Security 3 min read

NIST Cybersecurity Framework 2.0: the framework gets broader and closer to business

What changed in the new version of NIST CSF and why the update matters not only to security teams but to executives who are responsible for risk management.

In February 2024, NIST released the second version of the Cybersecurity Framework - a document that since 2014 has been one of the primary reference points for building cybersecurity programs. The first version was created in response to a presidential executive order, focused on protecting US critical infrastructure. Version 2.0 addresses a significantly broader audience.

I want to explain what actually changed and why this concerns not only CISOs but also those who make risk decisions at the board or executive level.

What the first version contained

CSF 1.0 and 1.1 were built around five functions: Identify, Protect, Detect, Respond, Recover. It is an intuitive framework: know what you have, protect it, notice problems, respond, and recover. It was oriented toward security teams and technical specialists.

The problem was that the framework translated poorly to leadership conversations. How does "Protect" connect to budget decisions? How do you tell the board where the company sits on the risk scale?

What version 2.0 adds

The main change is a sixth function: Govern. It sits at the centre of the updated model and covers what was previously implied but not explicit: cybersecurity strategy, policies, roles and accountability, integration with enterprise risk management, and communication with stakeholders.

This is a significant shift. The Govern function states plainly that cybersecurity is not only a technical question. It is a question of how the organisation makes decisions about risk, who is accountable for those decisions, and how they connect to business goals.

The second change is the explicit broadening of the intended audience. NIST CSF 2.0 is addressed to any organisation of any size, not only critical infrastructure operators. The document has become considerably more practical from an implementation standpoint.

The third change is more explicit integration with supply chain risk management. Third-party and software supplier risks are now woven into the framework more directly - which is relevant given several high-profile incidents in recent years.

Why this matters to executives, not only security teams

In most companies today, cybersecurity lives as a separate discipline that is almost entirely delegated to the IT department or external contractors. Leadership asks "is everything under control?" and receives the answer "yes."

NIST CSF 2.0 sets a different standard. The Govern function raises questions that should be answered at the board level: what level of cyber risk is acceptable for this company? How do security decisions connect to business strategy? How will we know when a significant incident has occurred, and how will we respond?

This does not mean the executive team must understand technical details. It means that risk governance questions should be part of ordinary management processes.

Practical implications

A few questions worth asking your organisation after the release of NIST CSF 2.0:

  1. Do we have an explicitly articulated cybersecurity policy that is understood not only by security staff but by leadership?
  2. Who in the company is accountable for cybersecurity risk - with a specific name and clear authority?
  3. How do we assess cyber risks from our key vendors and contractors?
  4. When did the board or executive committee last review cybersecurity as a governance question - not just as an incident report?
  5. Do the company's senior leaders know what they are supposed to do in the first hours of a significant cyber incident?

The NIST update is not a reason to immediately rebuild a security program. It is a good reason to use it as a framework for a conversation about how cybersecurity fits into the company's governance.
