NIST Cybersecurity Framework 2.0 explained


NIST Cybersecurity Framework 2.0 is the 2024 update to the U.S. National Institute of Standards and Technology's voluntary cybersecurity framework. It organizes cybersecurity activities into six functions — Govern, Identify, Protect, Detect, Respond, Recover — and serves as the most widely adopted scaffolding for cybersecurity program design, board reporting, and maturity assessment in the United States and beyond. CSF 2.0's headline change from version 1.1 is promoting governance to a top-level function.

CSF 2.0 is the framework most working CISOs reach for when they need a structure for their program — not because it's prescriptive (it isn't), but because it gives them the same vocabulary auditors, regulators, insurers, and the board are already using. This is the working reference.

The six functions (and why Govern got promoted)

CSF 1.1 had five functions: Identify, Protect, Detect, Respond, Recover. The 2024 update split out a new sixth function — Govern — that consolidates risk management strategy, oversight, supply-chain risk management, and policy. The reason: in the decade between CSF 1.0 (2014) and CSF 2.0 (2024), governance failures became the most common contributor to high-impact incidents. The board-level conversations that follow a breach are about who decided what, not just which control failed. CSF 2.0 reflects that reality structurally.

What CSF 2.0 actually contains

The framework is published as three components. The Core is the function/category/subcategory hierarchy — six functions, 23 categories, 106 subcategories. Each subcategory is a specific outcome (e.g., GV.RM-01: "Risk management objectives are established and agreed to by organizational stakeholders"). The Implementation Tiers describe maturity progression — Partial, Risk Informed, Repeatable, Adaptive — applied per organization or per function. The Profiles are the customization layer: a Current Profile (where you are today) and a Target Profile (where you want to be) per category, with the gap analysis between them driving the program roadmap.

How CSF maps to other frameworks

NIST publishes informative references — official mappings between CSF subcategories and other standards. The most-used mappings:

For organizations doing audit prep, NIST 800-53 + ISO 27001 are the two most common companion frameworks.

Using CSF 2.0 in board reporting

Most CISOs use CSF as the column headers of their quarterly board scorecard. The dashboard reports current Implementation Tier per function, year-over-year trend, and the top three risks per function. This keeps the conversation strategic rather than tool-by-tool. Board members don't want to hear that you upgraded the SIEM — they want to hear that Detect-function maturity moved from Risk Informed to Repeatable across two specific categories, with the spend that produced it. CSF gives you that structure for free.

When a regulator or auditor asks for a posture summary, the same scorecard usually works without modification. CSF is widely recognized enough that an examiner reads "Detect tier: Repeatable" the same way you intended it.
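To make the Profile mechanism and the scorecard roll-up concrete, here is an added Python sketch (not code from this page or from CISO Game) of a Current/Target gap analysis per category and a per-function tier roll-up. The category IDs and tiers in the sample are constructed data, and the rule that a function reports its weakest category's tier is an assumption for illustration, not something CSF 2.0 prescribes.

```python
from dataclasses import dataclass

# CSF 2.0 Implementation Tiers in maturity order (Tier 1 .. Tier 4)
TIERS = ["Partial", "Risk Informed", "Repeatable", "Adaptive"]


@dataclass
class Profile:
    category: str  # CSF category ID, e.g. "GV.RM"
    current: str   # Current Profile tier for this category
    target: str    # Target Profile tier for this category


def tier_gap(p: Profile) -> int:
    """Tier steps from current to target; negative means already above target."""
    return TIERS.index(p.target) - TIERS.index(p.current)


def roadmap(profiles):
    """Categories still below target, largest gap first: the program roadmap."""
    gaps = [(p.category, tier_gap(p)) for p in profiles if tier_gap(p) > 0]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def function_tier(profiles, function: str) -> str:
    """Scorecard roll-up (assumed rule): a function reports its weakest category."""
    cats = [p for p in profiles if p.category.startswith(function + ".")]
    if not cats:
        raise ValueError(f"no categories assessed for function {function}")
    return min((p.current for p in cats), key=TIERS.index)


def overambitious(profiles) -> bool:
    """Mistake 3 from the page: every category targeted at Adaptive."""
    return all(p.target == "Adaptive" for p in profiles)


# Constructed sample profile, not real assessment data
SAMPLE = [
    Profile("GV.RM", "Risk Informed", "Repeatable"),
    Profile("GV.SC", "Partial", "Repeatable"),
    Profile("DE.CM", "Repeatable", "Repeatable"),
    Profile("DE.AE", "Risk Informed", "Repeatable"),
    Profile("RS.MA", "Adaptive", "Repeatable"),
]

if __name__ == "__main__":
    print("roadmap:", roadmap(SAMPLE))
    for fn in ("GV", "DE", "RS"):
        print(fn, "tier:", function_tier(SAMPLE, fn))
```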

Where CSF 2.0 falls short

CSF describes outcomes but not implementation depth. "Continuous monitoring is performed" (DE.CM-01) is satisfied by a SOC analyst manually reviewing weekly reports OR a fully-automated UEBA stack with sub-minute alert response. The framework treats those as the same outcome. To actually run a program you need either a prescriptive companion framework (CIS Controls, NIST 800-53) or your own internal definition of what "Repeatable" means for each subcategory.

CSF also still under-specifies third-party risk despite the 2.0 expansions. The supply-chain risk subcategories (GV.SC-* series) are necessary but not sufficient — most working programs supplement with a dedicated TPRM framework (e.g., Shared Assessments SIG, ISO 28000) for the operational layer.

How CISO Game models the framework

The simulation's six posture subscores — Detection, Response, Prevention, Identity, Recovery, Awareness — map directly to CSF functions (with Prevention and Awareness as the operational view of Protect). Every investment in the catalog contributes to one or more subscores; every risk in the register is mitigated by specific subscore weights. Playing through a 5-year scenario gives you a concrete feel for which CSF functions move under which kinds of strategic decisions. Start a free run to see it in action.

Common CSF 2.0 mistakes

Three patterns that working CISOs see repeatedly:

  1. Treating CSF as a checklist. The framework is outcome-based. Marking a subcategory "implemented" because you bought a tool is meaningless without the operational evidence behind it (logs being reviewed, alerts being triaged, runbooks being executed).
  2. Ignoring Govern because it's not technical. The Govern function is where most program failures originate. A perfect Detect maturity with a broken Govern function fails at board reporting and audit prep — which means it fails at the conversations that determine budget.
  3. Setting all targets to "Adaptive." Adaptive (Tier 4) is appropriate for a small minority of categories at most organizations. Repeatable (Tier 3) is the realistic target for most programs. Aiming everywhere at Adaptive produces a roadmap nobody can fund or staff.

Related references on this site

CSF 2.0 is the structural backbone of most cybersecurity programs. See how working programs run a risk register against this framework, or play CISO Game to watch the six functions move quarter by quarter.

Frequently asked questions

What is NIST CSF 2.0?

NIST Cybersecurity Framework 2.0 is the 2024-released update to the United States National Institute of Standards and Technology's voluntary cybersecurity framework. It organizes cybersecurity activities into six functions — Govern, Identify, Protect, Detect, Respond, Recover — that together describe an organization's full cybersecurity posture. CSF 2.0 explicitly extends the framework beyond critical infrastructure to apply to organizations of any size and sector.

What's the difference between NIST CSF 1.1 and 2.0?

The headline change is the new Govern function, added as the sixth function. CSF 1.1 had five functions (Identify, Protect, Detect, Respond, Recover); CSF 2.0 promotes governance — risk strategy, oversight, supply chain risk, policy — to a top-level function rather than burying it inside Identify. CSF 2.0 also broadens scope explicitly beyond critical infrastructure, adds online implementation guidance via Quick Start Guides, and aligns more tightly with NIST 800-53 and ISO 27001.

What are the six NIST CSF 2.0 functions?

Govern (GV) — risk management strategy, oversight, supply chain risk, roles and responsibilities. Identify (ID) — asset management, business environment, risk assessment. Protect (PR) — identity management, access control, data security, platform security, awareness and training. Detect (DE) — continuous monitoring, anomaly detection. Respond (RS) — incident management, analysis, mitigation, communication. Recover (RC) — incident recovery plan execution, recovery communications.

How do CISOs actually use NIST CSF in their programs?

Most working CISOs use CSF 2.0 as the structural backbone for board reporting and as a maturity-assessment scaffolding rather than a prescriptive control list. The functions become the columns of the executive scorecard; categories within each function (e.g., GV.RM-01 risk strategy) become the rows. Posture is reported as current-tier (Partial, Risk Informed, Repeatable, Adaptive) per category. CSF doesn't dictate which controls to implement — it tells you which capability buckets a mature program covers.

Is NIST CSF mandatory?

NIST CSF is voluntary for private-sector organizations in the United States. It became mandatory for U.S. federal agencies under Executive Order 13800 (2017). Many regulated sectors (energy, healthcare via HHS HICP, financial services via FFIEC) reference CSF as the baseline for examiner expectations even when not formally mandated. Internationally, the framework has been adopted as guidance in jurisdictions including Israel, Italy, and Japan.
