcategories (GV.SC-01 to GV.SC-10) |
| Privacy integration | Separate Privacy Framework, with a privacy methodology section in CSF 1.1 | Still a separate framework; CSF 2.0 explicitly describes using the NIST Privacy Framework alongside it and folds privacy obligations into GV.OC-03 |
| Tiers | 4 tiers (Partial, Risk Informed, Repeatable, Adaptive) | Same 4 tiers; they are now applied to Current and Target Profiles, and Profile guidance is clearer |
| Core categories | 23 categories | 22 categories (some consolidated) |
| Cybersecurity measurement | Minimal guidance | New GV.OV oversight category explicitly requires measuring programme effectiveness |
The New GOVERN Function: Why It Matters
GOVERN sits at the centre of the CSF 2.0 wheel and informs how the other five functions are carried out. It covers organisational context, risk management strategy, roles and responsibilities, policies, oversight, and supply chain risk. The addition reflects a decade of lessons: the most expensive cybersecurity failures weren't primarily technical failures, they were governance failures.
For SaaS companies, the key GOVERN requirements are:
- GV.OC (Organisational Context): Understand your legal, regulatory, and contractual obligations (GDPR, HIPAA, NIS2, SOC 2 customer requirements) and their cybersecurity implications (GV.OC-03). Document them.
- GV.RM (Risk Management Strategy): Leadership must formally approve the organisation's risk appetite. "We're a startup and don't have time for formal risk management" is Tier 1 — and increasingly unacceptable to enterprise customers and investors.
- GV.RR (Roles and Responsibilities): Assign specific individuals accountability for cybersecurity. Even in a 10-person company, someone needs to be the named security owner.
- GV.PO (Policy): Documented policies that are approved, communicated, enforced, and reviewed on a defined cadence (annual review is the baseline SOC 2 auditors have expected for years). CSF 2.0 aligns explicitly with that expectation.
- GV.OV (Oversight): Senior leadership reviews cybersecurity results and uses them to adjust strategy. This maps to SOC 2 CC1.2 (board oversight) and CC4 (monitoring activities), and to ISO 27001 Clause 9 (performance evaluation, including the 9.3 management review).
- GV.SC (Supply Chain): This is the most expanded area. CSF 2.0 expects formal third-party risk management, from vendor assessment through contractual security requirements to ongoing monitoring and offboarding. This mirrors the wave of supply chain incidents (SolarWinds, Log4Shell, MOVEit) that preceded the update.
CSF 2.0 Implementation Tiers
Tiers describe the sophistication of an organisation's cybersecurity risk management practices, not a measure of security strength. Higher tiers mean more formalised, integrated practices.
| Tier | Name | Characteristics | Typical Profile |
|---|---|---|---|
| Tier 1 | Partial | Ad hoc, reactive. No formal risk management process. Limited awareness of cybersecurity risk. | Early-stage startups, companies that haven't started compliance work |
| Tier 2 | Risk Informed | Risk management practices exist but aren't formally approved or consistently applied across the organisation. | Growth-stage SaaS companies beginning SOC 2 or ISO 27001 preparation |
| Tier 3 | Repeatable | Risk management practices are formally approved by leadership and consistently implemented. Updated based on changes and lessons learned. | Companies holding a SOC 2 Type II report or ISO 27001 certification |
| Tier 4 | Adaptive | Cybersecurity risk management is continuously improved. Real-time threat intelligence informs decisions. Security is embedded in all business decisions. | Security-mature enterprises, critical infrastructure operators, regulated financial institutions |
Most SaaS companies target Tier 3. Enterprise procurement teams increasingly expect Tier 3 maturity, typically evidenced by a SOC 2 Type II report (SOC 2 is an attestation report, not a certification). Tier 4 is appropriate for security-critical industries (financial services, critical infrastructure) or companies handling particularly sensitive data.
