NIST CSF 2.0: What Changed and How to Transition
Understand the key changes in NIST Cybersecurity Framework 2.0, including the new Govern function, expanded scope, and practical steps for transitioning from CSF 1.1.
The Next Generation of the CSF
In February 2024, NIST released version 2.0 of the Cybersecurity Framework, the first major update since the original 2014 release and 1.1 update in 2018. CSF 2.0 represents a significant evolution, introducing a new core function, expanding the framework's scope, and providing enhanced implementation guidance.
This guide covers the key changes and practical steps for organizations transitioning from CSF 1.1 to 2.0.
Key Changes in CSF 2.0
1. New GOVERN Function
The most significant change is the addition of a sixth core function: GOVERN.
What GOVERN covers:
- Organizational Context (GV.OC)
- Risk Management Strategy (GV.RM)
- Roles, Responsibilities, and Authorities (GV.RR)
- Policy (GV.PO)
- Oversight (GV.OV)
- Cybersecurity Supply Chain Risk Management (GV.SC)

Why it matters: In CSF 1.1, governance was a single category buried inside Identify (ID.GV). GOVERN elevates it to a first-class function that sits alongside, and informs how the organization carries out, the other five. It makes explicit that cybersecurity risk is a leadership and enterprise-risk responsibility, not only a technical one.
2. Expanded Scope
CSF 2.0 explicitly applies to organizations of all types:
- All sizes (not just critical infrastructure)
- All sectors (private, public, nonprofit)
- All maturity levels (from starting out to advanced)
The title itself changed from "Framework for Improving Critical Infrastructure Cybersecurity" to simply "Cybersecurity Framework."
3. Enhanced Supply Chain Risk Management
Supply chain security, which CSF 1.1 treated as a category within Identify (ID.SC), is now positioned within GOVERN as GV.SC, with more outcomes covering supplier prioritization, contract requirements, and ongoing monitoring. This reflects the growing importance of third-party risk management.
4. Restructured Categories and Subcategories
CSF 2.0 reorganizes outcomes with updated language and structure:
- Some categories consolidated
- New categories added (for example, Improvement (ID.IM) under Identify, and Platform Security (PR.PS) and Technology Infrastructure Resilience (PR.IR) under Protect)
- Subcategories refined and modernized (for example, Access Control (PR.AC) became Identity Management, Authentication, and Access Control (PR.AA))
- Updated to reflect the current threat landscape
5. Improved Implementation Guidance
CSF 2.0 provides significantly more implementation support:
- Quick-start guides for different use cases
- Community Profile templates
- Implementation examples
- Enhanced Informative References
Comparing CSF 1.1 and 2.0
| Aspect | CSF 1.1 | CSF 2.0 |
|--------|---------|---------|
| Core Functions | 5 | 6 (added GOVERN) |
| Target Audience | Critical infrastructure | All organizations |
| Supply Chain | Part of Identify (ID.SC) | Elevated to GOVERN (GV.SC) |
| Implementation Guidance | Limited | Extensive |
| Profiles | Brief treatment | Enhanced guidance |
| Governance | Distributed | Centralized in GOVERN |
Transition Steps
Step 1: Understand the New Structure
Before mapping existing work, understand CSF 2.0's structure:
- Review the six functions and their categories
- Understand how GOVERN relates to existing practices
- Note category and subcategory changes
Step 2: Map Existing CSF 1.1 Work
Your CSF 1.1 implementation doesn't become obsolete. Map it to 2.0:
- Asset Management (ID.AM) and Risk Assessment (ID.RA) remain in Identify
- Business Environment (ID.BE), Governance (ID.GV), and Risk Management Strategy (ID.RM) moved to GOVERN
- Supply Chain Risk Management (ID.SC) is consolidated under GOVERN as GV.SC
- Detect, Respond, and Recover keep their function-level scope, but categories were reorganized, so check each subcategory rather than assuming a one-to-one match

NIST publishes a CSF 1.1-to-2.0 mapping alongside the 2.0 release; use it as the starting point rather than building your own crosswalk from scratch.
Step 3: Assess GOVERN Function Gaps
The GOVERN function likely reveals gaps:
- Is cybersecurity strategy formally documented?
- Are roles and responsibilities clearly defined?
- Is there leadership oversight of cybersecurity?
- Is supply chain risk formally managed?
Step 4: Update Profiles
Revise Current and Target Profiles:
- Update to CSF 2.0 structure
- Incorporate GOVERN outcomes
- Reassess priorities with new context
- Use NIST's profile templates
Step 5: Leverage New Resources
Take advantage of CSF 2.0's expanded guidance:
- Quick-start guides for your organization type
- Implementation examples
- Updated Informative References
- Community Profiles for your sector
GOVERN Function Deep Dive
The new GOVERN function deserves special attention:
GV.OC - Organizational Context
Understanding the organization's mission, stakeholders, and legal/regulatory requirements.
Key outcomes:
- Organizational mission understood
- Internal and external stakeholders identified
- Legal and regulatory requirements identified
- Critical objectives determined
GV.RM - Risk Management Strategy
Establishing and communicating the organization's cybersecurity risk management priorities.
Key outcomes:
- Risk appetite established
- Risk tolerance documented
- Risk management process established
- Strategic direction communicated
GV.RR - Roles, Responsibilities, and Authorities
Establishing cybersecurity roles and responsibilities.
Key outcomes:
- Leadership accountability defined
- Roles and responsibilities established
- Adequate resources allocated
- Cybersecurity included in human resource practices
GV.PO - Policy
Establishing, communicating, and enforcing cybersecurity policy.
Key outcomes:
- Policy based on organizational context
- Policy communicated and understood
- Policy reviewed and updated
- Policy implementation verified
GV.OV - Oversight
Ensuring ongoing review and adjustment of the cybersecurity program.
Key outcomes:
- Cybersecurity strategy reviewed
- Risk posture assessed
- Performance measured
- Adjustments made based on findings
GV.SC - Cybersecurity Supply Chain Risk Management
Managing supply chain cybersecurity risks.
Key outcomes:
- Supply chain risk management program established
- Suppliers and partners identified and prioritized
- Contracts address cybersecurity requirements
- Suppliers assessed and monitored over the relationship
Timeline Considerations
There's no mandated transition deadline, since the CSF itself is voluntary. However:
- New implementations should start from CSF 2.0 rather than 1.1
- Existing programs should plan a transition rather than indefinitely maintaining a 1.1 profile
- Regulatory or contractual requirements that reference the CSF may specify a version
- Business partners and customers may request 2.0 alignment
Related Resources
- [NIST Cybersecurity Framework 2.0 Overview](/kb/nist-cybersecurity-framework-20-overview)
- [NIST CSF Implementation Tiers](/kb/nist-csf-implementation-tiers)
- [NIST CSF Profiles](/kb/nist-csf-profiles)
- [NIST CSF Mapping to Other Frameworks](/kb/nist-csf-mapping-to-other-frameworks)
This article provides general guidance on transitioning to NIST CSF 2.0. Organizations should consult the official NIST publications for authoritative guidance.