What Is NIST CSF 2.0?
The short answer
NIST CSF 2.0 is the National Institute of Standards and Technology Cybersecurity Framework, Version 2.0, published February 26, 2024 as NIST CSWP 29. It is a voluntary set of cybersecurity outcomes organized into six Functions — Govern, Identify, Protect, Detect, Respond, and Recover — designed to help organizations of any size or sector manage and reduce cyber risk. CSF 2.0 expanded the original five-function model from 2014 by adding Govern as a new top-level Function covering enterprise risk strategy, oversight, and supply-chain accountability.
The longer answer
The Cybersecurity Framework was first published by NIST in February 2014 (Version 1.0) under Executive Order 13636, then revised to Version 1.1 in April 2018. Version 2.0 — released on February 26, 2024 — is the first major architectural change since the framework's debut and the first version explicitly scoped beyond U.S. critical infrastructure to organizations of all sizes and sectors, including industry, government, academia, and nonprofit.
The headline change is the addition of the Govern (GV) Function. CSF 1.1 had five Functions: Identify, Protect, Detect, Respond, Recover. CSF 2.0 has six, with Govern positioned as the connective tissue that informs the other five. Govern covers cybersecurity strategy, organizational context, supply-chain risk management, roles and responsibilities, policy, and oversight. This was a direct response to a decade of post-2014 incidents — SolarWinds (2020), Colonial Pipeline (2021), Log4Shell (CVE-2021-44228), MOVEit (CVE-2023-34362) — in which the dominant failure mode was governance and third-party risk, not missing technical controls.
The framework's Core is structured as Functions → Categories → Subcategories. CSF 2.0 contains 6 Functions, 22 Categories, and 106 Subcategories (down from CSF 1.1's 23 Categories and 108 Subcategories, after consolidation). Each Subcategory is mapped to Informative References — concrete controls from sources such as NIST SP 800-53 Rev. 5, ISO/IEC 27001:2022, CIS Controls v8, and COBIT 2019. NIST maintains these mappings in the online CSF 2.0 Reference Tool rather than baking them into the static PDF, which is itself a change from earlier versions.
CSF 2.0 also formalizes Profiles and Tiers. A Profile describes an organization's current or target cybersecurity posture across the Core; Tiers (Partial, Risk Informed, Repeatable, Adaptive) describe the rigor of cyber risk governance and management practices. NIST published Community Profiles alongside CSF 2.0 — including a Small Business Quick-Start Guide (NIST SP 1300) — to reduce the framework's notorious accessibility gap for non-enterprise adopters.
The framework is voluntary and outcome-based. It does not prescribe specific tools, vendors, or technologies, and it is not itself a certification. Alignment with CSF is typically asserted through self-assessment or third-party attestation rather than a NIST-issued certificate. This distinguishes CSF from ISO/IEC 27001 (which has a formal certification scheme) and from regulatory regimes such as the HIPAA Security Rule or PCI DSS 4.0.
CSF 2.0 has been formally referenced or adopted by U.S. federal guidance (CISA Cybersecurity Performance Goals), the Department of Defense Cybersecurity Maturity Model Certification (CMMC) program, and a growing number of state-level breach-notification and critical-infrastructure statutes. International adoption is significant: ENISA, the U.K. NCSC, and Japan's IPA all maintain CSF crosswalks, and the Bank of Italy referenced CSF in its 2023 supervisory guidance on ICT risk.
For practitioners, the practical reading of CSF 2.0 is: it is the lingua franca for cybersecurity program structure. Board-level risk discussions, regulator inquiries, cyber insurance underwriting questionnaires, and vendor security reviews increasingly assume the six-Function vocabulary. An organization that cannot articulate where it sits on Govern, Identify, Protect, Detect, Respond, and Recover is now operating below the implicit baseline.
Key facts
- NIST CSF 2.0 was published February 26, 2024 as NIST CSWP 29 (NIST Cybersecurity White Paper 29).
- CSF 2.0 has 6 Functions: Govern, Identify, Protect, Detect, Respond, Recover — up from 5 in CSF 1.1 (NIST CSWP 29, §2.1).
- The Govern (GV) Function is new in 2.0 and covers organizational context, risk strategy, roles, policy, oversight, and cybersecurity supply-chain risk management (NIST CSWP 29, §2.1.1).
- CSF 2.0's Core contains 22 Categories and 106 Subcategories, mapped to Informative References including NIST SP 800-53 Rev. 5 and ISO/IEC 27001:2022 (NIST CSF 2.0 Reference Tool).
- CSF 2.0 is explicitly scoped to organizations of all sizes and sectors — not just U.S. critical infrastructure as in CSF 1.0 (Executive Order 13636, Feb 2013).
- NIST published a Small Business Quick-Start Guide as NIST SP 1300 to accompany CSF 2.0 (NIST SP 1300, 2024).
- CSF defines four Implementation Tiers: Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive (NIST CSWP 29, §3.2).
- CSF 2.0 supersedes CSF 1.1 (April 2018) but does not deprecate Subcategory IDs already in use — many were preserved or remapped for backward compatibility (NIST CSWP 29, Appendix A).
- CSF is voluntary; there is no NIST-issued certification, unlike ISO/IEC 27001:2022 which has a formal accredited certification scheme (ISO/IEC 17021-1).
- The U.S. CMMC program (32 CFR Part 170, final rule October 15, 2024) draws its control set from NIST SP 800-171 Rev. 2, which itself maps to CSF Functions.
Sources
- NIST Cybersecurity Framework 2.0 (CSWP 29) — doi.org/10.6028/NIST.CSWP.29
- NIST CSF 2.0 landing page — nist.gov/cyberframework
- NIST CSF 2.0 Reference Tool — csrc.nist.gov
- NIST SP 1300, Small Business Quick-Start Guide
- NIST SP 800-53 Rev. 5, Security and Privacy Controls
- ISO/IEC 27001:2022 — iso.org/standard/27001
- Executive Order 13636 (Feb 12, 2013)
- DoD CMMC Final Rule, 32 CFR Part 170 — federalregister.gov