The National Institute of Standards and Technology released version 2.0 of the Cybersecurity Framework in February 2024, marking the first major revision since the framework’s original publication in 2014 and its minor update to version 1.1 in 2018. The changes are significant. Organizations that built their cybersecurity programs around CSF 1.1 need to understand what shifted, what was added, and how to adjust their implementation accordingly.
What Changed from CSF 1.1 to 2.0
The most visible change is structural: CSF 2.0 introduces a sixth core function called Govern, elevating cybersecurity governance from a background concern to a first-class element of the framework. But the revisions go deeper than that.
Expanded scope. CSF 1.1 was originally designed for critical infrastructure sectors. While many other organizations adopted it voluntarily, the framework’s language and framing reflected that narrow origin. CSF 2.0 explicitly broadens its intended audience to include organizations of all sizes, sectors, and maturity levels. The title itself changed from “Framework for Improving Critical Infrastructure Cybersecurity” to simply “The Cybersecurity Framework.” This is not cosmetic. It means the guidance, examples, and implementation tiers are now written to be applicable whether you are a hospital system, a software company, a municipality, or a defense contractor.
Improved guidance on profiles. CSF 1.1 introduced the concept of profiles (a snapshot of an organization’s current or target cybersecurity posture mapped to the framework’s categories and subcategories), but the guidance on how to actually build and use them was thin. CSF 2.0 provides substantially more detail on creating organizational profiles, including community profiles that represent shared cybersecurity goals across an industry or sector. This makes profiles a genuinely useful planning and communication tool rather than an afterthought.
Better integration with other frameworks. CSF 2.0 was designed with interoperability in mind. NIST published updated reference mappings that connect CSF subcategories to controls in NIST SP 800-53, ISO 27001, and other frameworks. The CSF’s improved international alignment makes it easier to integrate with ISO 27001 controls. This cross-referencing is central to how organizations with multiple compliance obligations can use CSF 2.0 as a coordination layer.
Supply chain risk management. CSF 2.0 strengthens the treatment of supply chain risk, integrating it throughout the framework rather than confining it to a single category. Given the increase in supply chain attacks over the past several years, this reflects operational reality.
CSF 1.1 vs CSF 2.0 at a Glance
| Aspect | CSF 1.1 | CSF 2.0 |
|---|---|---|
| Core Functions | 5 (Identify, Protect, Detect, Respond, Recover) | 6 (adds Govern) |
| Target Audience | Critical infrastructure | All organizations regardless of size or sector |
| Governance | Embedded within other functions | Dedicated Govern function elevates cybersecurity governance |
| Supply Chain | Limited coverage in Identify function | Expanded supply chain risk management across multiple functions |
| Profiles | Current and Target profiles | Enhanced guidance with community profiles for specific sectors |
| Tiers | 4 implementation tiers | Same 4 tiers with clearer alignment to risk management practices |
| International Alignment | US-focused references | Improved alignment with ISO 27001 and global frameworks |
The Six Core Functions
CSF 2.0 organizes cybersecurity activities into six functions. Each function contains categories and subcategories that describe specific outcomes organizations should achieve. Here is what each function covers and why it matters.
Govern (GV)
This is the new addition. Govern establishes and monitors an organization’s cybersecurity risk management strategy, expectations, and policy. It addresses questions like: Who is accountable for cybersecurity risk? How does cybersecurity risk fit into broader enterprise risk management? What policies and processes guide cybersecurity decisions?
Govern includes categories covering organizational context, risk management strategy, roles and responsibilities, policy, oversight, and supply chain risk management. By making governance a distinct function rather than burying it in implementation guidance, CSF 2.0 forces organizations to confront whether they have the leadership structures and decision-making processes to support their technical controls.
Identify (ID)
Identify focuses on understanding the organization’s environment, assets, risks, and vulnerabilities. You cannot protect what you do not know about. This function covers asset management, business environment analysis, risk assessment, and improvement processes. It answers the fundamental question: What do we need to protect and what are the risks to it?
Protect (PR)
Protect covers the safeguards that limit or contain the impact of cybersecurity events. This includes identity management and access control, awareness and training, data security, platform security, and technology infrastructure resilience. These are the controls most organizations think of first when they consider cybersecurity: authentication, encryption, network segmentation, endpoint protection, and similar measures. Organizations pursuing CMMC 2.0 certification will find significant overlap with CSF 2.0, particularly in the Protect and Detect functions.
Detect (DE)
Detect addresses the activities needed to identify cybersecurity events in a timely manner. Continuous monitoring, anomaly detection, and adverse event analysis fall here. The value of this function is in timeliness. Detection capabilities determine how quickly an organization recognizes that something has gone wrong, which directly affects the severity of the outcome.
Respond (RS)
Respond encompasses the actions taken once a cybersecurity incident is detected. This includes incident management, analysis, mitigation, and reporting. A well-implemented Respond function ensures that when an incident occurs, there are predefined processes for containing it, communicating about it, and learning from it.
Recover (RC)
Recover focuses on restoring capabilities or services impaired by a cybersecurity incident. This includes recovery planning and execution as well as communication during and after recovery. The goal is resilience: ensuring the organization can return to normal operations and incorporate lessons learned into future planning.
Implementation Tiers
CSF 2.0 retains the four implementation tiers from version 1.1, though with refined descriptions. The tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework:
- Tier 1 — Partial: Risk management is ad hoc and reactive. There is limited awareness of cybersecurity risk at the organizational level, and no formalized processes exist for managing it.
