The NIST Cybersecurity Framework is arguably the single most‑referenced cybersecurity publication in industry. Version 2.0 introduces a sixth core function, Govern, broadens the framework’s scope beyond critical infrastructure to all organizations, and adds new emphasis on supply‑chain risk management (National Institute of Standards and Technology [NIST], 2024).

Document Background

The original Cybersecurity Framework was born from Executive Order 13636 (2013), which directed NIST to develop a voluntary framework for reducing cyber risk to critical infrastructure. Version 1.0 arrived in February 2014, and the minor update to version 1.1 followed in April 2018. Although the framework was designed for critical infrastructure sectors such as energy, healthcare, and finance, its clear structure and plain language led to widespread voluntary adoption across industries of all sizes, both in the United States and internationally (NIST, 2024).

CSF 2.0, published in February 2024, is the first major revision. It reflects a decade of feedback, evolving threats, and the reality that cybersecurity governance has become a board‑level concern rather than a purely technical one. The title itself changed: the framework no longer carries the subtitle “for Improving Critical Infrastructure Cybersecurity.” It is now intended for all organizations regardless of size, sector, or maturity level (NIST, 2024).

Why It Matters

If you work in cybersecurity, you will encounter the CSF. It is the common language that boards, auditors, regulators, and practitioners use to discuss cyber risk. Insurance underwriters reference it. Federal agencies have been required to manage their cyber risk with it since Executive Order 13800 (2017). Private‑sector companies voluntarily adopt it to demonstrate due diligence. Understanding the six functions and how Profiles and Tiers work is foundational knowledge for any cybersecurity professional.

The Six Functions

The CSF organizes cybersecurity outcomes into six high‑level functions. Each function is subdivided into categories and subcategories that describe specific outcomes an organization should work toward. The functions are not sequential steps; they operate concurrently and continuously (NIST, 2024).

  1. Govern (GV)

    New in CSF 2.0. Govern establishes and monitors the organization’s cybersecurity risk‑management strategy, expectations, and policy. It addresses organizational context, risk‑management strategy, roles and responsibilities, policies, oversight, and cybersecurity supply‑chain risk management. Govern is positioned at the center of the framework because it informs how an organization implements all five other functions (NIST, 2024).

  2. Identify (ID)

    Understand the organization’s current cybersecurity risks. This includes asset management (knowing what hardware, software, data, and people you have), risk assessment, and improvement (using lessons learned and evaluations to refine plans and processes). Understanding the business environment, which sat under Identify in version 1.1, now belongs to Govern’s Organizational Context category. You cannot protect what you do not know exists (NIST, 2024).

  3. Protect (PR)

    Use safeguards to manage cybersecurity risks. This covers identity management, authentication, and access control; awareness and training; data security; platform security (securing hardware, software, and services); and the resilience of technology infrastructure (NIST, 2024).

  4. Detect (DE)

    Find and analyze possible cybersecurity attacks and compromises. Detection includes continuous monitoring of networks, systems, and physical environments, as well as analysis of potentially adverse events to determine whether they constitute actual incidents (NIST, 2024).

  5. Respond (RS)

    Take action regarding a detected cybersecurity incident. Response activities include incident management, analysis, mitigation, reporting, and communication with internal and external stakeholders (NIST, 2024).

  6. Recover (RC)

    Restore assets and operations affected by a cybersecurity incident. Recovery plan execution and recovery communication ensure that the organization returns to normal operations in a timely manner and keeps internal and external stakeholders informed of restoration progress; lessons learned from the incident feed the Improvement category under Identify (NIST, 2024).

The Govern Addition

The introduction of Govern as a sixth function is the most significant structural change in CSF 2.0. In version 1.1, governance‑related outcomes were spread across Identify categories such as Governance, Business Environment, Risk Management Strategy, and Supply Chain Risk Management. Elevating governance to its own function reflects a lesson from the past decade: cybersecurity risk cannot be managed as a purely technical problem delegated downward; leadership has to own the strategy and the risk decisions. Govern makes explicit that leadership accountability, strategy, and supply‑chain oversight are foundational requirements rather than optional accessories (NIST, 2024).

Profiles & Tiers

Framework Profiles

A Profile describes an organization’s current or target cybersecurity posture in terms of the CSF’s categories and subcategories. Organizations typically create two profiles (NIST, 2024):

Current Profile: documents which CSF outcomes the organization is currently achieving. This is a snapshot of the present state, built through self‑assessment or external audit.

Target Profile: describes the desired cybersecurity outcomes the organization wants to achieve, based on its risk appetite, business requirements, and regulatory obligations.

The gap between the Current Profile and the Target Profile becomes the basis for a prioritized action plan. This approach lets organizations of any size focus resources on the outcomes that matter most to their specific risk environment rather than attempting to implement every subcategory at once (NIST, 2024).

CSF 2.0 also introduces the concept of Community Profiles, which are baseline profiles developed by a sector, industry group, or other community to address shared risks. A sector regulator, for example, might publish a Community Profile that all organizations in that sector can use as a starting point for their own Target Profiles (NIST, 2024).
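The profile gap analysis described above, worked through in Python as an added example; it is not part of NIST’s publication or this page’s original text. The subcategory IDs follow the CSF 2.0 Core naming scheme (function.category-number), but the four‑step outcome scale, the priorities, and the Community Profile, organization overrides, and Current Profile data are constructed sample inputs, not anything NIST prescribes. The example also layers a Community Profile baseline under the Target Profile and summarizes coverage per function, which goes one step beyond the two‑profile comparison in the text:

```python
from dataclasses import dataclass

# Ordinal scale for how far a subcategory outcome is achieved. The scale
# itself is an assumption of this example: CSF 2.0 leaves scoring to the
# organization.
STATES = ["not_started", "partial", "largely", "achieved"]


@dataclass(frozen=True)
class Outcome:
    subcategory: str   # CSF 2.0 Core ID such as "GV.SC-01"
    state: str         # one of STATES
    priority: int = 3  # 1 = highest; driven by risk appetite / regulation


def function_of(subcategory: str) -> str:
    """'GV.SC-01' -> 'GV', the two-letter function prefix."""
    return subcategory.split(".", 1)[0]


def build_target(community: dict, overrides: dict) -> dict:
    """Target Profile = Community Profile baseline plus the organization's
    own overrides (stricter state or higher priority for a given outcome)."""
    target = dict(community)
    target.update(overrides)
    return target


def gap_analysis(current: dict, target: dict) -> list:
    """Return (subcategory, gap_steps, priority) for each target outcome not
    yet reached, ordered by priority, then largest gap, then ID. An outcome
    missing from the Current Profile is treated as not_started."""
    rows = []
    for sub, tgt in target.items():
        cur = current.get(sub, Outcome(sub, "not_started"))
        gap = STATES.index(tgt.state) - STATES.index(cur.state)
        if gap > 0:
            rows.append((sub, gap, tgt.priority))
    rows.sort(key=lambda r: (r[2], -r[1], r[0]))
    return rows


def coverage_by_function(current: dict, target: dict) -> dict:
    """{function: (outcomes_met, outcomes_targeted)}: the one-line summary
    per function that a board or auditor can read."""
    unmet = {row[0] for row in gap_analysis(current, target)}
    summary = {}
    for sub in target:
        met, total = summary.get(function_of(sub), (0, 0))
        summary[function_of(sub)] = (met + (0 if sub in unmet else 1), total + 1)
    return summary


# Constructed sample data. A sector regulator's Community Profile, used as
# the baseline for the organization's Target Profile:
COMMUNITY_PROFILE = {o.subcategory: o for o in [
    Outcome("GV.OC-01", "achieved", 2),
    Outcome("GV.SC-01", "largely", 1),
    Outcome("ID.AM-01", "achieved", 1),
    Outcome("PR.AA-01", "achieved", 1),
    Outcome("DE.CM-01", "largely", 2),
    Outcome("RS.MA-01", "largely", 2),
    Outcome("RC.RP-01", "largely", 3),
]}

# Organization-specific overrides: a regulatory obligation raises the
# monitoring and recovery expectations above the community baseline.
ORG_OVERRIDES = {o.subcategory: o for o in [
    Outcome("DE.CM-01", "achieved", 1),
    Outcome("RC.RP-01", "achieved", 2),
]}

# Current Profile from self-assessment; RC.RP-01 was never assessed, so the
# gap analysis must treat it as not started rather than silently skip it.
CURRENT_PROFILE = {o.subcategory: o for o in [
    Outcome("GV.OC-01", "partial"),
    Outcome("GV.SC-01", "not_started"),
    Outcome("ID.AM-01", "largely"),
    Outcome("PR.AA-01", "achieved"),
    Outcome("DE.CM-01", "partial"),
    Outcome("RS.MA-01", "largely"),
]}


def demo_plan() -> list:
    """Prioritized action plan for the sample profiles above."""
    return gap_analysis(CURRENT_PROFILE, build_target(COMMUNITY_PROFILE, ORG_OVERRIDES))


def demo_coverage() -> dict:
    """Per-function coverage summary for the sample profiles above."""
    return coverage_by_function(CURRENT_PROFILE, build_target(COMMUNITY_PROFILE, ORG_OVERRIDES))


if __name__ == "__main__":
    for sub, gap, prio in demo_plan():
        print(f"P{prio} {sub}: {gap} step(s) short of target")
    for fn, (met, total) in sorted(demo_coverage().items()):
        print(f"{fn}: {met}/{total} target outcomes met")
```

Two design points are worth noting. Sorting by priority before gap size is what turns a raw comparison into a plan: a one‑step gap on a priority‑1 outcome (here the asset inventory) outranks a larger gap on a lower‑priority one. And treating an unassessed outcome as not started, rather than dropping it, is the conservative choice; the sample Current Profile omits RC.RP‑01 precisely to show that it still surfaces in the plan.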

Framework Tiers

Tiers describe the degree to which an organization’s cybersecurity risk‑management practices exhibit the characteristics defined in the framework. CSF 2.0 characterizes each tier along two dimensions, cybersecurity risk governance and cybersecurity risk management, so an organization can sit at different tiers for the two. The four tiers are (NIST, 2024):

  1. Tier 1 — Partial

    Risk management is ad hoc and reactive. There is limited awareness of cybersecurity risk at the organizational level, and no formalized processes exist for managing it.

  2. Tier 2 — Risk‑Informed

    Risk management practices are approved by management but may not be established as organization‑wide policy. There is awareness of risk, and processes exist but are not consistently applied.

  3. Tier 3 — Repeatable

    Risk management practices are formally approved, expressed as policy, and consistently implemented across the organization. Practices are regularly updated based on changes in risk.

  4. Tier 4 — Adaptive

    The organization continuously adapts its cybersecurity practices based on lessons learned and predictive indicators. Real‑time information sharing and continuous improvement characterize this level.

Tiers are not maturity levels in the traditional sense, and NIST does not prescribe that every organization should aim for Tier 4. The appropriate tier depends on the organization’s risk environment, resources, and mission. However, tiers provide a useful vocabulary for discussing how formalized and adaptive an organization’s risk management practices are (NIST, 2024).

CSF 1.1 vs. CSF 2.0 at a Glance

Major changes between CSF 1.1 (2018) and CSF 2.0 (2024) (NIST, 2024). Each entry gives the topic, the CSF 1.1 position, and the CSF 2.0 position.

  Core functions
    CSF 1.1 (2018): Five: Identify, Protect, Detect, Respond, Recover
    CSF 2.0 (2024): Six: Govern, Identify, Protect, Detect, Respond, Recover

  Intended audience
    CSF 1.1 (2018): Critical infrastructure organizations
    CSF 2.0 (2024): All organizations, regardless of size or sector

  Governance
    CSF 1.1 (2018): Addressed within Identify subcategories
    CSF 2.0 (2024): Elevated to its own top‑level function (Govern)

  Supply chain risk
    CSF 1.1 (2018): Addressed in a single category under Identify
    CSF 2.0 (2024): Expanded with dedicated outcomes in Govern and across multiple functions

  Profiles
    CSF 1.1 (2018): Current and Target Profiles
    CSF 2.0 (2024): Current, Target, and new Community Profiles

  Implementation guidance
    CSF 1.1 (2018): Limited; separate companion documents
    CSF 2.0 (2024): Expanded with implementation examples and quick‑start guides

  Framework title
    CSF 1.1 (2018): “Framework for Improving Critical Infrastructure Cybersecurity”
    CSF 2.0 (2024): “The NIST Cybersecurity Framework (CSF) 2.0”

  International alignment
    CSF 1.1 (2018): Referenced internationally but U.S.‑focused language
    CSF 2.0 (2024): Explicitly designed for global applicability

Citing This Document (APA 7)

CSF 2.0 is treated as a group‑author report in APA 7. The issuing agency is the author, and its parent department (the U.S. Department of Commerce) is the publisher. Because the National Institute of Standards and Technology has a common abbreviation (NIST), APA 7 allows the abbreviation to be introduced on first in‑text use and reused thereafter.

Format Demonstration
Reference list entry
National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). U.S. Department of Commerce. https://doi.org/10.6028/NIST.CSWP.29
First in‑text citation (introduces the abbreviation)
(National Institute of Standards and Technology [NIST], 2024)
Subsequent in‑text citations
(NIST, 2024)
Narrative citation
The National Institute of Standards and Technology (NIST, 2024) introduced Govern as the sixth core function of the Cybersecurity Framework.

Remember that APA 7 encourages but does not require page numbers for paraphrased material, which is convenient for long technical documents. Cite the section or function name (for example, “Govern” or “Appendix B”) if you need to point the reader to a specific location within the framework.

References

  1. National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). U.S. Department of Commerce. https://doi.org/10.6028/NIST.CSWP.29
  2. National Institute of Standards and Technology. (2018). Framework for improving critical infrastructure cybersecurity, version 1.1. U.S. Department of Commerce. https://doi.org/10.6028/NIST.CSWP.04162018