NIST CSF 2.0: what changed and why it matters
The National Institute of Standards and Technology released NIST Cybersecurity Framework 2.0 (CSF 2.0) on 26 February 2024 — the first major revision since the original 1.0 framework launched in 2014. The update reflects a decade of implementation experience, the expansion of cybersecurity risk beyond critical infrastructure into every sector, and the growing recognition that cybersecurity is fundamentally a governance and risk management issue — not just a technical one.
The headline change is the addition of a sixth core function: GOVERN (GV). But the scope changes go deeper than that: expanded supply chain risk management, an updated Tier model, broader applicability beyond critical infrastructure, Organisational Profiles as a first-class planning tool, and significantly expanded implementation guidance through Community Profiles and Quick Start Guides.
In 2026, regulators, enterprise procurement teams, and boards are increasingly using CSF 2.0 as a common language for cybersecurity risk. The SEC's cybersecurity disclosure rules require public companies to describe their cybersecurity risk management approach — CSF 2.0 provides the vocabulary. CISA references CSF 2.0 in its Cybersecurity Performance Goals. Federal contractors dealing with NIST SP 800-171/CMMC overlap CSF 2.0 with those requirements. And internationally, the NIS2 Directive's risk management measures map closely to CSF 2.0 functions.
The six functions: what's new in CSF 2.0
GOVERN (GV) — New in CSF 2.0
GOVERN is the most significant addition. It addresses the cybersecurity risk management strategy, policies, processes, and oversight that enable all other CSF functions. NIST recognised that in CSF 1.1, governance was implicitly addressed but not given a dedicated function — creating an implementation gap where organisations built technical controls without the governance infrastructure to sustain them.
GOVERN contains six categories:
- GV.OC — Organisational Context: Mission, stakeholders, dependencies, legal/regulatory requirements, and risk tolerance understood at leadership level.
- GV.RM — Risk Management Strategy: Risk tolerance established, risk strategy approved by leadership, risk management integrated with enterprise risk management.
- GV.RR — Roles, Responsibilities, and Authorities: Cybersecurity roles defined, communicated, and enforced; board/executive accountabilities clear.
- GV.PO — Policy: Cybersecurity policies reflect risk tolerance and regulatory requirements; reviewed and updated regularly.
- GV.OV — Oversight: Cybersecurity results reported to leadership; governance processes reviewed; metrics tracked.
- GV.SC — Cybersecurity Supply Chain Risk Management: Supply chain risks understood and addressed; supplier requirements defined; SCRM integrated with ERM.
GV.SC is particularly significant — supply chain risk management was present in CSF 1.1 under IDENTIFY but has been elevated and significantly expanded in GOVERN. The SolarWinds and Log4Shell incidents drove this expansion; NIST recognised that supply chain risk is a governance-level concern, not just a technical one.
IDENTIFY (ID) — Expanded but familiar
CSF 2.0 updates IDENTIFY to emphasise the asset management → risk assessment → improvement loop. New subcategories address software and firmware assets explicitly (reflecting software supply chain risk), and risk identification has been broadened to include third-party dependencies and environmental risks.
PROTECT (PR) — Software supply chain additions
PROTECT gains explicit coverage of software supply chain security: software bill of materials (SBOM), secure software development practices, and supply chain monitoring. This reflects the post-SolarWinds reality that protecting your own perimeter is insufficient if your software supply chain is compromised.
DETECT (DE), RESPOND (RS), RECOVER (RC) — Refined
These three functions are refined and reorganised rather than fundamentally changed. Detection processes now explicitly include supply chain monitoring. RESPOND has been updated to better align with incident communication requirements across regulatory frameworks. RECOVER better integrates with business continuity planning.
The Tier model in CSF 2.0: what changed
The four Tiers (Partial, Risk Informed, Repeatable, Adaptive) remain in CSF 2.0 but have been updated to better describe organisational maturity:
Tier 1 — Partial
Cybersecurity risk management is ad hoc and reactive. Risk management processes are not formalised, and there is limited awareness of cybersecurity risk at the organisational level. Supply chain risk management is informal or absent. Limited communication with external stakeholders about cybersecurity.
What this looks like in practice: Security measures exist but are individual-driven rather than process-driven. No formal risk assessment. Incident response is improvised. No board visibility of cybersecurity risk.
Tier 2 — Risk Informed
Risk management practices are approved by management but may not be established as organisation-wide policy. There is awareness of cybersecurity risk but it isn't consistently applied. Cybersecurity information is shared informally. Supply chain risk is considered but not formally managed.
What this looks like in practice: Written policies exist but aren't uniformly followed. Risk assessments conducted but not integrated with enterprise risk management. Board gets occasional security updates. Vendor security is assessed during procurement but not monitored continuously.
Tier 3 — Repeatable
Cybersecurity risk management practices are formally approved and expressed as policy. Practices are consistently implemented across the organisation and updated based on application of risk management processes. The organisation considers cybersecurity risks in the context of mission and business objectives. Supply chain risk management is formally integrated.