- Tier 2 — Risk Informed: Risk management practices are approved by management but may not be established as organization-wide policy. There is awareness of risk but inconsistent application of controls.
- Tier 3 — Repeatable: Risk management practices are formally approved, expressed as policy, and regularly updated. The organization consistently applies its processes and adapts to changes in the threat landscape.
- Tier 4 — Adaptive: The organization adapts its cybersecurity practices based on lessons learned and predictive indicators. Risk management is part of the organizational culture, and continuous improvement is built into operations.
Tiers are not maturity levels in the traditional sense. NIST emphasizes that organizations should select the tier that meets their risk management objectives and is feasible given their resources. Tier 4 is not inherently the goal for every organization. A small business with limited cybersecurity exposure may find Tier 2 entirely appropriate, while a defense contractor handling classified information should aim for Tier 3 or 4.
How to Create Organizational Profiles
A CSF profile represents an organization’s alignment of its cybersecurity posture with the framework’s functions, categories, and subcategories. CSF 2.0 describes two types:
Current Profile: Documents your existing cybersecurity outcomes. For each subcategory, you assess whether and how well the organization achieves that outcome today. This provides a baseline.
Target Profile: Defines the desired cybersecurity outcomes based on your risk tolerance, business requirements, and regulatory obligations. The target profile represents where you want to be.
The gap between the current profile and the target profile becomes your action plan. This gap analysis drives prioritization: you focus resources on closing the gaps that represent the greatest risk to the organization.
To build a profile effectively:
- Define scope. Determine which business units, systems, or processes the profile covers.
- Gather input from stakeholders. Profiles should reflect business priorities, not just technical assessments. Include leadership, legal, compliance, and operational teams.
- Assess each subcategory. For the current profile, document what is in place. For the target profile, determine what is needed based on risk assessments, regulatory requirements, and organizational goals.
- Identify and prioritize gaps. Rank gaps by risk impact and feasibility of remediation.
- Develop an action plan. Assign ownership, timelines, and resources to close priority gaps.
Mapping CSF 2.0 to Actionable Controls with SCF Connect
The CSF is an outcomes-based framework. It tells you what to achieve but does not prescribe specific controls for how to achieve it. This is by design, as it allows flexibility, but it also means organizations need a way to translate CSF outcomes into concrete, implementable controls.
This is where the Secure Controls Framework and SCF Connect provide direct value. SCF Connect maps every CSF 2.0 category and subcategory to specific controls from the SCF’s unified control set. When you select NIST CSF as one of your applicable frameworks in SCF Connect, the platform shows you exactly which controls satisfy each subcategory, what evidence you need to demonstrate compliance, and how those same controls map to other frameworks you may be subject to.
For organizations that are also working toward NIST SP 800-53 compliance, this mapping is particularly valuable. CSF 2.0 and 800-53 are complementary. CSF provides the strategic framework; 800-53 provides the detailed control catalog. SCF Connect bridges them, so you can see how implementing a specific 800-53 control simultaneously satisfies CSF subcategories and any other overlapping framework requirements.
The practical benefit is efficiency. Using a common control framework approach, instead of maintaining separate compliance tracking for CSF, 800-53, ISO 27001, and other frameworks, SCF Connect lets you manage a single set of controls and view your compliance posture through the lens of whichever framework a particular auditor, customer, or regulator requires.
Getting Started
Organizations adopting CSF 2.0 should begin with the Govern function. Without clear governance, the remaining five functions lack the organizational support needed for sustained implementation. Define accountability, establish risk management policies, and ensure cybersecurity risk is integrated into enterprise risk management.
From there, build your current and target profiles, use gap analysis to prioritize, and implement controls in a structured, measurable way. When preparing for a NIST-aligned assessment, our audit readiness checklist provides a practical timeline. SCF Connect provides the infrastructure to manage this entire lifecycle, from initial assessment through ongoing monitoring and continuous improvement.
Start your free trial to see how SCF Connect maps NIST CSF 2.0 to actionable controls across your entire compliance landscape.
Frequently Asked Questions
What is new in NIST CSF 2.0?
The most significant change is the addition of the Govern function, making cybersecurity governance a top-level concern. CSF 2.0 also broadens its scope from critical infrastructure to all organizations, expands supply chain risk management guidance, introduces enhanced organizational profiles, and improves international framework alignment.
How many functions does NIST CSF 2.0 have?
NIST CSF 2.0 has six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. The Govern function is new in version 2.0 and addresses cybersecurity risk management strategy, expectations, and policy at the organizational level.
Is NIST CSF 2.0 mandatory?
NIST CSF is voluntary for most private-sector organizations, but it is increasingly referenced in regulations and contractual requirements. Federal agencies are required to use NIST frameworks, and many industries treat CSF alignment as a de facto requirement. The framework is designed to be adapted to any organization’s risk management program.
How does NIST CSF relate to NIST 800-53?
NIST CSF provides a high-level strategic framework for managing cybersecurity risk, while NIST 800-53 provides a detailed catalog of security and privacy controls. CSF categories and subcategories map to specific 800-53 controls — SCF Connect makes this mapping explicit, allowing organizations to move from strategy to implementation seamlessly.
Related resources:
- NIST CSF Compliance with SCF Connect — How SCF maps controls to NIST CSF categories
- NIST 800-53 Compliance with SCF Connect — Detailed control catalog mapping
- SCF Connect Features — Platform capabilities for framework management
- What Is GRC? — Understanding governance, risk, and compliance
- SCF Controls Reference — Browse the full SCF control set