Compliance · December 10, 2024 · 12 min read

NIST Cybersecurity Framework 2.0: What's New in 2024

A comprehensive guide to the updated NIST CSF 2.0 and how the new Govern function impacts your organization's cybersecurity strategy.

Introduction to NIST CSF 2.0

In February 2024, the National Institute of Standards and Technology (NIST) released version 2.0 of its Cybersecurity Framework—the first major update since the framework's introduction in 2014. This update reflects a decade of lessons learned, evolving threat landscapes, and the maturation of cybersecurity as a business imperative rather than merely a technical concern.

The NIST Cybersecurity Framework has become the de facto standard for organizations worldwide, providing a flexible, risk-based approach to managing cybersecurity. With CSF 2.0, NIST addresses critical gaps identified through years of implementation while maintaining the framework's core strength: its adaptability across industries, organization sizes, and threat environments.

Quick Take

The biggest change in CSF 2.0 is the addition of a sixth core function: Govern. This elevates governance from a supporting role to a primary framework pillar, emphasizing that effective cybersecurity requires leadership commitment and organizational alignment.

Why the Update Was Needed

Evolving Threat Landscape

Since 2014, the cybersecurity landscape has transformed dramatically:

  • Ransomware proliferation: From isolated incidents to systemic threats affecting critical infrastructure
  • Supply chain attacks: SolarWinds and similar incidents highlighting ecosystem vulnerabilities
  • Cloud adoption: Rapid migration creating new attack surfaces and shared responsibility challenges
  • Nation-state threats: Increased sophistication and frequency of state-sponsored attacks

Governance Maturity

Organizations have learned that technical controls alone don't create resilient cybersecurity programs. Effective cybersecurity requires board-level oversight, clear accountability structures, and integration with enterprise risk management. CSF 2.0 formally recognizes this reality.

The Six Core Functions of CSF 2.0

CSF 2.0 expands the framework from five to six core functions, with Govern joining the existing functions:

1. Govern (NEW)

Establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy. This includes leadership engagement, risk management strategies, and supply chain risk management.

2. Identify

Develop the organizational understanding needed to manage cybersecurity risk to systems, people, assets, data, and capabilities, including an understanding of business context, resources, and risks.

3. Protect

Develop and implement appropriate safeguards to ensure delivery of critical services. Includes access control, data security, training, and protective technology.

4. Detect

Develop and implement activities to identify the occurrence of a cybersecurity event, using continuous monitoring and detection processes to identify anomalies and events.

5. Respond

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. Response planning, communications, analysis, mitigation, and improvements.

6. Recover

Develop and implement activities to maintain plans for resilience and restore capabilities or services impaired due to a cybersecurity incident. Recovery planning, improvements, and communications.

Deep Dive: The Govern Function

The Govern function represents the most significant change in CSF 2.0. It emphasizes that cybersecurity is a business risk requiring executive leadership and integration with enterprise strategy.

Key Categories Within Govern

Organizational Context (GV.OC)

Understanding how cybersecurity fits within the organization's mission, stakeholder expectations, and overall risk tolerance.

  • Legal, regulatory, and contractual requirements are understood
  • Cybersecurity's role in organizational objectives is established
  • Organizational priorities are communicated across the enterprise

Risk Management Strategy (GV.RM)

Establishing priorities, constraints, risk tolerances, and assumptions to support operational risk decisions.

  • Risk management objectives are established and agreed upon
  • Risk appetite and risk tolerance statements are established
  • Determinations of risk appetite are informed by organizational role in critical infrastructure

Roles, Responsibilities & Authorities (GV.RR)

Cybersecurity roles and responsibilities are coordinated and aligned with internal and external stakeholders.

  • Organizational leadership is responsible for cybersecurity risk
  • Roles and responsibilities for cybersecurity are established
  • Adequate resources are allocated for cybersecurity

Policy (GV.PO)

Organizational cybersecurity policy is established, communicated, and enforced.

  • Policy is established and communicated to guide cybersecurity activities
  • Policies are reviewed and updated based on risk assessments
  • Processes are in place to receive, analyze, and respond to cybersecurity disclosures

Oversight (GV.OV)

Results of organization-wide cybersecurity risk management activities and performance are used to inform and improve the risk management strategy.

  • Cybersecurity risk management strategy outcomes are reviewed
  • Risk management strategy is reviewed and adjusted
  • Organizational leadership is informed of cybersecurity performance

Cybersecurity Supply Chain Risk Management (GV.SC)

Cyber supply chain risk management processes are identified, established, managed, monitored, and improved.

