Cybersecurity briefing · 6 min read · Credibility 90/100

NIST CSF 2.0

NIST Cybersecurity Framework 2.0 dropped with a new Govern function, supply chain risk management focus, and improved implementation guidance. If your security program is built on CSF 1.1, time to update your mappings.

Reviewed for accuracy by Kodi C.


Executive summary. On February 26, 2024 the National Institute of Standards and Technology released version 2.0 of its flagship Cybersecurity Framework (CSF). The update broadens the framework’s audience beyond critical infrastructure to all organizations, introduces a new Govern function that elevates cybersecurity risk management to the board level and emphasizes supply‑chain due diligence, and adds updated implementation guidance, sector profiles, metrics and a reference tool for cross‑mapping to other standards. Security leaders should familiarize themselves with these changes to align existing programs and prepare for audits and procurement.

Overview of CSF 2.0

CSF 2.0 builds on the widely adopted CSF 1.1 to help organizations manage cybersecurity risk across five core functions (Identify, Protect, Detect, Respond and Recover) and now adds a sixth, Govern. According to NIST, CSF 2.0 aims to help all organizations, not just critical infrastructure, achieve cyber maturity. The Govern function emphasizes establishing a cybersecurity strategy, assigning roles and responsibilities, integrating risk appetite into decision‑making and managing supply‑chain risks. CSF 2.0 retains the flexible, outcome‑based structure of its predecessor while updating categories and subcategories, refining implementation tiers and encouraging enterprises to tailor the framework to their own context.

Key changes and improvements

  • New Govern function. CSF 2.0 introduces a sixth function that covers leadership commitment, policy, roles, risk management, governance strategy and supply‑chain risk management. Boards and executives will integrate cybersecurity into business planning and oversight, define risk tolerances and ensure appropriate governance structures.
  • Supply‑chain risk management. Within the new Govern function, CSF 2.0 emphasizes supplier vetting, contract clauses, monitoring and consequence management. Organizations should align with NIST SP 800‑161 Rev. 1 and implement due diligence processes for third‑ and fourth‑party vendors.
  • Expanded scope and updated profiles. The framework extends its applicability to small businesses, education, state/local governments and international teams. New and updated sector profiles (for example, healthcare, energy, manufacturing) provide tailored guidance and benchmarking targets. The public draft included community profiles; CSF 2.0 finalizes these references.
  • Reference tool and cross‑framework mapping. NIST released a digital reference tool that allows organizations to search and export CSF 2.0 core content and to link outcome categories to controls in ISO/IEC 27001, CIS Controls, PCI DSS and other standards. This helps enterprises harmonize compliance efforts and map controls across frameworks.
  • Integration with emerging technologies. CSF 2.0 acknowledges risks posed by artificial intelligence, quantum computing and other emerging technologies. Guidance encourages organizations to assess new technologies through a risk lens and adapt controls as needed.
  • Metrics and continuous improvement. The update emphasizes defining key performance indicators (KPIs) and key risk indicators (KRIs), aligning metrics with organizational goals and using them to drive continuous improvement.

Implications for organizations

Security and risk leaders should review CSF 2.0 and plan updates to charters, budget requests and program documentation. The new Govern function elevates cybersecurity oversight to the board and executive level; board committees may need to adopt charters that reflect governance outcomes and supply‑chain responsibilities. Compliance teams should map CSF 2.0 to existing frameworks and adjust controls as needed, using the reference tool for crosswalks.

Procurement functions must improve vendor intake workflows, risk scoring, contract clauses and ongoing monitoring to meet the supply‑chain guidance. Organizations adopting CSF 2.0 should also identify metrics that reflect both performance and risk appetite, and update dashboards and reporting accordingly. Training and awareness programs should be updated to reflect the new framework and to emphasize the role of leadership in cybersecurity.

Key takeaways

CSF 2.0 is more than an incremental update; it signals a shift toward embedding cybersecurity governance into enterprise risk management. By elevating the governance of cybersecurity to the board level, NIST acknowledges that cyber threats can materially impact business resilience and reputation.

The explicit focus on supply‑chain risk management reflects growing concern over vendor incidents and aligns with other standards such as ISO/IEC 27001 and the NIST AI Risk Management Framework. The reference tool simplifies cross‑framework alignment, reducing audit complexity and enabling organizations to build integrated control architectures. As regulators and insurers now point to CSF 2.0 as a benchmark, early adoption will help organizations show diligence and readiness for future certifications and regulatory requirements.
