
NIST CSF 2.0: What Changed and Why It Matters

The first major update to the NIST Cybersecurity Framework in a decade adds a critical new function: Govern. Here's what you need to know.

In February 2024, NIST released version 2.0 of the Cybersecurity Framework—the first major update in a decade. If you've been using CSF to guide your security program, this matters.

The most significant change? A new sixth function called Govern. And if you've ever wondered why security initiatives stall despite good intentions, the Govern function is the answer NIST finally codified.

What the Original Framework Got Right

The original NIST CSF gave us five functions: Identify, Protect, Detect, Respond, Recover. It was elegant. It was flexible. It could be adopted by organizations of any size without requiring specific technologies or prescriptive controls.

CSF works because it focuses on outcomes rather than checkboxes.

But there was always something missing.

The Governance Gap

Organizations would implement controls, detect threats, and respond to incidents—but struggle to sustain momentum. Security initiatives would launch with enthusiasm and fade into neglected documentation.

The missing piece was organizational commitment. Who's accountable? How does security connect to business objectives? What's the actual risk appetite?

These are governance questions, and the original framework left them implicit. CSF 2.0 makes them explicit.

The Govern Function

Govern sits at the center of the framework now, touching all five other functions. It addresses:

Organizational Context — Understanding your business environment, stakeholder expectations, and legal requirements. Security doesn't exist in a vacuum; it exists to enable your business objectives.

Risk Management Strategy — Defining how you'll approach risk. What's acceptable? How do you prioritize? Who makes the decisions when tradeoffs are necessary?

Roles and Responsibilities — Clearly assigning accountability for cybersecurity outcomes. Not just "IT handles security" but specific ownership of specific outcomes.

Policy — Establishing, communicating, and enforcing security policies that align with organizational objectives.

Oversight — Leadership involvement in security decision-making, not as a rubber stamp but as active governance.

Cybersecurity Supply Chain Risk Management — Recognizing that your security is only as strong as your vendors' security.

Why This Matters for Small Organizations

You might think governance sounds like enterprise bureaucracy. It's not.

For small organizations, Govern actually simplifies things. Instead of trying to implement every possible control, Govern asks you to first answer: what are we actually trying to protect? What risks are we willing to accept? Who decides when we're not sure?

A 30-person company with clear governance—documented risk appetite, explicit security ownership, aligned policies—will outperform a 300-person company where security is "everyone's responsibility" (meaning nobody's responsibility).

The Updated Six Functions

Here's how CSF 2.0 now structures the framework:

Govern — Establish and maintain an organizational cybersecurity strategy, risk management, and oversight

Identify — Understand your assets, business context, and risks to prioritize efforts

Protect — Implement safeguards to ensure delivery of critical services

Detect — Identify the occurrence of cybersecurity events

Respond — Take action when a cybersecurity incident is detected

Recover — Maintain resilience and restore capabilities impaired by an incident

Govern isn't sequential with the others—it's continuous and foundational. It informs how you approach all five operational functions.

Practical First Steps

If you're already using CSF 1.0, here's how to start incorporating 2.0:

  1. Document your current governance — Who owns security decisions today? Is it clear? Write it down.

  2. Define risk appetite — Work with leadership to establish what level of risk is acceptable. This prevents endless debates about individual controls.

  3. Connect security to business — For every major security initiative, articulate why it matters to the business. If you can't, reconsider the priority.

  4. Review supply chain risk — CSF 2.0 emphasizes vendor security. Inventory your critical vendors and assess their security posture.

  5. Schedule governance reviews — Security governance isn't set-and-forget. Quarterly reviews keep it current.

This Is a Multi-Part Series

In the following posts, we'll dive deeper into each function with practical guidance for implementation. The goal isn't academic understanding—it's building a security program that actually works for your organization.


Need help mapping your security program to NIST CSF 2.0? Our GRC Advisory services can guide you through the transition. Let's talk.

Jonathan Carpenter
Founder, Anchor Cyber Security