Blog
/
Product Updates
/
NIST CSF 2.0 vs 1.1: What changed and why it matters for your cybersecurity program

NIST CSF 2.0 vs 1.1: What changed and why it matters for your cybersecurity program

8
min read
Published on
Apr 10, 2024
Updated on
Jul 6, 2026
Authored by
Megha Thakkar
Technical Content Writer, CISA, ACPA (Australia), CA Intermediate (India)
reviewed by
Team Scrut
Table of contents
Key Takeaways
  • NIST CSF 2.0 is the first major update to the framework since 2018.
  • The biggest change is the new ‘Govern’ function, making cybersecurity governance and leadership accountability central.
  • The framework now applies to all organizations, not just critical infrastructure.
  • CSF 2.0 strengthens supply chain risk management and maps directly to NIST SP 800-53 Rev. 5.
  • It now includes 6 functions, 22 categories, and 106 subcategories.

Cybersecurity programs have changed significantly since the release of NIST CSF 1.1. Cloud adoption, third-party dependencies, evolving threats, and increasing regulatory expectations have made it harder for organizations to manage cyber risk with fragmented processes.

NIST CSF 2.0, released in 2024, addresses these challenges by expanding the framework’s scope, introducing the new Govern function, strengthening supply chain risk management, and providing clearer guidance for organizations of all sizes.

Whether you are transitioning from CSF 1.1 or adopting the framework for the first time, understanding these changes is key to building a cybersecurity program that is measurable, risk-driven, and easier to operationalize.

What is the NIST Cybersecurity Framework (CSF)?

The NIST Cybersecurity Framework (CSF) is a voluntary, outcome-based framework published by the National Institute of Standards and Technology that helps organizations understand, manage, and reduce cybersecurity risk. It does not prescribe specific tools or technologies. Instead, it defines the outcomes a mature security program should achieve.

First released in 2014 and updated to version 1.1 in April 2018, the CSF became the common language for cybersecurity programs, especially across US critical infrastructure. But ransomware, remote work, cloud-native architectures, and supply chain attacks exposed gaps 1.1 was never designed to address. NIST began revising the framework in February 2022 and, according to NIST, received more than 2,500 public comments before publishing CSF 2.0 on February 26, 2024.

How does CSF differ from other NIST publications?

These three publications work as layers, not alternatives:

  • NIST CSF is strategic. It defines what cybersecurity outcomes you should achieve.
  • NIST SP 800-53 is tactical. It catalogs the security and privacy controls that implement those outcomes (csrc.nist.gov SP 800-53 Rev. 5).
  • NIST SP 800-52 is technical. It specifies how to configure TLS so data in transit stays encrypted to federal standards (SP 800-52 Rev. 2).

In practice, CSF sets priorities, while NIST SP 800-53 provides detailed security and privacy controls that organizations can implement.

What is the difference between NIST CSF 2.0 and 1.1?

The short answer: CSF 2.0 adds a sixth core function (Govern), drops the critical infrastructure framing so the framework applies to every organization, deepens supply chain risk coverage, and ships with direct control mappings to SP 800-53 Rev. 5 plus quick-start implementation guides. CSF 1.1 had 5 functions, 23 categories, and 108 subcategories; CSF 2.0 restructures this into 6 functions, 22 categories, and 106 subcategories.

Aspect NIST CSF 1.1 (2018) NIST CSF 2.0 (2024)
Target audience Primarily US critical infrastructure All organizations, any sector or size
Core functions 5 (Identify, Protect, Detect, Respond, Recover) 6 (adds Govern)
Structure 5 functions, 23 categories, 108 subcategories 6 functions, 22 categories, 106 subcategories
Governance Scattered across Identify Dedicated Govern function with leadership accountability
Supply chain risk Limited emphasis Dedicated GV.SC category, aligned to SP 800-53 SR controls
SP 800-53 integration Indirect references Direct mappings to Rev. 5 controls
Secure communications Not explicitly referenced Encourages alignment with SP 800-52 for TLS
Implementation support Few examples Quick-start guides, implementation examples, community profiles, online reference tool
Language Technical, implementation-heavy Simplified for executives and non-specialists

What are the six core functions of NIST CSF 2.0?