CSF 2.0 to SOC 2, ISO 27001, and NIS2 Crosswalk
One of CSF 2.0's most useful features for SaaS companies is its natural alignment with the frameworks customers actually ask about. If you're working towards SOC 2 or ISO 27001, the CSF 2.0 gap assessment is a useful complement:
| CSF 2.0 Function | SOC 2 Trust Service Criteria | ISO 27001:2022 | NIS2 Article 21 |
|---|---|---|---|
| GOVERN | CC1 (Control Environment), CC3 (Risk Assessment), CC9 (Risk Mitigation; CC9.2 covers vendors and business partners) | Clause 5 (Leadership), Clause 6 (Planning), A.5.1 (InfoSec Policies), A.5.19 (Supplier Relationships) | Art. 20 (Governance), Art. 21(2)(a) (Risk Analysis and Security Policies), Art. 21(2)(d) (Supply Chain Security) |
| IDENTIFY | CC3 (Risk Assessment), CC6.1 (Asset Inventory points of focus) | A.5.9 (Asset Inventory), A.5.12 (Classification), Clause 6.1.2 (Risk Assessment) | Art. 21(2)(a) (Risk Analysis), Art. 21(2)(i) (Asset Management) |
| PROTECT | CC6 (Logical and Physical Access), CC7 (System Operations), CC8 (Change Management) | A.8 (Technological Controls), A.6 (People Controls), A.7 (Physical Controls) | Art. 21(2)(e)-(j) (secure development, cyber hygiene, cryptography, access control, MFA and secure communications) |
| DETECT | CC4 (Monitoring Activities), CC7.1-CC7.2 (Vulnerability and Anomaly Detection) | A.8.15 (Logging), A.8.16 (Monitoring Activities), A.8.8 (Technical Vulnerability Management) | Art. 21(2)(b) (Incident Handling, including detection), Art. 21(2)(f) (Assessing Effectiveness of Measures) |
| RESPOND | CC7.3 (Security Event Evaluation), CC7.4 (Incident Response) | A.5.26 (Response to Incidents), A.5.24-A.5.28 (Incident Management) | Art. 21(2)(b) (Incident Handling), Art. 23 (Incident Reporting) |
| RECOVER | CC7.5 (Recovery), A1 (Availability) | A.5.29 (Information Security During Disruption), A.5.30 (ICT Readiness for Business Continuity) | Art. 21(2)(c) (Business Continuity, Backup, Disaster Recovery, Crisis Management) |
Using CSF 2.0 as a SaaS Company Without Federal Requirements
CSF 2.0 was designed for all organisations, but the framework originated as a US critical-infrastructure initiative (Executive Order 13636, 2013) developed by NIST with industry input. For SaaS companies without US government contracts, it's most useful as:
- A gap assessment tool: Run the 6-function assessment to identify where your security programme has gaps before starting a formal SOC 2 or ISO 27001 audit
- A communication framework: Use the CSF 2.0 function language to communicate security posture to enterprise customers ("We are currently at Tier 2 overall, with GOVERN and DETECT as improvement areas")
- A roadmap structure: Organise your security improvement roadmap around the 6 functions
- A vendor requirement: Some US enterprise customers and government-adjacent organisations now ask vendors for CSF 2.0 alignment evidence
The GOVERN Function: What SaaS Startups Most Often Miss
The GOVERN function is where most startups score lowest in a first CSF 2.0 gap assessment (the framework has no pass/fail; the gap is against the Target Profile you set). The most common gaps:
- No risk appetite statement: Leadership hasn't formally defined how much cybersecurity risk is acceptable. This is required for GV.RM-02 and is the foundation of a risk management programme.
- No formal supply chain risk management: GV.SC requires vendor assessment, contractual security requirements, and ongoing monitoring. Most startups buy SaaS tools without assessing security at all.
- Cybersecurity not in board/leadership reviews: GV.OV requires leadership to review cybersecurity results. A 5-person startup doesn't need a CISO — but someone needs to report security metrics to leadership quarterly.
- Legal/regulatory obligations not documented: GV.OC-03 expects legal, regulatory, and contractual requirements (GDPR, HIPAA, or other applicable rules) to be understood and managed. Many SaaS companies know they have GDPR obligations but haven't formally documented the cybersecurity implications.
Minimum Viable CSF 2.0 Compliance for a Growth-Stage SaaS
- ✅ Documented Information Security Policy (approved by CEO/CTO/board) — covers GV.PO
- ✅ Named security owner with explicit accountability — covers GV.RR
- ✅ Annual risk assessment with a risk register — covers GV.RM, ID.RA
- ✅ Asset inventory (hardware, software, cloud) — covers ID.AM
- ✅ MFA on all production access and cloud consoles — covers PR.AA
- ✅ AES-256 encryption at rest, TLS 1.2+ in transit — covers PR.DS
- ✅ Automated vulnerability scanning at least monthly, with findings recorded and triaged — covers ID.RA-01 (vulnerability identification) and feeds DE.CM
- ✅ Documented Incident Response Plan — covers RS.MA
- ✅ Quarterly leadership review of security metrics — covers GV.OV
- ✅ Vendor assessment process for new third-party tools — covers GV.SC
Run Your NIST CSF 2.0 Gap Assessment
Use the NIST CSF 2.0 Gap Assessment Generator to assess your security posture across all 6 functions (a 37-subcategory subset of the 106 subcategories in the CSF 2.0 Core). You'll get a scored gap report with a prioritised remediation roadmap, framework crosswalk (SOC 2, ISO 27001, NIS2), and tier progression plan.
Related generators: ISO 27001 Gap Assessment, SOC 2 Gap Assessment, NIS2 Compliance Checklist, Information Security Policy, Incident Response Plan, Vulnerability Management Policy.
Related reading: ISO 27001 Gap Assessment Guide, SOC 2 Gap Analysis Guide, ISO 27001 vs SOC 2: Which First?, NIS2 Compliance Guide.
⚠️ This guide is for informational purposes only. NIST CSF 2.0 is a voluntary framework — alignment does not constitute certification. For US federal contracts, confirm specific requirements with your contracting officer.