- NIST CSF 2.0: Everything About the Update
- What Is NIST CSF 2.0?
- What Changed in NIST CSF 2.0
- NIST CSF 1.1 vs 2.0 Comparison Table
- CSF 2.0 Core Functions Overview
- CSF 2.0 Implementation Resources
- How to Transition from CSF 1.1 to 2.0
- How to Simplify NIST CSF 2.0 Implementation
- NIST CSF 2.0 FAQs
- Key Takeaways
NIST CSF 2.0: Everything About the Update
NIST CSF 2.0 is the first major revision to the NIST Cybersecurity Framework since its creation in 2014. Published by the National Institute of Standards and Technology (NIST) on February 26, 2024, CSF 2.0 adds a sixth core function (Govern), expands scope from critical infrastructure to all organizations, and restructures the framework into six functions, 22 categories, and 106 subcategories.
Whether your organization is adopting the CSF for the first time, transitioning from 1.1, or evaluating how 2.0 affects an existing program, this guide breaks down what changed, how the six functions work, what NIST provides for implementation, and how to move forward. It is written for security practitioners, compliance leads, IT risk managers, and CISOs who need to understand the update and act on it.
For a high-level overview of the NIST Cybersecurity Framework, see our NIST CSF complete guide.
What Is NIST CSF 2.0?
NIST CSF 2.0 is the current version of the NIST Cybersecurity Framework, published by the National Institute of Standards and Technology (NIST) in February 2024. It adds a Govern function, applies to all organizations, and organizes cybersecurity outcomes into 106 subcategories across 22 categories and six functions.
NIST CSF 2.0 is a voluntary cybersecurity framework that helps organizations manage and reduce cyber risk. It provides a common language of outcomes — organized into six functions, 22 categories, and 106 subcategories — that any organization can use to assess its cybersecurity posture, prioritize improvements, and communicate risk to leadership.
NIST CSF 2.0 succeeds CSF 1.1 (2018) and CSF 1.0 (2014). NIST changed the title from “Framework for Improving Critical Infrastructure Cybersecurity” to “The NIST Cybersecurity Framework (CSF) 2.0” to signal that the framework now applies to every organization — universities, hospitals, manufacturers, financial institutions — regardless of sector, size, or maturity level.
The update followed a multi-year public review that began in February 2022 and included two public draft comment periods that drew over 300 responses. NIST published companion resources alongside the framework, including Quick Start Guides, Implementation Examples, and an interactive CSF Tools reference. In its one-year retrospective, NIST reported that CSF 2.0 downloads exceeded CSF 1.1’s first-year totals within months.
What Changed in NIST CSF 2.0
CSF 2.0 introduces seven changes that affect how organizations design, operate, and measure cybersecurity programs:
- New Govern function. A sixth core function that makes governance, risk strategy, policy, oversight, and supply chain risk management explicit. In CSF 1.1, governance was scattered across the Identify function.
- Expanded scope. The framework now applies to all organizations regardless of size, sector, or maturity. CSF 1.1 was written for critical infrastructure operators.
- Reorganized subcategories. Consolidates from 108 subcategories (1.1) to 106 (2.0). NIST merged overlapping outcomes and rewrote subcategory language to focus on measurable outcomes.
- Enhanced organizational profiles. Stronger guidance for building Current Profiles and Target Profiles with structured gap analysis methods.
- Community profiles. Sector-specific baseline profiles built by NIST and external contributors that organizations can adopt and customize.
- Implementation resources. Quick Start Guides, Implementation Examples, crosswalk documents, and the CPRT Reference Tool. CSF 1.1 had limited companion materials.
- Online reference tool. The CPRT provides searchable, machine-readable access to every CSF 2.0 category, subcategory, and cross-framework mapping.
SANS Institute’s analysis characterized these changes as a shift from treating cybersecurity as a technical function to treating it as an enterprise governance responsibility — a shift that requires board-level engagement, not just SOC-level execution.
The New Govern Function
The Govern (GV) function is the most significant structural addition in CSF 2.0. It elevates cybersecurity governance to the same level as the five operational functions and provides the strategic foundation for how each operates.
