
NIST CSF 2.0 in plain English: what changed and why it matters

NIST CSF 2.0 added Govern as a sixth function and reorganized how small and mid-market organizations should think about cybersecurity. A practitioner's translation.

Atticus Rowan

NIST released Cybersecurity Framework 2.0 in February 2024, and cyber insurance renewal questionnaires began referencing it specifically through the 2024-2026 renewal cycles. A question that has surfaced across mid-market renewals, updating wording from earlier questionnaires that referenced CSF 1.1, is: “Does your organization operate under a documented cybersecurity framework aligned with NIST Cybersecurity Framework 2.0?” The reasonable first question when this lands on an IT lead’s desk is: what actually changed, and does the existing program need to be redone?

The short answer: nothing blew up and no, an existing program built against CSF 1.1 does not need to be torn down. The longer answer is worth understanding, because NIST CSF 2.0 is going to be the default cybersecurity framework reference in small and mid-market cybersecurity for the next five-plus years and it reorganizes the conversation in ways that actually help smaller organizations.

What NIST CSF is, briefly

NIST CSF, Cybersecurity Framework, is a voluntary framework published by the National Institute of Standards and Technology. It is organized around high-level “functions” that describe what a cybersecurity program does, at the level of “identify your assets,” “protect them,” “detect attacks,” and so on. It is deliberately not a checklist and deliberately not prescriptive about which tools or controls to use. It is a structured way to have the cybersecurity conversation.

Version 1.1 (2018) had five functions: Identify, Protect, Detect, Respond, Recover. Version 2.0 (released February 2024) has six: Govern, Identify, Protect, Detect, Respond, Recover.

The addition of Govern is the headline change. The five operational functions are largely unchanged in intent.

Why Govern matters and what’s in it

In practice, nearly every cybersecurity failure we investigate at small and mid-market organizations traces back to a governance gap: someone assumed someone else was handling something, policies existed on paper but not in practice, roles were not clear, risk was not tracked. CSF 1.1 addressed governance inside each function; 2.0 pulls it out into its own function and makes it the first thing a program has to articulate.

The Govern function covers:

  • Organizational context, what does the business actually do and what are its risk tolerances?
  • Risk management strategy, how does the organization make risk decisions and who makes them?
  • Cybersecurity supply chain risk management, what about your vendors?
  • Roles, responsibilities and authorities, who owns what?
  • Policy, what’s written down and kept current?
  • Oversight, how does leadership (or the board, for portco scenarios) see what’s happening?

For a 40-person manufacturer, Govern does not mean writing a 200-page GRC binder. It means having documented answers, short ones, to questions like: “Who decides whether we pay a ransomware demand?” “Where do we record cybersecurity risks we have chosen to accept rather than mitigate?” “When an employee leaves, who removes their vault access and their VPN certificate?” Those documented answers are what a cyber insurance underwriter, customer auditor, or PE diligence team is actually looking for.

The other five functions, what (barely) changed

Identify, catalog your assets, data and the vendors you depend on. Updated in 2.0 to pull the vendor-risk components up into Govern (supply chain) while keeping the asset-inventory components here.

Protect, the controls that reduce the likelihood of a successful attack. Access management, awareness training, data security, technology infrastructure resilience. Substantially the same in 2.0 as in 1.1.

Detect, the capability to notice when something is happening. Monitoring, anomaly detection, alerting. In 2.0, slightly clearer about continuous monitoring as an ongoing activity rather than an occasional scan.

Respond, what you do when something happens. Incident response plan, communications, analysis, mitigation. Substantially the same in 2.0.

Recover, how you get back to normal. Recovery planning, communications, improvements post-incident. Substantially the same in 2.0.

What small and mid-market organizations should actually do

If your organization is under 200 employees and has never formally aligned to NIST CSF, here is the minimum viable program:

  1. Pick a tier, CSF 2.0 keeps the four-tier maturity scale (Partial, Risk Informed, Repeatable, Adaptive). For most small and mid-market firms, Tier 2 (Risk Informed) is a realistic target; Tier 3 (Repeatable) is where programs become genuinely durable. Tier 4 is typically reserved for larger regulated organizations.

  2. Document roles, one page listing who owns which function. For a small firm, several functions often map to the same person or to an MSP engagement. That is fine. What matters is the documentation.

  3. Inventory assets, computers, servers, cloud services, data types and vendors. A spreadsheet is fine. Updated quarterly is fine.

  4. Write short policies, access management, acceptable use, incident response, backup and change management at minimum. Five to ten pages each. Reviewed annually.

  5. Document controls, for each core control, what you do, how you know it is working and who is responsible. This is the evidence layer that cyber insurance underwriters and customer reviews actually examine.

  6. Test incident response, one documented tabletop exercise per year, minimum. More if you have a higher risk profile.

That program, maintained, covers the substance of what 90% of cyber insurance questionnaires and customer security reviews ask about. It is also what most PE diligence processes are checking for under their own labeling.

CSF 2.0 in practice at Atticus Rowan

Our day-to-day compliance work, cyber insurance renewal support, customer security review response, vendor risk management, and PE portfolio standardization, uses NIST CSF 2.0 as the default organizing structure. We map each control to the corresponding CSF function, maintain the evidence under that structure and produce the reporting in that language. When a carrier or customer asks “what framework do you operate under,” the answer is documentable and defensible.

SOC 2 readiness work layers on top of this for companies pursuing formal Type I or Type II audits. NIST 800-171 applies when there is federal supply-chain exposure. Both use CSF as a conceptual scaffolding even when the specific control set differs.

If your organization is preparing for a cyber insurance renewal, a customer security review or a PE diligence cycle and the CSF 2.0 reference has surfaced, schedule a discovery call. We can talk through where your current program maps and where the gaps are.