NIST CSF 2.0: What's New & Key Changes from Version 1.1
Quick Answer
NIST CSF 2.0 (released February 2024) adds a sixth core function (Govern), expands scope to all organizations (not just critical infrastructure), enhances supply chain risk management, introduces community profiles, and adds implementation examples. It is the first major update since the framework launched in 2014.
NIST CSF 2.0 Overview
NIST CSF 2.0, released in February 2024, is the first major revision of the Cybersecurity Framework since its initial publication in 2014. It reflects a decade of community feedback, evolving threats, and lessons learned from widespread adoption. The update is significant but evolutionary — organizations using CSF 1.1 will find the core concepts familiar.
Key Takeaways
- New sixth function: Govern (GV) — establishes cybersecurity governance and strategy
- Scope expanded from 'critical infrastructure' to ALL organizations regardless of sector or size
- Enhanced supply chain risk management integrated throughout (especially in Govern)
- New: Community Profiles provide sector-specific and use-case-specific starting points
- New: Implementation Examples and Quick Start Guides for easier adoption
- CSF 2.0 has 6 functions, 22 categories, and 106 subcategories (CSF 1.1 had 5 functions, 23 categories, and 108 subcategories)
The Govern Function
The most significant change in CSF 2.0 is the addition of Govern (GV) as a sixth core function. Govern establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy. It recognizes that effective cybersecurity requires organizational support from the top.
| Category | ID | Focus |
|---|---|---|
| Organizational Context | GV.OC | Mission, stakeholder expectations, legal/regulatory requirements |
| Risk Management Strategy | GV.RM | Risk priorities, risk appetite, strategic risk decisions |
| Roles & Responsibilities | GV.RR | Cybersecurity roles, accountability, authority |
| Policy | GV.PO | Cybersecurity policy establishment and communication |
| Oversight | GV.OV | Governance and review of risk management activities |
| Supply Chain Risk Mgmt | GV.SC | Supply chain risk identification, assessment, and response |
❗ Govern is foundational, not optional
While NIST CSF is voluntary, the Govern function is designed to be the foundation for all other functions. Without governance, risk strategy, and organizational commitment, the other five functions lack direction and support. NIST emphasizes that Govern should be addressed first.
Expanded Scope
CSF 1.0/1.1 was titled "Framework for Improving Critical Infrastructure Cybersecurity." CSF 2.0 drops the critical infrastructure focus, explicitly stating it is designed for all organizations regardless of type, size, or sector.
Scope: CSF 1.1 vs CSF 2.0
| Feature | CSF 1.1 | CSF 2.0 |
|---|---|---|
| Title | Framework for Improving Critical Infrastructure Cybersecurity | The NIST Cybersecurity Framework 2.0 |
| Target audience | Critical infrastructure organizations | All organizations of any type, size, or sector |
| Small business guidance | Limited | Dedicated quick-start guides for SMBs |
| International adoption | Referenced but US-focused | Explicitly designed for global use |
| Sector-specific guidance | General informative references | Community Profiles for specific sectors |
Supply Chain Risk Management
Supply chain risk management is significantly elevated in CSF 2.0. It moves from a few subcategories in 1.1 to an entire category (GV.SC) within the Govern function, reflecting the growing threat of supply chain attacks.
New Resources in CSF 2.0
- Implementation Examples: Practical examples showing how to implement each subcategory in real-world scenarios
- Quick Start Guides: Simplified guides for different audiences (small businesses, enterprise, specific industries)
- Community Profiles: Pre-built profiles for specific sectors, use cases, and technologies
- CSF 2.0 Reference Tool: Interactive online tool for exploring the framework and mapping to other standards
- Informative References: Updated mappings to current standards (ISO/IEC 27001:2022, NIST SP 800-53 Rev. 5, CIS Controls v8)
Migrating from CSF 1.1 to 2.0
CSF 1.1 to 2.0 migration steps:
1. Review the structural changes. Map your existing 1.1 assessments to the new 2.0 structure. Most subcategories carry forward with some reorganization.
2. Address the Govern function. Assess your current governance capabilities against the six GV categories. This is likely where you will find the most new gaps.
3. Update supply chain risk management. Enhance your third-party risk management practices to align with the new GV.SC category.
4. Refresh your profiles. Update Current and Target Profiles to use the CSF 2.0 subcategory structure.
5. Leverage new resources. Use implementation examples, community profiles, and quick-start guides to improve your approach.
CSF 2.0 by the numbers
| Count | Element | Change from CSF 1.1 |
|---|---|---|
| 6 | Core Functions | Up from 5 with the addition of Govern |
| 22 | Categories | Reorganized from 23 in CSF 1.1 |
| 106 | Subcategories | Refined from 108 in CSF 1.1 |
| 10 years | Since original publication | CSF 2.0 reflects a decade of lessons learned |
Is CSF 1.1 still valid?
CSF 2.0 supersedes CSF 1.1, and NIST encourages all organizations to adopt 2.0. However, there is no mandatory migration deadline since NIST CSF is voluntary. Organizations using 1.1 should plan to transition to 2.0 to benefit from updated guidance and maintain relevance.
Do I need to start over if I am using CSF 1.1?
No. CSF 2.0 is evolutionary, not revolutionary. Most subcategories from 1.1 carry forward in 2.0. The primary new work is addressing the Govern function and updating your profiles to the new structure.
What is the biggest practical change?
The addition of the Govern function and the emphasis on cybersecurity governance. This requires organizations to formalize their cybersecurity strategy, risk tolerance, roles, and oversight at the organizational level — not just the IT level.
How do community profiles work?
Community Profiles are pre-built NIST CSF profiles tailored for specific sectors or use cases. They identify the most relevant subcategories and recommended implementation levels. Organizations use them as a starting point and customize based on their specific needs.