What this looks like in practice: Formal risk assessment on a defined cycle. Policies reviewed annually and enforced. Regular board reporting with defined metrics. Supply chain risk management programme with vendor assessments and continuous monitoring. Incident response tested annually.
Tier 4 — Adaptive
The organisation adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current activities. Through continuous improvement of cybersecurity practices in response to changes in business/mission requirements, threat landscape, and technology. Risk tolerance and supply chain risk are actively managed and integrated with enterprise risk. Board-level cybersecurity oversight is mature and metrics-driven.
What this looks like in practice: Real-time threat intelligence integrated into detection and response. Automated response capabilities. Metrics dashboard reported to board quarterly. Supply chain incidents trigger immediate supplier review. Purple team exercises integrated into continuous improvement cycle.
The key CSF 2.0 changes for practitioners
Broader applicability
CSF 1.0 was "for critical infrastructure" — CSF 2.0 is explicitly for all organisations regardless of size, sector, or geography. NIST has published sector-specific Community Profiles (for healthcare, financial services, technology, and others) and Organisation Size Quick Start Guides (small business, enterprise). This makes CSF 2.0 immediately applicable to mid-market and growth-stage companies that previously felt CSF was only for large enterprises.
Organisational Profiles
CSF 2.0 introduces Organisational Profiles as a formal tool — Current Profile (where you are) and Target Profile (where you want to be). Profiles are used to understand gaps and prioritise improvements. Profiles can be shared — regulators, sector bodies, and enterprise customers may publish expected Profile requirements, allowing organisations to align to external expectations.
Continuous Improvement is explicit
CSF 2.0 makes continuous improvement a first-class concept. The GOVERN function's GV.OV (Oversight) subcategory explicitly requires that cybersecurity results are communicated to leadership and used to improve the programme. This operationalises the PDCA (Plan-Do-Check-Act) cycle in the CSF context.
Mapping CSF 2.0 to regulatory requirements
CSF 2.0 is not a regulatory requirement in itself, but it maps to many regulations:
- SEC Cybersecurity Disclosure Rules (2023): Public companies must disclose material cybersecurity incidents (Form 8-K) and annual disclosure of risk management, strategy, and governance (Form 10-K). CSF 2.0 GOVERN function directly supports the governance disclosure requirements.
- EU NIS2 Directive (2022/2555): NIS2 requires risk analysis, information system security policies, incident handling, business continuity, supply chain security, network security, and cybersecurity training. These map directly to CSF 2.0 functions.
- DORA (Financial entities in EU): DORA's ICT risk management framework maps to IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER. DORA Art. 5 management body oversight maps to CSF 2.0 GOVERN.
- NIST SP 800-171 / CMMC 2.0: For federal contractors, CSF 2.0 Tier 3+ posture is consistent with CMMC Level 2 readiness.
- HIPAA Security Rule: The Security Rule's administrative, physical, and technical safeguards map to CSF 2.0 PROTECT and DETECT functions.
Progressing from Tier 1 to Tier 3: a practical roadmap
Tier 1 → Tier 2 (typically 3–6 months)
Focus: get risk-aware without building bureaucracy.
- Conduct first formal risk assessment — doesn't need to be perfect, needs to be documented
- Document cybersecurity responsibilities — who owns what
- Get leadership sign-off on a one-page cybersecurity risk tolerance statement
- Establish asset inventory (even a spreadsheet is fine at this stage)
- Stand up an incident response procedure (even a simple one)
- Conduct first security awareness training
Tier 2 → Tier 3 (typically 6–12 months)
Focus: formalise and operationalise — make it organisation-wide.
- Formally approve policies at board/executive level; publish them organisation-wide
- Integrate cybersecurity risk into enterprise risk management
- Establish quarterly board reporting cadence with defined metrics
- Build supply chain risk assessment programme — assess all vendors with access to systems/data
- Test incident response plan annually (tabletop exercise)
- Implement continuous monitoring (SIEM or equivalent)
- Address MFA, EDR, patch management as baseline technical controls
Board reporting with CSF 2.0 Tiers
One of CSF 2.0's most valuable uses is board communication. The Tier model gives boards a simple, internationally recognised benchmark: "We are currently Tier 2 (Risk Informed) and targeting Tier 3 (Repeatable) by Q4 2026. The key gaps are [supply chain risk programme, IRP testing, continuous monitoring]."
This framing is more meaningful to board members than technical metrics. It positions cybersecurity as a risk management maturity programme — something boards understand from enterprise risk management contexts.
For organisations subject to SEC disclosure requirements, the CSF 2.0 Tier model can directly inform the annual 10-K cybersecurity risk management disclosure. Document your current Tier, your target Tier, and the programme you have in place to progress — this is precisely what the SEC rules require you to describe.
ComplyKit's free NIST CSF 2.0 Tier Assessment covers all 42 controls across all six CSF 2.0 functions — including the new GOVERN function — and produces a professional assessment report with your current Tier determination, function-by-function scorecard, gap analysis, and a phased roadmap for Tier progression. No account required.