NIST is finalising version 2.0 of the Cybersecurity Framework, expected to be published in early 2024. The update is the most significant revision since the framework’s original publication in 2014, and it introduces changes that reflect a decade of practical implementation experience, feedback from thousands of organisations, and the evolution of the cybersecurity landscape. If your security programme references NIST CSF 1.1, you need to understand what is changing.
The Biggest Change: A New Govern Function
The most substantive change in CSF 2.0 is the addition of a sixth core function: GOVERN. The original five functions — Identify, Protect, Detect, Respond, Recover — were expanded from a criticism that the original framework underemphasised governance and organisational context. CSF 2.0 addresses this directly by elevating governance from subcategories within Identify to its own dedicated function.
The Govern function covers: organisational context (mission, objectives, legal requirements); risk management strategy (risk appetite, tolerance, priorities); cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy and oversight; and cybersecurity programme improvement. The addition of Govern reflects a widespread recognition that governance failures — boards not engaging with cybersecurity, risk appetite not defined, accountability not assigned — are at the root of many security programme failures.
Expanded Scope: Beyond Critical Infrastructure
CSF 1.1 was primarily designed for US critical infrastructure sectors, though it was adopted widely across other industries. CSF 2.0 explicitly broadens the scope — it is designed for organisations of all sizes and in all sectors, not just critical infrastructure. The framework has been updated to reflect this broader intended audience, with clearer guidance on how smaller organisations and non-critical-infrastructure entities should apply it.
Supply Chain Risk Management: More Prominent
Supply chain risk management appears more prominently in CSF 2.0 than in 1.1 — reflecting the supply chain attacks that have defined the threat landscape since 2020. The new Govern function includes supply chain risk management as a distinct category, and the framework provides more detailed guidance on supplier assessment, contractual requirements, and supply chain incident response.
What Organisations Should Do Now
For organisations that currently reference CSF 1.1 in their security programme documentation — security strategies, risk management frameworks, board reporting — the transition to 2.0 requires updating those references and assessing whether the new Govern function reveals gaps in their current programme.
Most organisations with mature security programmes will find that the Govern function covers capabilities they already have — board oversight, risk appetite documentation, defined roles and responsibilities. The value of the explicit Govern function is in surfacing governance gaps in organisations that have these capabilities in outline but not in a consistent, documented form that the framework can assess against.
At Bitsecura, we are preparing to update our NIST CSF-aligned strategy and assessment work to reflect CSF 2.0 on publication. If you want to understand the implications of CSF 2.0 for your security programme, or want to begin the transition ahead of the final publication, reach out here.
Bitsecura provides NIST CSF-aligned cybersecurity strategy and advisory services. Learn more about our NIST CSF services.