The ISACA Journal describes how Govern creates a clear hierarchy: executives set strategy, managers implement policy, and practitioners execute controls. An NYU Compliance analysis called CSF 2.0 “the most significant update to the Cybersecurity Framework since its creation in 2014.”
Govern contains six categories and 31 subcategories:
- GV.OC (Organizational Context): Understand and document the organization’s mission, stakeholder expectations, legal requirements, and risk environment.
- GV.RM (Risk Management Strategy): Establish risk tolerance, prioritize threats, and allocate resources. The NISTIR 8286 series, revised in December 2025, provides detailed guidance for this category.
- GV.RR (Roles, Responsibilities, and Authorities): Assign ownership for cybersecurity outcomes at every level, from the board to individual control owners.
- GV.PO (Policy): Establish and maintain the security policies, standards, and procedures that govern operational activities.
- GV.OV (Oversight): Monitor, audit, and review whether the cybersecurity program delivers the outcomes defined in organizational profiles.
- GV.SC (Cybersecurity Supply Chain Risk Management): Manage third-party and vendor risk. CSF 1.1 placed supply chain risk under Identify (ID.SC); CSF 2.0 moves it into Govern.
What the Govern Function Adds in CSF 2.0
| Category | What It Covers | What Changed from 1.1 |
|---|---|---|
| GV.OC Organizational Context | Mission, stakeholders, legal/regulatory requirements, risk environment | Formalizes the link between business context and cybersecurity priorities |
| GV.RM Risk Management Strategy | Risk tolerance, prioritization methods, resource allocation | Elevates risk strategy from an implicit Identify activity to a defined governance process |
| GV.RR Roles, Responsibilities, and Authorities | Accountability for cybersecurity decisions at every organizational level | Consolidates role definitions that were spread across ID.AM and ID.GV in 1.1 |
| GV.PO Policy | Security policies, standards, and procedures | Creates a dedicated policy management layer under governance |
| GV.OV Oversight | Performance monitoring, auditing, and governance review | Makes continuous oversight a core expectation with defined outcomes |
| GV.SC Supply Chain Risk Management | Third-party risk, vendor management, supply chain due diligence | Moved from ID.SC in Identify. Reclassified as a governance-led activity |
Updated Categories and Subcategories
CSF 2.0 reorganizes categories and subcategories to eliminate overlap and centralize governance activities under the new Govern function. The result is 106 subcategories (down from 108) with clearer ownership boundaries.
Key reorganization patterns:
- Identify lost eight subcategories. Most moved to Govern. The remaining categories focus on asset management, risk assessment, and improvement.
- Protect lost 17 subcategories. NIST consolidated overlapping safeguards into five categories covering identity management, training, data security, platform security, and infrastructure resilience.
- Detect lost seven subcategories. Merged into continuous monitoring and adverse event analysis.
- Respond lost three subcategories. Streamlined into incident management, analysis, reporting, and mitigation.
- Recover gained two subcategories. Expanded to cover recovery execution and recovery communication.
| Function | Categories (2.0) | Subcategories (2.0) | Change from 1.1 |
|---|---|---|---|
| Govern (NEW) | 6 | 31 | +31 (new function) |
| Identify | 3 | 21 | -8 (governance moved to GV) |
| Protect | 5 | 22 | -17 (consolidated) |
| Detect | 2 | 11 | -7 (merged monitoring outcomes) |
| Respond | 4 | 13 | -3 (streamlined) |
| Recover | 2 | 8 | +2 (expanded communication) |
| Total | 22 | 106 | -2 net |
Expanded Profiles and Tiers
Profiles and tiers help organizations measure where they stand and where they need to go. Profiles define which CSF outcomes the organization achieves today and targets for the future. Tiers describe how mature and integrated those practices are.
- Current Profile: Documents which CSF outcomes the organization achieves today. CSF 2.0 adds structured assessment guidance so organizations can rate achievement and identify evidence for each subcategory.
- Target Profile: Defines desired outcomes based on business priorities, risk tolerance, and regulatory requirements. Organizations compare Current and Target profiles to quantify gaps and prioritize improvements.
