NIST Zero Trust CSF 2.0

The landmark update to the NIST Cybersecurity Framework raises the bar for enterprise security posture with a new Govern function.

The National Institute of Standards and Technology has released Cybersecurity Framework 2.0 — its first major revision since the framework's 2014 launch, adding a critical sixth function: Govern.

What's New in CSF 2.0

The most significant addition is the "Govern" function, which places cybersecurity risk management at the executive and board level. This signals a shift from security being a purely technical concern to a top-tier organizational governance priority, aligning with growing regulatory expectations worldwide.

"CSF 2.0 recognizes that security isn't a product you buy — it's a culture you build. The Govern function institutionalizes that reality."

The Five Core Functions, Refined

  • Govern (NEW): Establishing and monitoring cybersecurity risk management strategy, expectations, and policy.
  • Identify: Understanding organizational assets and their associated cybersecurity risks.
  • Protect: Implementing safeguards for critical infrastructure services.
  • Detect: Developing activities to identify cybersecurity events quickly.
  • Respond & Recover: Taking action regarding detected cybersecurity incidents and maintaining recovery plans.

Zero Trust Alignment

CSF 2.0 provides explicit guidance on aligning with Zero Trust Architecture principles, referencing NIST SP 800-207 throughout. For organizations already on a Zero Trust journey, this framework provides the auditable evidence trail required for regulated industries.

Action for Enterprises

Security teams should immediately conduct a gap assessment against CSF 2.0. Many of the new requirements around supply chain security and continuous monitoring will require tooling investments. We recommend starting with threat modelling for your most critical data flows.