Tags: NIST CSF, Cybersecurity Framework, Risk Management, ISO 27001, Compliance

NIST CSF 2.0 Guide 2026: What Changed and How to Use It

GRCadia Team·April 13, 2026

This article is for informational purposes only. GRCadia is not a law firm and does not provide legal or certification advice. Content is based on publicly available regulatory and standards guidance. Organisations should consult a qualified legal professional or accredited certification body for advice specific to their situation.

The National Institute of Standards and Technology released version 2.0 of its Cybersecurity Framework in February 2024 — the first major update since the framework launched in 2014. If you are using CSF 1.1 today, this guide walks you through what changed, why it matters, and how to apply the new version in your organisation.

What Is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a voluntary guidance document published by the U.S. National Institute of Standards and Technology. It gives organisations a structured way to manage cybersecurity risk — not by prescribing specific technical controls, but by providing a common language and organising structure that works across industries and company sizes.

Since 2014, CSF has been one of the most widely adopted cybersecurity frameworks globally. It is used by government agencies, critical infrastructure operators, financial institutions, healthcare organisations, and technology companies. According to NIST, the framework has been downloaded millions of times and is referenced in policy and regulation across more than 50 countries.

CSF 2.0 builds on that foundation rather than replacing it. The core philosophy — identify your assets, protect them, detect threats, respond to incidents, recover from disruption — remains intact. What changed is the scope, structure, and practical guidance around how organisations apply it.

What Changed in CSF 2.0

1. A New Core Function: Govern

The most significant structural change in CSF 2.0 is the addition of a sixth Core Function: Govern.

CSF 1.1 had five functions: Identify, Protect, Detect, Respond, Recover. These focused on operational security activities. What was missing was explicit guidance on the organisational and leadership structures that make those activities work — how cybersecurity decisions get made, who is accountable, how risk appetite is set, and how security connects to business strategy.

CSF 2.0 adds Govern to address this gap. The Govern function covers:

  • Organisational context and mission alignment
  • Risk management strategy and appetite
  • Roles, responsibilities, and accountability
  • Policies, processes, and oversight
  • Cybersecurity supply chain risk management

In practice, Govern acts as the foundation for everything else. It answers the question: who decides, and based on what criteria? Without it, organisations can have strong technical controls but fragmented ownership, inconsistent risk decisions, and no clear connection between security activity and business objectives.

2. Expanded Scope — Not Just Critical Infrastructure

CSF 1.1 was originally developed for U.S. critical infrastructure sectors. In practice, it spread far beyond that, but the language and framing still implied a particular audience.

CSF 2.0 explicitly positions itself as a framework for all organisations, regardless of size, sector, or geography. The updated text removes critical-infrastructure-specific framing and replaces it with guidance that works for small businesses, government agencies, non-profits, and multinational enterprises alike.

3. Revised Tiers — Focus on Risk Management Maturity

The four Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) remain in CSF 2.0, but their framing has shifted.

In CSF 1.1, tiers were sometimes interpreted as maturity levels — higher was better. CSF 2.0 clarifies that tiers describe how an organisation integrates cybersecurity risk management into its broader risk management practices. A Tier 2 organisation is not failing; it may simply be at a stage appropriate for its size, risk environment, and resources.

4. Profiles — Before and After, Not Just Current State

Profiles in CSF 1.1 allowed organisations to document their current cybersecurity posture. CSF 2.0 expands this with the concept of Current Profiles and Target Profiles used together to drive a gap analysis and improvement roadmap.

A Current Profile describes where you are. A Target Profile describes where you need to be, based on your risk appetite, regulatory requirements, and business objectives. The gap between the two becomes your action plan.

5. Cybersecurity Supply Chain Risk Management

Supply chain risk was a secondary consideration in CSF 1.1. CSF 2.0 elevates it significantly, moving supply chain risk management into the Govern function and expanding guidance throughout the framework.

For organisations that manage vendors, process customer data through third parties, or rely on cloud and SaaS providers, this is one of the most practically significant changes in the new version.

The CSF 2.0 Core: Six Functions at a Glance

Function: What It Covers

  • Govern: Risk strategy, accountability, policies, oversight, supply chain governance
  • Identify: Asset management, risk assessment, business environment understanding
  • Protect: Access control, data security, training, secure configuration
  • Detect: Continuous monitoring, anomaly detection, event logging
  • Respond: Incident response planning, communications, mitigation
  • Recover: Recovery planning, improvements, communications during recovery

How to Apply CSF 2.0 in Practice

Step 1 — Establish Your Organisational Context (Govern)

Before assessing controls, document the basics: what does your organisation do, what data and systems are critical to that mission, who is accountable for cybersecurity decisions, and what level of risk is acceptable?

Step 2 — Build Your Current Profile

Work through the CSF functions and categories. For each subcategory, assess whether it is fully implemented, partially implemented, or not implemented in your organisation. Be honest — the purpose of a Current Profile is not to demonstrate compliance, it is to give you an accurate picture of where you stand.

Step 3 — Define Your Target Profile

Based on your risk appetite, regulatory requirements, and business objectives, define where you need to be. Not every organisation needs to be at the same level across every category.

Step 4 — Gap Analysis and Prioritisation

The difference between your Current and Target profiles is your gap. Prioritise gaps based on risk — which gaps leave you most exposed to the threats most likely to affect your organisation? Document this as a risk register with ownership, timelines, and resource requirements.

Step 5 — Implement, Monitor, Repeat

CSF is not a one-time exercise. Implement your priority actions, monitor effectiveness, and reassess on a defined schedule.
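Steps 2 to 4 above are mechanical once the assessments exist: score each outcome in the Current Profile, set its Target Profile level, compute the gap, and rank the gaps by risk. The script below is an added example written for this guide; it is not GRCadia's workbook and not NIST material. The outcome identifiers follow the CSF 2.0 category naming pattern (GV.RM, PR.AA and so on) but are used only as labels, and the implementation levels, 5x5 likelihood-by-impact scores, banding thresholds and owners are constructed assumptions for illustration.

```python
"""Added example: CSF 2.0 Current-vs-Target Profile gap analysis with
risk-based prioritisation. Not GRCadia's workbook or NIST code; the outcome
IDs, scores, thresholds and owners below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Implementation levels used when building the Current and Target Profiles.
LEVELS: Dict[str, int] = {
    "not implemented": 0,
    "partially implemented": 1,
    "fully implemented": 2,
}


@dataclass(frozen=True)
class Assessment:
    outcome: str      # CSF outcome identifier (category or subcategory)
    function: str     # GV, ID, PR, DE, RS or RC
    current: str      # level today (Current Profile)
    target: str       # level required by risk appetite/regulation (Target Profile)
    likelihood: int   # 1..5, how likely the relevant threat is to materialise
    impact: int       # 1..5, consequence if it does
    owner: str        # accountable owner (Govern: roles and responsibilities)


@dataclass(frozen=True)
class GapItem:
    outcome: str
    function: str
    gap: int          # number of levels between current and target
    risk_score: int   # likelihood x impact on a 5x5 matrix (1..25)
    priority: str     # high / medium / low band
    owner: str


def risk_band(score: int) -> str:
    """Band a 5x5 matrix score; the thresholds are an assumption for this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def _validate(a: Assessment) -> None:
    """Reject unknown levels and out-of-range scores before they skew the ranking."""
    for level in (a.current, a.target):
        if level not in LEVELS:
            raise ValueError(f"{a.outcome}: unknown level {level!r}")
    for name, value in (("likelihood", a.likelihood), ("impact", a.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{a.outcome}: {name} must be 1..5, got {value}")


def gap_analysis(assessments: List[Assessment]) -> List[GapItem]:
    """Return only outcomes below target, ordered by risk score, then gap size."""
    gaps: List[GapItem] = []
    for a in assessments:
        _validate(a)
        gap = LEVELS[a.target] - LEVELS[a.current]
        if gap <= 0:
            continue  # at or above target: nothing to plan
        score = a.likelihood * a.impact
        gaps.append(GapItem(a.outcome, a.function, gap, score, risk_band(score), a.owner))
    # Highest risk first; ties broken by larger gap, then by identifier.
    gaps.sort(key=lambda g: (-g.risk_score, -g.gap, g.outcome))
    return gaps


def over_target(assessments: List[Assessment]) -> List[str]:
    """Outcomes implemented beyond their target: candidates for reallocating effort."""
    return [a.outcome for a in assessments if LEVELS[a.current] > LEVELS[a.target]]


def gaps_by_function(gaps: List[GapItem]) -> Dict[str, int]:
    """Count open gaps per Core Function to show where the plan concentrates."""
    return dict(Counter(g.function for g in gaps))


def risk_register(gaps: List[GapItem]) -> str:
    """Render the prioritised gaps as a plain-text register with owners."""
    lines = ["priority  score  gap  outcome  owner"]
    for g in gaps:
        lines.append(f"{g.priority:<8}  {g.risk_score:>5}  {g.gap:>3}  {g.outcome:<7}  {g.owner}")
    return "\n".join(lines)


# Constructed sample profile (not real assessment data).
SAMPLE: List[Assessment] = [
    Assessment("GV.RM", "GV", "not implemented", "fully implemented", 4, 5, "CISO"),
    Assessment("GV.SC", "GV", "not implemented", "partially implemented", 3, 4, "Procurement"),
    Assessment("ID.AM", "ID", "partially implemented", "fully implemented", 3, 3, "IT Ops"),
    Assessment("PR.AA", "PR", "partially implemented", "fully implemented", 4, 4, "IT Ops"),
    Assessment("PR.AT", "PR", "fully implemented", "partially implemented", 1, 2, "HR"),
    Assessment("DE.CM", "DE", "fully implemented", "fully implemented", 2, 4, "SOC"),
    Assessment("RS.MA", "RS", "partially implemented", "partially implemented", 3, 5, "SOC"),
    Assessment("RC.RP", "RC", "not implemented", "partially implemented", 2, 2, "IT Ops"),
]

if __name__ == "__main__":
    open_gaps = gap_analysis(SAMPLE)
    print(risk_register(open_gaps))
    print("open gaps per function:", gaps_by_function(open_gaps))
    print("above target:", over_target(SAMPLE))
```

Two design points carry over to a real programme: the ranking key puts likelihood-times-impact ahead of gap size, so a one-level gap on a high-risk outcome outranks a two-level gap on a low-risk one, which is the prioritisation Step 4 asks for; and outcomes already above their target are reported separately rather than silently dropped, because Step 3 expects different levels for different categories and effort spent past the target is a finding in its own right.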

CSF 2.0 and Other Frameworks

CSF 2.0 is designed to work alongside other frameworks, not replace them. NIST publishes reference mappings between CSF and ISO/IEC 27001, SOC 2, HIPAA Security Rule, and PCI DSS. If you are already working toward ISO 27001 certification, your ISMS documentation and risk treatment work maps directly to CSF functions.

Common Mistakes When Implementing CSF 2.0

  • Treating it as a checklist. CSF is an outcomes-based framework. The subcategories describe what good looks like, not a list of boxes to tick.
  • Skipping Govern. Starting with Govern — establishing accountability, risk appetite, and strategic context — makes every other function more focused and actionable.
  • Aiming for Tier 4 across the board. For most organisations, Tier 2 or Tier 3 across priority areas is a realistic and defensible target.

Getting Started with Your Risk Assessment

The foundation of any CSF 2.0 implementation is a structured risk assessment — identifying your assets, mapping threats, assessing likelihood and impact, and defining treatment actions.

GRCadia's Enterprise Risk Assessment Workbook gives you a ready-to-use framework: asset register, threat catalogue, 5x5 risk matrix, treatment plan, and dashboard — fully editable in Excel, ready to populate on day one.