- Community Profiles: Sector-specific baseline profiles that accelerate adoption. NIST published the first finalized community profile in April 2025: SP 800-61r3. Additional draft profiles are in development.
- Implementation Tiers: Four maturity levels that describe how well cybersecurity practices integrate into risk management. CSF 2.0 clarifies that tiers are not a maturity model to climb sequentially — organizations select the tier that aligns with their risk tolerance.
| Implementation Tier | Characteristics | Risk Management Integration |
|---|---|---|
| Tier 1: Partial | Ad hoc, reactive responses to incidents | Cybersecurity risk managed case-by-case with limited awareness of organizational risk |
| Tier 2: Risk Informed | Risk-aware practices exist but are inconsistently applied | Risk management approved by management but may not be policy across the organization |
| Tier 3: Repeatable | Defined policies, regularly updated based on risk changes | Organization-wide approach with consistent processes and skilled personnel |
| Tier 4: Adaptive | Continuously improving, informed by lessons learned and predictive indicators | Cybersecurity risk management part of organizational culture with real-time response to threat changes |
NIST CSF 1.1 vs 2.0 Comparison Table
CSF 2.0 differs from CSF 1.1 across eight dimensions that affect scope, structure, governance, and available resources.
| Dimension | NIST CSF 1.1 (2018) | NIST CSF 2.0 (2024) |
|---|---|---|
| Core functions | 5 (Identify, Protect, Detect, Respond, Recover) | 6 (added Govern) |
| Categories | 23 | 22 |
| Subcategories | 108 | 106 |
| Scope | Critical infrastructure | All organizations, all sectors, all sizes |
| Governance | Scattered across Identify (ID.GV) | Dedicated Govern function with six categories and 31 subcategories |
| Supply chain risk | Under Identify (ID.SC), 5 subcategories | Under Govern (GV.SC), expanded to include due diligence, contracts, and monitoring |
| Profiles | Current and Target | Current, Target, and Community (sector-specific baselines) |
| Resources | Limited (Informative References only) | Quick Start Guides, CPRT Reference Tool, Implementation Examples, crosswalks, transition spreadsheet |
Use the CSF 1.1-to-2.0 Transition Spreadsheet for a cell-by-cell mapping of every 1.1 category and subcategory to its 2.0 equivalent.
CSF 2.0 Core Functions Overview
CSF 2.0 organizes cybersecurity outcomes into six concurrent functions. Govern sits at the center and informs strategy, policy, and oversight for the five operational functions: Identify, Protect, Detect, Respond, and Recover.
| Function | Code | Categories | Key Purpose |
|---|---|---|---|
| Govern | GV | 6 | Strategy, policy, oversight, supply chain risk management |
| Identify | ID | 3 | Asset management, risk assessment, improvement |
| Protect | PR | 5 | Access control, training, data security, platform security, resilience |
| Detect | DE | 2 | Continuous monitoring, adverse event analysis |
| Respond | RS | 4 | Incident management, analysis, reporting, mitigation |
| Recover | RC | 2 | Recovery execution, recovery communication |
Govern (GV)
Govern establishes the cybersecurity strategy, expectations, and oversight that direct the other five functions. It defines organizational context, risk tolerance, roles and responsibilities, policies, oversight processes, and supply chain risk management. See The New Govern Function above for detailed category breakdowns.
Identify (ID)
Identify helps organizations understand what they need to protect and where the risks are. CSF 2.0 narrows Identify to three categories — Asset Management, Risk Assessment, and Improvement — after moving governance-related categories to Govern. The Improvement category is new and formalizes continuous improvement as a core outcome.
Protect (PR)
Protect covers the safeguards organizations put in place to secure systems and data. CSF 2.0 reorganizes Protect into five categories: Identity Management and Access Control, Awareness and Training, Data Security, Platform Security, and Technology Infrastructure Resilience. Platform Security is new and addresses the security of hardware, software, and services throughout their lifecycle.
Detect (DE)
Detect helps organizations find cybersecurity events as quickly as possible. CSF 2.0 consolidates Detect from three categories to two: Continuous Monitoring and Adverse Event Analysis. Teams monitor networks, physical environments, and personnel activity, then correlate event data to declare incidents when thresholds are met.