  • A strategy is established for managing cybersecurity risks in the supply chain
  • Cybersecurity roles and responsibilities for suppliers are established
  • Cybersecurity requirements are included in contracts with suppliers

Other Significant Changes in CSF 2.0

Expanded Scope Beyond Critical Infrastructure

While CSF 1.0 primarily targeted critical infrastructure, CSF 2.0 explicitly addresses organizations of all types and sizes. The framework now includes guidance for small and medium enterprises, recognizing that cyber risk affects everyone, not just large corporations.

Implementation Tiers Refinement

CSF 2.0 refines the four implementation tiers (Partial, Risk-Informed, Repeatable, Adaptive) to better reflect organizational cybersecurity maturity. The updated tiers now incorporate governance considerations and supply chain risk management practices.

Enhanced Measurement Guidance

The updated framework provides clearer guidance on measuring cybersecurity program effectiveness. Organizations can now better demonstrate value to stakeholders and track improvement over time.

Implementing CSF 2.0: A Practical Approach

Step 1: Assess Your Current State

Begin by evaluating your organization's current cybersecurity posture against the six core functions. This baseline assessment identifies gaps and prioritizes improvement areas.

Step 2: Establish Governance

Start with the Govern function—it provides the foundation for all other activities:

  1. Define cybersecurity's role in organizational strategy
  2. Establish clear roles and responsibilities
  3. Develop and communicate cybersecurity policies
  4. Create risk management processes
  5. Implement oversight and reporting mechanisms
  6. Address supply chain cybersecurity requirements

Step 3: Create Target Profile

Develop a target profile representing your desired cybersecurity outcomes. This should align with business objectives, risk tolerance, and available resources.

Step 4: Determine, Analyze, and Prioritize Gaps

Compare your current profile to your target profile, identifying gaps. Prioritize these gaps based on risk impact and resource requirements.

Step 5: Implement Action Plan

Develop a roadmap to address prioritized gaps. Include quick wins for momentum alongside longer-term strategic initiatives.

Step 6: Continuously Monitor and Improve

Cybersecurity is not a one-time effort. Regularly reassess your posture, update your target profile as business needs evolve, and continuously improve your program.

Implementation Timeline

Most organizations should plan 12-18 months for initial CSF 2.0 implementation, with ongoing continuous improvement thereafter. However, you can realize benefits from governance improvements within the first 90 days.

Industry-Specific Considerations

Financial Services

Financial institutions should map CSF 2.0 to existing regulatory frameworks like GLBA, SOX, and PCI DSS. The Govern function aligns well with board-level risk oversight requirements already mandated by regulators.

Healthcare

Healthcare organizations can use CSF 2.0 to complement HIPAA compliance. The framework's risk-based approach helps prioritize protections for electronic protected health information (ePHI).

Manufacturing and OT Environments

Organizations with operational technology should pay special attention to the supply chain risk management components of the Govern function, as OT supply chains present unique vulnerabilities.

Common Implementation Challenges

Challenge: Securing Executive Buy-In

Solution: Use the Govern function's emphasis on business risk to frame cybersecurity in terms leadership understands. Present CSF 2.0 implementation as enterprise risk management, not just IT security.

Challenge: Resource Constraints

Solution: Implement incrementally, focusing first on governance and highest-risk areas. CSF 2.0 is designed to scale with your organization's resources and risk profile.

Challenge: Measuring Progress

Solution: Establish clear metrics for each core function. Track implementation progress, incident response effectiveness, and risk reduction over time.

The Future of NIST CSF

NIST has committed to more frequent updates based on stakeholder feedback and evolving threats. Expect continued refinement of implementation guidance, more industry-specific examples, and expanded international collaboration.

The framework's influence continues to grow globally, with many countries adopting CSF as their national cybersecurity standard or using it to inform their own frameworks. This international adoption reinforces CSF's value for organizations operating across borders.

Conclusion

NIST CSF 2.0 represents a significant evolution in cybersecurity risk management. The addition of the Govern function acknowledges what security leaders have known for years: effective cybersecurity requires more than technical controls—it demands organizational commitment, clear governance, and integration with business strategy.

Organizations that embrace CSF 2.0 will build more resilient cybersecurity programs aligned with business objectives and better positioned to manage evolving threats. The framework's flexibility ensures it remains relevant regardless of organization size, industry, or current maturity level.

Start your CSF 2.0 journey today—begin with governance, establish clear accountability, and build a cybersecurity program that supports your organization's mission while managing risk effectively.

Automate NIST CSF Compliance

CyberXprt provides automated compliance mapping to NIST CSF 2.0, helping you track implementation progress, identify gaps, and generate audit-ready reports across all six core functions.

CyberXprt Security Team
Compliance & Governance Experts