nist csf 2.0 update

NIST Cybersecurity Framework 2.0: What’s Changed and Why It Matters

Lauren Blanc

Marketing Manager


Cyber threats never sleep, which means neither can your defenses. That’s why the US Government’s National Institute of Standards and Technology (NIST) recently updated its Cybersecurity Framework (CSF) to version 2.0, the first major update since the creation of the CSF a decade ago.

The biggest addition is the Govern function, emphasizing the importance of governance in managing cyber risks. Things like policies, procedures, oversight, and resource allocation now have a home in the framework.

Another big shift in the new framework is its expanded scope beyond critical infrastructure sectors. While the original 2014 version focused on industries like energy, finance, and transportation, this new iteration is designed to help organizations of all types and sizes.

Let’s dive further into the key updates of version 2.0, but before we do that, let’s walk through why the framework was established in the first place and what it covers at a high level.

Overview of the NIST CSF 

NIST CSF was formed to provide guidance to help organizations manage cyber risks. When it was first introduced back in 2014, it outlined 5 core functions that remain central to the framework today: Identify, Protect, Detect, Respond, and Recover. Identify and Protect help you understand and manage cybersecurity risks. Detect, Respond, and Recover help you handle cybersecurity events.

Now, in Cybersecurity Framework 2.0, NIST has added a sixth function: Govern.

So, What’s Covered in the New Govern Function?

The most significant addition in NIST CSF 2.0 is the new Govern function, which emphasizes how important governance and oversight are for managing cyber risk. The Govern function helps you establish and monitor your cyber risk strategy, policies and expectations, and provides outcomes to guide your organization in achieving the goals of the other functions.

The Govern function is made up of six categories, each essential for building a solid cybersecurity governance framework:

Organizational Context: This category is all about knowing how cyber risk relates to you as an organization – your mission, objectives, the people you serve, and risk tolerance. Understanding this helps tailor your cybersecurity efforts to fit your unique needs.

Risk Management Strategy: Here, the framework dives into identifying, assessing, and tackling cyber risks head-on. It’s about having a plan in place to deal with whatever cyber threats come your way.

Roles & Responsibilities: Clear roles and responsibilities are crucial for making sure everyone knows what they need to do to keep your digital assets safe. This category helps define who’s responsible for what in your organization’s cybersecurity efforts.

Policy: Policies are like the rulebook for cybersecurity. They lay out what’s expected of employees and how to ensure compliance with regulatory requirements and industry best practices.

Oversight: Provide oversight and monitoring to evaluate the effectiveness of your cyber risk management program and make improvements. Report on cyber risks and progress to senior leadership and the board of directors.

Cybersecurity Supply Chain Risk Management: As organizations increasingly rely on third-party vendors and suppliers, cybersecurity isn’t just about what happens inside your organization – it’s also about the companies you partner with too. This category helps companies manage the risks that come with outsourcing and working with third-party vendors. Read more on how vendor security assessments help companies identify cybersecurity risks here.

nist csf 2.0 functions

CSF 2.0 is Designed to Help All Organizations, Not Just Critical Infrastructure Sectors

The original CSF focused primarily on critical infrastructure sectors like energy, finance, and healthcare. CSF 2.0 expands its scope to include organizations of all sizes and industries. Whether you run a small business, mid-size company, or large enterprise, the framework can help you better manage cyber risks.

Startups Benefit Too

Startups often struggle to implement robust cybersecurity programs due to limited resources and expertise. CSF 2.0 provides guidance tailored to organizations with less complex IT infrastructure and staffing. Things like streamlining risk assessments, focusing on key controls, and designating a single person (or Scytale compliance expert!) to lead cyber efforts can help startups adopt the framework.

One Size Doesn’t Fit All

The updated framework recognizes that different organizations have different needs and risk tolerances. It offers flexibility so you can adapt cybersecurity practices to your unique business requirements, risk profile, and resources. You choose which framework parts to implement based on your priorities and what’s practical for your organization.

CSF 2.0 Provides More Guidance and Resources

CSF 2.0 provides a wealth of new resources to facilitate framework adoption for organizations of all kinds. Things like case studies, videos, sector-specific guidance, and a five-step implementation process make it easier to put the framework into practice. Whether you need to build a cyber program from the ground up or strengthen an existing one, CSF 2.0 has tools and advice for you. Some of these resources include:

Quick Start Guides

New quick start guides for small businesses walk you through how to get started with the framework. If you run a startup, these guides are invaluable. They break down how to perform a basic risk assessment, set cybersecurity goals, and implement safeguards on a smaller scale.


Framework 2.0 also includes mappings to other standards, guidelines, and practices. These mappings help you determine how the framework aligns with things you may already be doing. They can also point you to additional guidance to strengthen your cybersecurity program.

Additional Resources

On top of these, NIST released a catalogue of resources like educational materials, videos, spreadsheets, and document templates to support framework use. The variety of resources means there are options for different learning styles and needs.


How Scytale Can Help

Although CSF 2.0 provides a lot more resources for implementation, adopting the framework can still be a big, daunting project. If you’re short on resources, expertise, or time to tackle this independently, Scytale is here to assist you every step of the way.

Scytale’s continuous monitoring and risk management tools can help you implement key controls to improve your cyber resilience and protect against emerging threats. Our experts can guide you through a gap analysis and create a customized implementation roadmap that considers your unique business needs and risk tolerance – ensuring you meet NIST compliance requirements while optimizing security and efficiency. 

Share this article

A CTO’s Roadmap to Security Compliance: Your Go-To Handbook for Attaining SOC 2 and ISO 27001

Security Compliance for CTOs