NIST CSF 2.0: What Changed, Why It Matters, and How to Update Your Cybersecurity Program [Video + Guide]
Posted: March 14, 2026 to Cybersecurity.
Watch the video above for a quick overview, or read the full guide below for a detailed analysis of NIST CSF 2.0 changes and how to update your cybersecurity program accordingly.
NIST CSF 2.0: The Most Significant Update Since 2014
The National Institute of Standards and Technology released Cybersecurity Framework (CSF) 2.0 in February 2024, marking the most significant update to this foundational cybersecurity framework since its original publication in 2014. CSF 2.0 expands the framework's scope, adds a new core function, and introduces organizational profiles and tiers that help organizations of all sizes improve their cybersecurity posture.
While CSF 1.1 focused primarily on critical infrastructure, CSF 2.0 is explicitly designed for all organizations regardless of size, sector, or cybersecurity maturity. This expanded scope reflects the reality that cybersecurity threats affect every organization, from small businesses to large enterprises, government agencies to nonprofits.
If your organization uses NIST CSF as the foundation for your cybersecurity program, understanding these changes and updating your practices is essential. The transition to CSF 2.0 also impacts organizations pursuing CMMC compliance, as CMMC aligns with NIST frameworks.
The Biggest Change: The GOVERN Function
CSF 2.0 introduces a sixth core function: GOVERN. This is the most significant structural change in the framework. The original five functions — Identify, Protect, Detect, Respond, and Recover — remain, but GOVERN now sits at the center, emphasizing that cybersecurity governance is the foundation upon which all other functions depend.
The GOVERN function includes six categories:
Organizational Context (GV.OC): Understand the organization's mission, stakeholder expectations, and dependencies that affect cybersecurity risk management decisions. This ensures cybersecurity strategy aligns with business objectives.
Risk Management Strategy (GV.RM): Establish and communicate the organization's risk management priorities, constraints, and risk tolerance. Define how cybersecurity risks are assessed, prioritized, and communicated to leadership.
Roles, Responsibilities, and Authorities (GV.RR): Define cybersecurity roles and responsibilities across the organization. Ensure accountability at all levels, from the board and executive leadership through operational staff.
Policy (GV.PO): Establish, communicate, and enforce organizational cybersecurity policies. Policies should be reviewed and updated regularly to reflect changes in the threat landscape and business environment.
Oversight (GV.OV): Use results of cybersecurity risk management activities to inform and adjust the organization's strategy. Conduct regular reviews of cybersecurity posture at the governance level.
Cybersecurity Supply Chain Risk Management (GV.SC): Identify, establish, manage, monitor, and improve supply chain risk management processes. This reflects the growing importance of third-party risk as attacks increasingly target supply chains.
Other Key Changes in CSF 2.0
Expanded Scope: CSF 2.0 explicitly serves all organizations, not just critical infrastructure. The title changed from "Framework for Improving Critical Infrastructure Cybersecurity" to simply "The NIST Cybersecurity Framework." Guidance now includes examples and resources scaled for small businesses.
Organizational Profiles: CSF 2.0 introduces the concept of organizational profiles that describe an organization's current cybersecurity posture (Current Profile) and target posture (Target Profile). Profiles help organizations prioritize improvement actions and communicate cybersecurity status to stakeholders.
Framework Tiers: The four tiers (Partial, Risk Informed, Repeatable, Adaptive) have been refined to better characterize how organizations manage cybersecurity risk. Tiers now more clearly link to governance practices and help organizations assess their maturity.
Improved Guidance: CSF 2.0 includes significantly more implementation guidance, quick-start guides for different audiences, and mapping resources that connect CSF to other frameworks like ISO 27001, CIS Controls, and NIST SP 800-53.
Supply Chain Focus: Supply chain risk management has been elevated throughout the framework, not just in the new GOVERN function. Categories across Identify, Protect, Detect, Respond, and Recover now include supply chain considerations.
How to Update Your Cybersecurity Program for CSF 2.0
Step 1 — Gap Assessment Against GOVERN: The most immediate action is assessing your organization against the new GOVERN function. Most organizations already have some governance practices in place but may not have formalized them according to CSF 2.0 categories. Document your current governance practices and identify gaps.
Step 2 — Create Organizational Profiles: Develop your Current Profile by assessing your implementation of each CSF 2.0 category and subcategory. Create a Target Profile based on your risk tolerance, business requirements, and compliance obligations. The gap between current and target profiles becomes your improvement roadmap.
Step 3 — Update Documentation: Revise your cybersecurity policies, procedures, and plans to align with CSF 2.0 structure and terminology. Update your risk management framework documentation. Revise board and executive reporting to include governance metrics.
Step 4 — Address Supply Chain Risk: If you have not already, establish a supply chain risk management program. Assess critical suppliers and vendors for cybersecurity risks. Include cybersecurity requirements in contracts and procurement processes. Monitor supplier compliance on an ongoing basis.
Step 5 — Train Your Team: Ensure your cybersecurity team, IT staff, and leadership understand the CSF 2.0 changes. Update training materials and security awareness programs. Include governance responsibilities in role-specific training.
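The gap assessment in Step 1 and the Current/Target Profile comparison in Step 2 can be made mechanical. The script below is an added example, not PTG's or NIST's tooling: it scores each GOVERN category on the four Framework Tiers, treats an unassessed category as Partial, and ranks the Current-to-Target gaps into a roadmap. The category IDs and tier names come from CSF 2.0; applying the tier scale per category, the sample profile scores, and the weighting are assumptions made for illustration.

```python
from collections import namedtuple
# Framework Tiers in CSF 2.0, ordered from least to most mature.
TIERS = ["Partial", "Risk Informed", "Repeatable", "Adaptive"]
TIER_LEVEL = {name: i + 1 for i, name in enumerate(TIERS)}

# The six GOVERN categories named in CSF 2.0.
GOVERN_CATEGORIES = {
    "GV.OC": "Organizational Context",
    "GV.RM": "Risk Management Strategy",
    "GV.RR": "Roles, Responsibilities, and Authorities",
    "GV.PO": "Policy",
    "GV.OV": "Oversight",
    "GV.SC": "Cybersecurity Supply Chain Risk Management",
}

GapItem = namedtuple("GapItem", "category current target gap")

def profile_gaps(current, target):
    """Compare a Current Profile to a Target Profile (both {category: tier}).
    A category missing from a profile is treated as Partial (not yet assessed)."""
    items = []
    for cat in GOVERN_CATEGORIES:
        cur, tgt = current.get(cat, "Partial"), target.get(cat, "Partial")
        if cur not in TIER_LEVEL or tgt not in TIER_LEVEL:
            raise ValueError(f"unknown tier for {cat}: {cur!r} / {tgt!r}")
        items.append(GapItem(cat, cur, tgt, TIER_LEVEL[tgt] - TIER_LEVEL[cur]))
    return items

def roadmap(current, target, weights=None):
    """Categories still below target, largest tier gap first; ties broken by an
    optional business weight (e.g. GV.SC for a contractor), then by category ID."""
    weights = weights or {}
    below = [g for g in profile_gaps(current, target) if g.gap > 0]
    return sorted(below, key=lambda g: (-g.gap, -weights.get(g.category, 0), g.category))

def function_tier(profile):
    """Report GOVERN at the tier of its least mature category: one undocumented
    category drags the whole function down, which is the usual governance gap."""
    return TIERS[min(TIER_LEVEL[profile.get(c, "Partial")] for c in GOVERN_CATEGORIES) - 1]

# Constructed sample profiles for a small organization (not real assessment data).
CURRENT_PROFILE = {"GV.OC": "Risk Informed", "GV.RM": "Partial", "GV.RR": "Risk Informed",
                   "GV.PO": "Repeatable", "GV.OV": "Partial"}  # GV.SC never assessed
TARGET_PROFILE = {c: "Repeatable" for c in GOVERN_CATEGORIES}

if __name__ == "__main__":
    for g in roadmap(CURRENT_PROFILE, TARGET_PROFILE, weights={"GV.SC": 2}):
        print(f"{g.category} {GOVERN_CATEGORIES[g.category]}: {g.current} -> {g.target} (+{g.gap})")
    print("GOVERN function currently at tier:", function_tier(CURRENT_PROFILE))
```

With the constructed profiles, the unassessed supply chain category surfaces first, which is why Step 4 matters even when the rest of governance looks mature.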
CSF 2.0 and Other Compliance Frameworks
CMMC Alignment: CMMC maps to NIST SP 800-171, which aligns closely with CSF. The addition of GOVERN in CSF 2.0 reinforces governance practices already expected in CMMC assessments. Organizations pursuing CMMC benefit from adopting CSF 2.0 governance practices.
HIPAA Alignment: HIPAA Security Rule requirements map well to CSF functions. The new GOVERN function aligns with HIPAA's administrative safeguard requirements, including security management, workforce security, and information access management.
ISO 27001: NIST provides official mapping between CSF 2.0 and ISO 27001:2022. Organizations maintaining ISO 27001 certification can use CSF 2.0 as a complementary framework for risk management and improvement planning.
Frequently Asked Questions
Is CSF 2.0 mandatory for my organization?
CSF 2.0 is voluntary for most private-sector organizations, but it is increasingly referenced in regulations, contracts, and cyber insurance requirements. Federal agencies are required to use NIST frameworks. Defense contractors pursuing CMMC align with NIST standards. Even where not mandated, CSF 2.0 provides the most widely recognized structure for building a comprehensive cybersecurity program.
How long do we have to transition from CSF 1.1 to 2.0?
NIST has not set a mandatory transition deadline for voluntary adopters. However, CSF 1.1 is no longer being updated, and all future guidance, tools, and mappings will reference CSF 2.0. Organizations should plan a 6- to 12-month transition timeline, prioritizing the new GOVERN function and organizational profiles.
What is the biggest challenge in adopting CSF 2.0?
For most organizations, the biggest challenge is formalizing governance practices. Many organizations have informal cybersecurity governance but lack documented policies, defined roles, and regular oversight processes. The GOVERN function requires making these practices explicit, documented, and measurable. The technical security controls are often already in place; governance documentation is the gap.
Do small businesses need to implement all of CSF 2.0?
No. CSF 2.0 is designed to be scalable. Small businesses should focus on the categories most relevant to their risk profile, industry, and compliance requirements. NIST provides small business quick-start guides that identify priority actions. Start with identity management, data protection, and incident response basics, then expand as resources allow.
Update Your Cybersecurity Program with PTG
Petronella Technology Group helps organizations transition to NIST CSF 2.0 and build cybersecurity programs that meet today's threat landscape. Our cybersecurity consulting services include CSF gap assessments, governance framework development, organizational profile creation, and ongoing managed security services. We align your CSF implementation with CMMC, HIPAA, and other compliance requirements.
Modernize your cybersecurity framework. Contact PTG today for a CSF 2.0 readiness assessment. For ongoing education, visit our Training Academy.