CSF 2.0 organizes cybersecurity outcomes into six functions. Govern surrounds the other five functions in NIST’s CSF 2.0 model because it guides how cybersecurity risk management is established and maintained.

 

Core functions of NIST CSF 2.0

  1. Govern: Establish and monitor the cybersecurity risk management strategy, policies, roles, and oversight.
  2. Identify: Understand organizational context, assets, risks, and supply chain dependencies.
  3. Protect: Safeguard systems and data through access management, training, and data security controls.
  4. Detect: Discover anomalies and security events in time to act.
  5. Respond: Execute incident response plans to contain and mitigate incidents.
  6. Recover: Restore operations and apply lessons learned to improve resilience.

Each function breaks down into categories and subcategories that describe specific, measurable outcomes.

What are the major changes introduced in NIST CSF 2.0?

1. The new ‘Govern’ function makes leadership accountable

Govern is the headline change. It formalizes cybersecurity governance: defined responsibilities, risk appetite, policy oversight, and executive accountability. The signal is unambiguous: cybersecurity is an enterprise risk owned by leadership, not an IT problem delegated downward.

In our experience at Scrut, this is the change that lands hardest in practice. Compliance teams we work with frequently report that the Govern function is what finally gets board-level attention and budget for programs that previously stalled at the IT director level.

2. The framework now applies to every organization

CSF 1.1 was written for critical infrastructure. CSF 2.0 deliberately removes that framing. The official title changed from “Framework for Improving Critical Infrastructure Cybersecurity” to simply “The NIST Cybersecurity Framework,” and the language now addresses startups, SMBs, schools, and nonprofits alongside federal contractors.

3. Supply chain risk gets its own category

Supply chain compromise is now mainstream attack tradecraft, and according to the Verizon Data Breach Investigations Report, third-party involvement in breaches has risen sharply year over year. CSF 2.0 responds with the GV.SC (Cybersecurity Supply Chain Risk Management) category under the Govern function, which covers vendor oversight, contractual security requirements, and continuous third-party monitoring, operationalized through SP 800-53's SR control family.

4. Direct mappings to SP 800-53 Rev. 5

CSF 2.0 ships with informative references that map each subcategory to specific SP 800-53 Rev. 5 controls. This closes the long-standing gap between framework objectives and technical execution and makes it far easier to unify CSF work with FISMA, FedRAMP, and StateRAMP obligations.

5. Better profiles, tiers, and implementation guidance

The Current Profile and Target Profile model is retained but now comes with templates, worked examples, and community profiles for specific sectors. NIST also published quick-start guides for small businesses and enterprise risk managers, plus a searchable CSF 2.0 Reference Tool.

6. Emphasis on securing data in transit

Under Protect and Detect, CSF 2.0 points implementers toward SP 800-52 Rev. 2 for TLS configuration: modern protocol versions, approved cipher suites, and certificate management. CSF stays outcome-focused; SP 800-52 supplies the technical specifics.

7. Expanded mappings to international and industry standards

CSF 2.0 maps to ISO/IEC 27001:2022, CIS Controls v8, and the CSA Cloud Controls Matrix, and organizations commonly cross-walk it to GDPR, HIPAA, and PCI DSS requirements. For teams managing several frameworks at once, this is the difference between one unified control set and five parallel audits. See Scrut's guide on choosing a cyber risk management framework for how these standards interrelate.

What stayed the same in CSF 2.0?

Continuity matters: organizations adhering to CSF 1.1 are not starting over.

 

  • The original five functions remain. Identify, Protect, Detect, Respond, and Recover are unchanged in intent. Govern complements them rather than replacing anything.
  • The risk-based, outcomes-focused approach remains. CSF still avoids prescribing tools and lets you prioritize by your own threat landscape.
  • Tiers and profiles remain. The four implementation tiers (Partial, Risk Informed, Repeatable, Adaptive) still describe risk management maturity, and the profile model still drives gap analysis.
  •  Interoperability remains. CSF 2.0 still functions as the bridge between governance and detailed technical guidance like SP 800-53 and SP 800-52.

