NIST Cybersecurity Framework 2.0
What is NIST Cybersecurity Framework 2.0?
The February 2024 update to the NIST Cybersecurity Framework, adding a sixth 'Govern' Function alongside Identify, Protect, Detect, Respond, and Recover, and broadening the audience beyond U.S. critical infrastructure to all organizations.
NIST Cybersecurity Framework 2.0, published 26 February 2024, is the first major revision since CSF 1.1 in 2018. It adds a new top-level Function, 'Govern' (GV) — covering organizational context, risk management strategy, supply-chain risk management, roles & responsibilities, policy, and oversight — recognizing that cyber risk is a governance topic alongside operational hygiene. The other Functions remain: Identify, Protect, Detect, Respond, Recover. The scope was broadened from 'critical infrastructure' to all organizations regardless of sector or size, with explicit guidance for small and medium enterprises. NIST also published a richer set of companion resources: implementation examples, informative references mapping to NIST SP 800-53/171, ISO 27001, CIS Controls, and the Cybersecurity Framework Reference Tool. CSF 2.0 is widely used as a board-level reporting lattice, as a baseline for vendor questionnaires, and as a structure for cyber-insurance underwriting. Many existing CSF 1.1 programs migrated to 2.0 through 2024–2025.
● Examples
- 01: A board adopts CSF 2.0 categories as the structure for the quarterly security update, with the new Govern Function used to report on risk appetite and oversight.
- 02: A cyber insurer's underwriting questionnaire maps each question to a CSF 2.0 subcategory so it can score applicants on a common lattice.
● Frequently asked questions
What is NIST Cybersecurity Framework 2.0?
The February 2024 update to the NIST Cybersecurity Framework, adding a sixth 'Govern' Function alongside Identify, Protect, Detect, Respond, and Recover, and broadening the audience beyond U.S. critical infrastructure to all organizations. It belongs to the Compliance & Frameworks category of cybersecurity.
What are other names for NIST Cybersecurity Framework 2.0?
Common alternative names include: NIST CSF 2.0, CSF v2.
● Related terms
- NIST Cybersecurity Framework (compliance): A voluntary risk-based framework published by the U.S. National Institute of Standards and Technology that organizes cybersecurity outcomes into six core functions.
- NIST Risk Management Framework (compliance): A seven-step NIST process, defined in SP 800-37, for integrating security, privacy, and supply-chain risk management into the system lifecycle.
- ISO/IEC 27001 (compliance): The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.
- CIS Controls (compliance): A prioritized set of best-practice cybersecurity safeguards maintained by the Center for Internet Security to defend against the most common cyberattacks.
- Third-Party Risk Management (TPRM) (compliance): The end-to-end discipline of identifying, assessing, contracting, monitoring, and offboarding third parties so that the cyber, operational, and compliance risks they introduce stay within appetite.
- Risk Management (compliance): The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.