Respond (RS)
Respond describes how organizations handle cybersecurity incidents once discovered. CSF 2.0 streamlines Respond into four categories: Incident Management, Incident Analysis, Incident Response Reporting, and Incident Mitigation. Updated reporting requirements reflect the increase in mandatory breach notification laws since 2018.
Recover (RC)
Recover explains how organizations restore systems and operations after an incident. CSF 2.0 expands Recover into two categories: Incident Recovery Plan Execution and Incident Recovery Communication. Recovery now includes verifying the integrity of restored systems and coordinating public and internal communications.
CISA’s Cross-Sector Cybersecurity Performance Goals (CPG) 2.0, released in December 2025, map directly to all six CSF 2.0 functions and reference specific subcategories.
CSF 2.0 Implementation Resources
NIST publishes free companion resources that provide implementation guidance, cross-framework mappings, and transition tools for CSF 2.0 adoption.
| Resource | What It Covers | When to Use It |
|---|---|---|
| CSF 2.0 Full Document (PDF) | Complete framework: all functions, categories, subcategories, and usage guidance | Primary reference for understanding CSF 2.0 structure, scope, and intended use |
| SP 1299 Resource & Overview Guide | High-level summary of CSF 2.0 with pointers to all companion resources | Starting point for readers new to the framework or evaluating whether to adopt |
| Quick Start Guides | Role-specific guidance for executives, practitioners, and small organizations. Includes SP 1308 for integrating CSF 2.0 with enterprise risk management and workforce management | Onboarding specific audiences without requiring full framework expertise |
| CSF 2.0 Reference Tool (CPRT) | Interactive, searchable, machine-readable CSF 2.0 content with cross-framework mappings | Searching subcategories, exporting data, tracing mappings to NIST 800-53, ISO 27001, CIS Controls |
| Implementation Examples | Practical scenarios demonstrating how to achieve specific CSF outcomes | Translating abstract subcategory outcomes into concrete organizational actions |
| Community Profiles | Sector-specific baseline profiles, including SP 800-61r3 Incident Response Profile (April 2025) | Selecting a ready-made Target Profile aligned to industry-specific risks |
| Crosswalk Resources | Mappings between CSF 2.0 and NIST 800-53, ISO 27001, CIS Controls, and other frameworks | Aligning CSF 2.0 with existing compliance programs and control frameworks |
| CSF 1.1-to-2.0 Transition Spreadsheet | Cell-by-cell mapping of every CSF 1.1 category and subcategory to its CSF 2.0 equivalent | Migrating existing Organizational Profiles from 1.1 to 2.0 |
For ongoing updates and new guidance, track CSF 2.0 developments through NIST’s official announcements page.
How to Transition from CSF 1.1 to 2.0
Most existing practices carry forward from CSF 1.1. The primary work is formalizing governance and realigning subcategory mappings.
- Map your current controls to CSF 2.0. Use the NIST Transition Spreadsheet to identify which 1.1 subcategories map to 2.0, which were merged, and which are new. For a step-by-step roadmap, see our NIST CSF implementation guide.
- Build out the Govern function. Audit existing governance practices and map them to the six GV categories. As AuditBoard’s CISO guide highlights, formalizing governance is the primary gap for most organizations.
- Update subcategory mappings. Realign controls to the reorganized subcategories across all five operational functions. Use NIST’s Implementation Examples to verify that mapped controls satisfy the updated outcome language.
- Adopt a community profile. Check NIST’s Community Profiles page for sector-specific baselines and use one as your Target Profile starting point.
- Set a phased transition timeline. Prioritize Govern function gaps first, then address the highest-risk subcategory changes in Protect and Detect. NIST has set no mandatory deadline.
- Distribute Quick Start Guides. Use NIST’s role-specific Quick Start Guides to bring leadership and business stakeholders into the process.
For a structured way to evaluate your current state, see our NIST CSF assessment guide.
