NIST Cybersecurity Framework 2.0: A Practical Guide

Standarity Editorial Team · NIST CSF Practitioners & Certified Information Security Managers

NIST released Cybersecurity Framework 2.0 on February 26, 2024 — the first major revision since the original framework launched in 2014. The update reflects a decade of real-world implementation experience across thousands of organizations. It also reflects how dramatically the threat landscape has changed: ransomware, supply chain attacks, and cloud-native environments barely existed as mainstream concerns when CSF 1.0 was written.

Why the Update Matters

The most significant change in CSF 2.0 is the addition of a sixth core function: GOVERN. This is not a cosmetic addition. It represents NIST explicitly acknowledging what practitioners have known for years — that cybersecurity programs fail not because of missing technical controls, but because of missing organizational accountability. You can have the best security tools in the world and still get breached if leadership does not understand the risks, does not fund remediation, and has not defined who is responsible for what.

Notable: The original CSF was developed for critical infrastructure operators. CSF 2.0 explicitly broadened its scope to "all organizations" — small businesses, nonprofits, schools, and government agencies included. NIST also released sector-specific Community Profiles for healthcare, finance, and others to make adoption easier.

The Six Core Functions

  • GOVERN — Establish cybersecurity strategy, risk tolerance, policies, roles, and supply chain risk management
  • IDENTIFY — Understand your assets, data, suppliers, and the risks to each
  • PROTECT — Implement safeguards: access control, data security, training, platform security
  • DETECT — Continuously monitor for anomalies, indicators of compromise, and adverse events
  • RESPOND — Have a tested plan to contain, analyze, and communicate during incidents
  • RECOVER — Restore systems and services, communicate with stakeholders, incorporate lessons learned

A common misreading of the framework is treating these functions as sequential phases. They are not. IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER run in parallel continuously. GOVERN underpins all of them. An organization with strong PROTECT capabilities but weak DETECT will be slow to discover breaches. One with strong DETECT but poor RESPOND will know about an incident and still fail to contain it.

Tiers: What They Actually Mean

The four tiers (Partial, Risk Informed, Repeatable, Adaptive) describe how mature and integrated your cybersecurity risk management is — not how good your security controls are. A Tier 1 organization has ad hoc, reactive practices. A Tier 4 organization continuously learns from threat intelligence and adapts in near real-time.

Critically: Tier 4 is not the universal target. NIST is explicit that organizations should aim for the tier that meets their business needs and risk tolerance. A small accounting firm may need Tier 2 or 3. A defense contractor or hospital probably needs Tier 4. Chasing the highest tier without business justification wastes resources.

Using Profiles to Drive Your Roadmap

A CSF Profile is how you turn the framework into an actionable plan. Your Current Profile maps where you are today. Your Target Profile maps where you need to be based on your risk appetite, legal requirements, and business objectives. The gap between them is your cybersecurity roadmap.

  • Start with GOVERN — without leadership alignment, the rest does not stick
  • Use your risk assessment to prioritize which functions to address first
  • Map existing controls to the framework before buying anything new
  • Community Profiles exist for many sectors — use them as a starting point
  • Review and update your Target Profile annually as threats and business needs evolve
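As an added illustration of the Current-to-Target gap (this is not NIST tooling or code from the article), the following script scores each of the six Functions on the four tiers, computes the gap, and orders the roadmap with GOVERN first. Scoring tiers per Function is an assumed simplification here; NIST applies tiers to the organization's risk management as a whole.

```python
"""Added example: a hypothetical CSF 2.0 Profile gap calculator.

Current and Target Profiles are scored per Function on the four tiers
(1 = Partial, 2 = Risk Informed, 3 = Repeatable, 4 = Adaptive). The gap
between the two profiles becomes a roadmap with GOVERN first, then the
remaining Functions ordered by how far they sit from their target.
"""
from dataclasses import dataclass

FUNCTIONS = ("GOVERN", "IDENTIFY", "PROTECT", "DETECT", "RESPOND", "RECOVER")
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class GapItem:
    function: str
    current: int
    target: int

    @property
    def gap(self) -> int:
        return self.target - self.current


def validate_profile(profile: dict[str, int]) -> None:
    """Every Function must be present and scored on a valid tier."""
    missing = set(FUNCTIONS) - set(profile)
    if missing:
        raise ValueError(f"profile missing functions: {sorted(missing)}")
    for fn, tier in profile.items():
        if fn not in FUNCTIONS:
            raise ValueError(f"unknown function {fn!r}")
        if tier not in TIERS:
            raise ValueError(f"{fn}: tier must be 1-4, got {tier!r}")


def build_roadmap(current: dict[str, int], target: dict[str, int]) -> list[GapItem]:
    """Return only the Functions needing uplift, GOVERN first, then largest gap."""
    validate_profile(current)
    validate_profile(target)
    items = [GapItem(fn, current[fn], target[fn]) for fn in FUNCTIONS
             if target[fn] > current[fn]]
    # GOVERN underpins the other five, so it always leads; ties on gap size
    # fall back to the framework's own Function order.
    return sorted(items, key=lambda i: (i.function != "GOVERN", -i.gap,
                                        FUNCTIONS.index(i.function)))


# Constructed sample profiles for a small firm whose target is mostly Tier 3.
CURRENT_PROFILE = {"GOVERN": 1, "IDENTIFY": 2, "PROTECT": 3, "DETECT": 1, "RESPOND": 2, "RECOVER": 2}
TARGET_PROFILE = {"GOVERN": 3, "IDENTIFY": 3, "PROTECT": 3, "DETECT": 3, "RESPOND": 3, "RECOVER": 2}

if __name__ == "__main__":
    for item in build_roadmap(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{item.function:<9} {TIERS[item.current]} -> {TIERS[item.target]} (gap {item.gap})")
```

With the sample profiles the roadmap lists GOVERN and DETECT (gap 2) before IDENTIFY and RESPOND (gap 1); PROTECT and RECOVER already meet their targets and are omitted.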

CSF 2.0 and Other Frameworks

NIST CSF does not replace ISO 27001, SOC 2, or other frameworks — it complements them. NIST publishes mapping documents showing how CSF subcategories align with ISO 27001 controls, COBIT, and others. If your organization is pursuing ISO 27001 certification, CSF 2.0 is an excellent planning and communication tool to use alongside it.
