NIST Unveils Cybersecurity Framework 2.0 | Cooley LLP


On February 26, 2024, the National Institute of Standards and Technology (NIST) released the long-awaited second version of the Cybersecurity Framework (CSF). Dubbed “CSF 2.0,” it contains a few significant changes:

  • Creation of a new “Govern” function.
  • Increased acknowledgement of supply chain and vendor security.
  • An intentional effort to reframe the CSF to make it more accessible to and usable by smaller organizations.

As we noted in a July 2023 blog post, NIST was required by the White House’s National Cybersecurity Strategy to update the CSF by the first quarter of fiscal year 2025. The publication of CSF 2.0 puts NIST far ahead of schedule.

The Govern function is a game changer

The creation of the Govern function and its interconnectedness with all the other functions mark the biggest difference between NIST CSF 1.1 and CSF 2.0. This new Govern function requires an organization to “establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy.” As background, CSF 1.0 and 1.1 were built around five core functions – Identify, Protect, Detect, Respond and Recover – that CSF 1.1 stated “should be performed…