How to Simplify NIST CSF 2.0 Implementation
Coordinating assessments, gap analysis, and remediation tracking across six functions, 22 categories, and multiple departments is hard. Spreadsheets circulate, evidence gets buried in email threads, and no one has a clear view of where the program stands against CSF 2.0 outcomes.
Isora GRC, the collaborative GRC Assessment Platform™ built for security teams, gives you one shared workspace to run CSF 2.0 assessments and coordinate responses across the organization.
- Assessment distribution: Send CSF-aligned questionnaires to control owners across teams and collect responses, evidence, and documentation in one place. Track participation and completion in real time.
- Governance and risk tracking: Assign ownership for risks, exceptions, and policy reviews aligned to the Govern function. Maintain a live risk register connected to assessment findings.
- Maturity scoring: Measure cybersecurity maturity across profiles and tiers. Monitor improvement over time.
- Reporting and oversight: Generate reports that summarize outcomes, highlight gaps, and support communication with leadership, boards, and auditors.
NIST CSF 2.0 FAQs
What is NIST CSF 2.0?
NIST CSF 2.0 is a voluntary cybersecurity framework published by NIST on February 26, 2024. It gives organizations a structured way to assess cybersecurity risk, define target outcomes, and measure improvement — organized into six functions, 22 categories, and 106 subcategories. New adopters should start with 2.0.
When was NIST CSF 2.0 released?
NIST CSF 2.0 was released on February 26, 2024 — the first major revision since the framework’s creation in 2014. NIST began the update process in February 2022 with a Request for Information, followed by concept papers and two public draft comment periods that drew over 300 responses.
What changed in NIST CSF 2.0?
NIST CSF 2.0 introduced seven structural changes, including a new Govern function (six categories, 31 subcategories), expanded scope from critical infrastructure to all organizations, reorganized subcategories (106, down from 108), enhanced Current and Target profiles with gap analysis guidance, community profiles for sector-specific baselines, new companion resources (Quick Start Guides, Implementation Examples, crosswalks), and the interactive CPRT Reference Tool.
Is NIST CSF 2.0 mandatory?
NIST CSF 2.0 is voluntary for private organizations. Federal agencies must use the CSF under Executive Order 13800, with requirements extended by EO 14028 (2021) and EO 14144 (2025). Many private organizations adopt CSF voluntarily as a best-practice risk management model. NIST has set no mandatory transition deadline from 1.1 to 2.0.
What is the Govern function?
The Govern function is the sixth core function added in NIST CSF 2.0, with six categories and 31 subcategories covering governance, risk strategy, roles and responsibilities, policy, oversight, and supply chain risk management. Govern sits at the center of the CSF 2.0 model — it defines the strategic context and accountability structure that the five operational functions (Identify, Protect, Detect, Respond, Recover) execute against.
How many subcategories are in NIST CSF 2.0?
NIST CSF 2.0 covers 106 subcategories across 22 categories and six functions — a net reduction of two from CSF 1.1 (108 subcategories, 23 categories). The Govern function adds 31 new subcategories; the remaining functions were consolidated to eliminate overlap.
Is there official NIST CSF 2.0 training?
No official NIST certification or training program exists. Instead, NIST provides free self-service resources: Quick Start Guides (role-specific), Implementation Examples, and the CSF Reference Tool (CPRT). Third-party training providers offer CSF 2.0 courses and workshops.
Do I need to transition from CSF 1.1 to 2.0?
Start with CSF 2.0 if you are new to the framework. If you already use 1.1, transition gradually — most existing practices carry forward. The primary work is formalizing governance under the new Govern function and realigning subcategory mappings using NIST’s Transition Spreadsheet. For framework comparisons, see our NIST CSF vs other frameworks guide.
Key Takeaways
CSF 2.0 connects governance, operations, and measurement within a single framework structure. The Govern function makes cybersecurity strategy and accountability explicit. Reorganized subcategories clarify ownership. Profiles and tiers provide a consistent method for assessing current state and defining targets. Companion resources — Quick Start Guides, community profiles, the CPRT Reference Tool, and crosswalks — reduce the implementation burden.
Ready to assess your organization’s maturity? See how Isora GRC supports CSF 2.0 assessments.
This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.