What changed in CSF 2.0.
NIST released CSF 2.0 in February 2024, and the update is more significant than a version bump. The original framework, published in 2014, was designed for critical infrastructure sectors like energy, water, and financial services. CSF 2.0 broadens the scope explicitly to all organizations, regardless of size or sector. If you are a 50-person SaaS company, this framework was designed with you in mind.
The biggest structural change is the addition of a sixth core function: Govern. The original five functions (Identify, Protect, Detect, Respond, Recover) focused on the operational side of cybersecurity. Govern adds the organizational context that was always implied but never formalized: risk management strategy, roles and responsibilities, policy oversight, and supply chain risk management.
Other notable changes include expanded supply chain risk management guidance, improved alignment with other frameworks and standards (making cross-mapping easier), new emphasis on continuous improvement and cybersecurity measurement, and better guidance on using the framework's implementation tiers as a maturity model rather than a compliance checklist.
If you built your program around CSF 1.1, the transition to 2.0 is not a complete overhaul. Your existing controls map forward. The main work is incorporating the Govern function and updating your documentation to reflect the new subcategory structure. For organizations starting fresh, CSF 2.0 provides a cleaner, more comprehensive starting point.