The original NIST Cybersecurity Framework, published in 2014, was designed for critical infrastructure but became the de facto standard for security program design across industries. In February 2024, NIST released Version 2.0 — the most significant update to the framework in its decade of existence.
If your security program references CSF 1.1, here's what you need to know about the changes.
The Biggest Addition: Govern
CSF 1.1 had five core functions: Identify, Protect, Detect, Respond, Recover. CSF 2.0 adds a sixth: Govern.
The Govern function addresses the organizational context that enables all the other functions — how the organization makes decisions about cybersecurity risk, how it establishes accountability, how leadership oversees the security program, and how security risk is integrated into enterprise risk management.
This is a significant acknowledgment that security programs fail not because of missing technical controls but because of missing governance: unclear ownership, insufficient leadership engagement, security siloed from business strategy, and risk decisions made without appropriate context.
The Govern function includes categories for: Organizational Context, Risk Management Strategy, Roles/Responsibilities/Authorities, Policy, Oversight, and Cybersecurity Supply Chain Risk Management.
Broader Scope
CSF 1.1 explicitly focused on critical infrastructure. CSF 2.0 explicitly broadens to "organizations of all sizes and all sectors" — a recognition that the framework has been widely adopted beyond its original intended audience.
This makes the framework's claim about who it's for match who's actually using it.
Supply Chain Risk Gets Prominent Treatment
The original framework touched on supply chain risk, but CSF 2.0 gives it significantly more prominence — both within the Govern function (Cybersecurity Supply Chain Risk Management as a category) and throughout the other functions.
This reflects the SolarWinds, Kaseya, MOVEit, and other major supply chain attacks that have dominated the threat landscape since CSF 1.1.
Integration with Other Frameworks
CSF 2.0 explicitly positions itself as a high-level meta-framework intended to work alongside other, more detailed frameworks (NIST SP 800-53, CIS Controls, ISO 27001, sector-specific frameworks).
NIST has also published reference tools — Implementation Examples, Quick-Start Guides for specific audiences, and Community Profiles — that make the framework more accessible and actionable for different user types.
What About the Tiers?
The four tiers (Partial, Risk-Informed, Repeatable, Adaptive) remain in CSF 2.0 with modest refinements. The key clarification: tiers describe maturity of risk governance practices, not overall security program maturity. They're not ratings or grades — they're calibration tools.
What This Means for Your Program
If you're using CSF 1.1 as a reference: The five core functions you're familiar with still exist. Govern is an addition, not a replacement for any of them. Your existing assessment methodology remains largely applicable.
Immediate action: Review whether your program explicitly addresses the Govern function categories. Most security programs have elements of governance, but they're often implicit rather than explicitly mapped. The CSF 2.0 Govern function provides a useful checklist.
Supply chain: If your program doesn't have a formal supplier risk management component mapped to the CSF, the prominence CSF 2.0 gives to cybersecurity supply chain risk management (SCRM) is a prompt to add one.
Communication: If you use CSF as a communication tool with leadership or for board reporting, updating to CSF 2.0 and explicitly addressing the Govern function strengthens the governance narrative.
The Good News
The core insight of the NIST CSF — organize security activities around risk management across Identify, Protect, Detect, Respond, and Recover — hasn't changed. CSF 2.0 is an evolution, not a revolution. Programs built on CSF 1.1 are well-positioned to adapt.