 

Who needs the NIST Cybersecurity Framework?

Any organization that manages cybersecurity risk can use the CSF, and although adoption is voluntary, the framework is referenced so often in RFPs, vendor assessments, and cyber insurance questionnaires that it functions as a de facto requirement in many industries.

 

Typical adopters include enterprises and federal contractors maturing existing programs, SMBs needing a structured starting point, government agencies responding to executive orders, and SaaS vendors demonstrating readiness to enterprise buyers. One Scrut customer, a mid-market healthtech company, adopted CSF 2.0 because three hospital prospects asked for CSF alignment in security questionnaires before signing.

How do you transition from CSF 1.1 to CSF 2.0?

Based on migration projects Scrut's compliance experts have supported, a practical transition follows five steps:

  1. Map your current state. Crosswalk your existing 1.1 profile to the 2.0 structure using NIST's transition resources.
  2. Stand up the ‘Govern’ function. Document risk strategy, assign named owners, and establish board reporting. This is usually the largest net-new effort.
  3. Assess supply chain coverage. Compare your vendor risk process against the GV.SC category outcomes.
  4. Rebuild your target profile. Define where you want to be in 12 to 24 months using the 2.0 categories.
  5. Close gaps with mapped controls. Use the SP 800-53 Rev. 5 mappings to translate each gap into concrete controls.

How Scrut helps you operationalize CSF 2.0

 

Scrut helps teams move from CSF 2.0 requirements to an actionable cybersecurity program with pre-mapped controls, guided risk assessments, and automated evidence collection.

Teams can manage the new ‘Govern’ function, track control ownership, and identify gaps across the CSF 2.0 framework.

With continuous monitoring and cross-framework mapping, Scrut helps security teams stay audit-ready while aligning CSF 2.0 with standards like ISO 27001 and SOC 2.

Build a CSF 2.0-aligned security program without the manual effort. Schedule a demo today.

FAQs
Is NIST CSF 2.0 mandatory?

No. CSF 2.0 is voluntary for private organizations. However, federal agencies are directed to use it, and it is frequently required

When was NIST CSF 2.0 released?

NIST published CSF 2.0 on February 26, 2024, following a two-year revision process that drew more than 2,500 public comments.

What is the main difference between CSF 1.1 and CSF 2.0?

The single biggest difference is the new Govern function, which elevates cybersecurity governance and executive accountability to a core function. Expanded scope and supply chain coverage are the other two headline changes.

Do I need to restart my program if I built it on CSF 1.1?

No. The five original functions carry over largely intact. Most organizations transition by cross-walking their existing profile, then building out Govern and supply chain coverage as net-new work.

How does CSF 2.0 relate to ISO 27001?

They are complementary. CSF 2.0 is a free, outcomes-based framework; ISO 27001 is a certifiable management system standard. NIST publishes informative references mapping CSF 2.0 to ISO/IEC 27001:2022, so evidence collected for one substantially supports the other.

Liked the post? Share on:
Choose risk-first compliance that’s always on, built for you.
Book a Demo
Book a Demo
Enjoyed this post? Let us know!

About Scrut Automation

Scrut Automation is a modern GRC platform designed to help fast-growing organizations simplify security, compliance, and risk management.

By combining continuous automation with expert guidance, Scrut reduces manual workloads, accelerates audit readiness, and empowers teams to scale their security posture confidently.

From HIPAA and SOC 2 to ISO 27001, GDPR, PCI, and beyond; Scrut helps teams achieve multi-framework compliance with ease.

Join our community and be the first to know about updates!

Subscribe
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Choose risk-first compliance that’s always on, built for you, and never in your way.

The Scrut Platform helps you move fast, stay compliant, and build securely from the start.

Book a Demo
Book a Demo