NIST published the final Cybersecurity Framework 2.0 on 26 February 2024. It is the first major revision of the framework since its initial publication in 2014 and represents a decade of accumulated feedback and implementation experience. If your security strategy, board reporting, or risk management framework references NIST CSF, this is what changed and what you should do.
What Changed in the Final Version
The new Govern function is confirmed — the most significant structural change from CSF 1.1 to 2.0. GOVERN is now the sixth core function, sitting alongside Identify, Protect, Detect, Respond, and Recover. The Govern function consolidates governance-related subcategories that were previously scattered across the framework (particularly in Identify) and adds new subcategories addressing risk management strategy, supply chain risk management, and cybersecurity programme oversight.
The framework explicitly expands its audience beyond critical infrastructure to all organisations and sectors. The title itself changed from “Framework for Improving Critical Infrastructure Cybersecurity” to simply “Cybersecurity Framework.” The language throughout has been updated to reflect this broader scope.
Implementation examples and quick start guides have been added as companion resources — practical guidance for different organisation types (small businesses, enterprise, government) on how to apply the framework proportionately. These resources were not part of CSF 1.1 and address a common criticism that the original framework was too abstract for smaller organisations to implement without significant external support.
Supply chain risk management is substantially expanded — appearing in the Govern function as a first-class category with specific subcategories covering supplier identification and assessment, supply chain risk management plans, and supplier incident response.
What Did Not Change
The core five functions remain and their fundamental character is unchanged. Organisations that have built programmes against CSF 1.1 will find the transition relatively manageable — the Govern function formalises governance activities that mature organisations already have, and the supply chain expansion formalises supply chain activities that are increasingly standard in mature security programmes. CSF 2.0 is an evolution, not a replacement.
How to Update Your Programme
Three practical steps for organisations referencing CSF 1.1 in their security programme documentation:
First, update references in strategy and policy documents from CSF 1.1 to CSF 2.0. This is straightforward documentation maintenance.
Second, assess your programme against the new Govern function. If you have a board-approved cybersecurity risk management strategy, defined roles and accountabilities, and documented supply chain risk management — you are largely there. If any of these are absent or undocumented, CSF 2.0’s Govern function provides a structured framework for building them.
Third, review your supply chain risk management practices against the expanded CSF 2.0 supply chain subcategories. The expanded requirements may surface gaps in how you assess, document, and manage supply chain cybersecurity risks.
At Bitsecura, we help organisations update their security programmes to reflect CSF 2.0 — assessing against the new Govern function, identifying gaps, and updating strategy and roadmap documentation. If you want to ensure your programme reflects the current standard, reach out here.
Bitsecura provides NIST CSF-aligned cybersecurity strategy and advisory services. Learn more about our NIST CSF services.