NIST CSF 2.0, Explained for People Who Have to Use It

A vendor questionnaire crossed my desk last quarter with a section I'd started seeing more frequently: "Describe how your security program aligns to NIST CSF 2.0 and indicate your tier for each function." The company had updated its supply chain risk process from 1.1 to 2.0 language, and responses that couldn't speak to the new structure were getting flagged for follow-up calls.

That's the moment most practitioners actually need to understand this framework: not when a consultant recommends it at a strategy offsite, but when a customer is waiting for a specific answer.

What the framework actually is

The NIST Cybersecurity Framework is a voluntary document produced by the National Institute of Standards and Technology, a US federal agency. Version 2.0 was released in February 2024 and represents the first major revision since the original shipped in 2014.

Three things worth getting straight before anything else:

It's voluntary. No US regulation requires you to use it (barring specific federal agency contracts). What drives adoption is market pressure: enterprise buyers and cyber insurers have adopted CSF 2.0 as a benchmark for what a reasonable security program looks like. When they ask, you need a coherent answer.

There's no certificate. You can't "pass" NIST CSF. There's no accredited auditor who issues a report. If a customer asks whether you're "NIST CSF compliant," the accurate answer is something like "we align our program to the framework," because no formal compliance state exists to achieve.

The scope expanded significantly. CSF 1.1 was explicitly aimed at critical infrastructure operators: power grids, hospitals, financial institutions. Version 2.0 is designed for organizations of all sizes, sectors, and sophistication levels. That's a deliberate change, and it's why CSF 2.0 language now shows up in questionnaires from SaaS companies that have no critical infrastructure angle at all.

The six functions

CSF 1.1 organized security outcomes into five functions: Identify, Protect, Detect, Respond, and Recover. CSF 2.0 adds a sixth, Govern, and places it at the center of the framework diagram, touching all five operational functions.

A quick read on each:

Govern: Establishes and monitors the organization's cybersecurity risk strategy, policies, and roles. New in 2.0 and covers more ground than any other function: organizational context, risk management strategy, roles and responsibilities, policies, oversight, and supply chain risk management. More on this below.

Identify: Understand what you have and what risks it carries. Asset management, risk assessment, the business environment your program operates in. This is the foundation everything else builds on.

Protect: Put controls in place. Access management, data protection, training, secure configuration, resilient infrastructure. Most teams are already doing work in this function; they may just not have given it a name.

Detect: Continuously monitor for threats and anomalies. Logging, alerting, threat intelligence. The difference between detecting a breach in hours versus months almost always traces back to Detect function gaps.

Respond: Handle incidents when they happen. Response planning, containment, communications, analysis.

Recover: Restore operations after disruption. Backups, continuity planning, post-incident improvements.

The five operational functions form a cycle. Govern provides the strategy and accountability that make the cycle run in practice rather than exist only on paper.

Where most programs actually have gaps

In CSF 1.1, governance topics were distributed across the Identify function as a handful of subcategories. Pulling them into their own first-class function sends a clear message: security programs fail at the governance level just as often as at the technical level.

What the Govern function asks about:

• Does the organization have a documented cybersecurity risk strategy, and do the people who make security decisions actually know what it says?
• Are roles and responsibilities clearly assigned, and do the people who hold them understand what they own?
• Is leadership getting useful security reporting, not just assurance that everything's fine?
• How are you managing risks from the vendors and third parties in your supply chain?

That last item is where 2.0 got notably more specific. CSF 1.1 had five supply chain risk management subcategories. Version 2.0 doubled that to ten. If you run a SaaS product, your customers' questionnaires may now probe your vendor vetting process in detail, which is the same question a SOC 2 auditor raises when reviewing vendor risk.

For most programs, the Govern function surfaces gaps that live above the engineering layer: documentation, decision-making accountability, executive reporting. Those are slower to fix than a missing firewall rule, and they tend to be what gets exposed in real incidents and post-breach investigations.

Tiers and profiles

Two components of the framework often get skipped when people only read the function summaries.

Tiers describe how mature your program is, on a four-point scale:

• Tier 1 (Partial): Cybersecurity is managed reactively. Practices may exist but aren't consistently applied across the organization.
• Tier 2 (Risk Informed): Practices are in place but may not be organization-wide. Risk awareness is uneven.
• Tier 3 (Repeatable): Documented, organization-wide processes reviewed and updated on a regular cycle. Risk management is integrated into broader business decisions.
• Tier 4 (Adaptive): The program continuously learns and evolves based on threat intelligence and lessons from incidents.

Tiers aren't levels you have to reach in sequence. They're a self-assessment tool. A small startup doesn't need Tier 4 discipline, and spending toward it is waste, not prudence. A healthcare SaaS handling patient records at scale probably shouldn't still be at Tier 1 when an incident happens and regulators or legal counsel start asking questions.

Profiles let you compare your current state against where you want to be. A Current Profile describes your program today. A Target Profile describes the outcomes you're working toward. The gap between them is your roadmap.

This is the most practically useful part of the framework for making a security investment case to leadership. Showing a documented Current Profile and a reasoned Target Profile gives executives something concrete to evaluate, without requiring them to understand specific technical controls or framework jargon.

How CSF 2.0 fits with what you're already doing

If you're working toward SOC 2 or ISO 27001, CSF 2.0 doesn't replace either. It sits alongside them as a risk management vocabulary.

SOC 2 is an attestation: a CPA firm tests your controls and issues a written report you hand to customers who ask. CSF 2.0 is an organizing structure for describing how your program is designed. They answer different questions for different audiences. The frameworks guide covers how to decide which certifications and standards to prioritize first and in what order.

ISO/IEC 27001 and CSF 2.0 speak a compatible language. ISO's Annex A controls map directly onto CSF functions; if you hold ISO 27001, mapping your existing controls to CSF takes hours rather than months. Coverage in Identify, Protect, Detect, Respond, and Recover will typically be solid; the Govern function is usually where the gaps show. The structure of ISO's management system requirements is covered in ISO 27001 explained.

One thing worth saying plainly: CSF is not a shortcut around doing the actual work. It won't get you a report to hand a customer, it won't produce a certificate, and it won't build any controls for you. What it does well is give you a shared vocabulary for talking about your security program with buyers, insurers, and boards, and a structured way to spot where that program is thin.

Where to start

NIST publishes the full framework document free. It runs about 32 pages and is more readable than most government publications at that length.

Start with a rough Current Profile. Walk through the six functions, note what your program actually does or doesn't cover in each, and estimate a tier with something approaching honesty. The Govern function gaps you surface will probably point toward documentation and accountability work more than new technical controls. The supply chain gaps you find mirror the vendor vetting gaps your SOC 2 auditor will raise in the same conversation.

If a customer has asked specifically for your CSF 2.0 alignment, a brief one-pager walking through each function with concrete specifics about your program goes further than a boilerplate checkbox response. The goal is to answer the underlying question they're actually asking: how do you think about and manage security risk across your organization?

Get the templates we actually use.

One practical email a week: a new template, a teardown of a real framework requirement, and the occasional honest tool review. No fluff, unsubscribe anytime.

Send me the templates

No spam. Unsubscribe in one click.