
NIST CSF 2.0: What Changed and Which Policies You Need

NIST Cybersecurity Framework 2.0 (CSF 2.0) was released on 26 February 2024, the most significant update since the framework's original publication in 2014. The headline change is a new sixth function, Govern, but the update goes further: broader scope, stronger supply chain guidance, expanded guidance on Organisational Profiles, and refreshed informative references to ISO/IEC 27001:2022, CIS Controls v8 and NIST SP 800-53. This guide covers what changed, which policies each function calls for, and how to map your existing programme to CSF 2.0.

What Is NIST CSF?

The NIST Cybersecurity Framework is a voluntary framework developed by the National Institute of Standards and Technology (NIST) to help organisations manage cybersecurity risk. Originally designed for US critical infrastructure, it has become the de facto cybersecurity baseline for organisations worldwide — from enterprise technology companies to NHS trusts benchmarking their security posture.

CSF 2.0 is voluntary for most organisations. US federal agencies are required to use it under Executive Order 13800, and it is widely expected of federal contractors alongside their NIST SP 800-171 obligations. In the UK and EU it is increasingly requested by enterprise buyers and cyber insurers as evidence of systematic security management.

What Changed in NIST CSF 2.0?

1. New Govern Function (GV)

The biggest structural change is the addition of a sixth function: Govern. In CSF 1.1, governance sat mainly in the Identify function's Governance category (ID.GV), alongside the other Identify outcomes. CSF 2.0 elevates it to its own function and places it at the centre of the framework's wheel diagram, because it informs how each of the other five functions is carried out: effective cybersecurity starts at board and leadership level.

The Govern function has six categories: Organisational Context (GV.OC), Risk Management Strategy (GV.RM), Roles, Responsibilities and Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV) and Cybersecurity Supply Chain Risk Management (GV.SC). Everything else in the framework depends on these being in place first.

2. Expanded Scope

CSF 1.1 was explicitly scoped to critical infrastructure. CSF 2.0 removes this restriction — it is designed for all organisations, regardless of size, sector, or geographic location. This reflects the reality that every organisation with digital assets has cybersecurity risk.

3. Strengthened Supply Chain Risk Management

Supply chain risk management was a single Identify category (ID.SC) in CSF 1.1. CSF 2.0 moves it into Govern as GV.SC and expands it to ten subcategories covering supplier requirements, contracts, due diligence, ongoing monitoring and relationship termination, reflecting high-profile incidents like SolarWinds and the growing regulatory focus on vendor risk (DORA, NIS2).

4. Better Framework Alignment

CSF 2.0 publishes its informative references through NIST's online Cybersecurity and Privacy Reference Tool (CPRT), mapping each subcategory to ISO/IEC 27001:2022, CIS Controls v8, NIST SP 800-53 Rev. 5 and other frameworks, which makes cross-framework compliance significantly easier to document. The references live in the online tool rather than in the PDF, so check the tool for the current version before relying on a mapping.

The 6 Functions and the Policies They Require

Function | Code | Key Policies Required
Govern | GV | Cybersecurity Policy, Risk Management Strategy, Roles & Responsibilities, Supply Chain Risk Policy
Identify | ID | Asset Management Policy, Risk Assessment Policy (including vulnerability management), Improvement / Lessons Learned Process
Protect | PR | Identity and Access Control Policy, Data Protection Policy, Security Awareness Training Policy, Change Management Policy, Secure Configuration Policy
Detect | DE | Security Monitoring Policy, Adverse Event Analysis Policy, Log Management Policy
Respond | RS | Incident Response Policy, Communication Policy, Incident Analysis Policy
Recover | RC | Business Continuity Policy, Disaster Recovery Policy, Recovery Testing Policy

Note that the Business Environment category (ID.BE in CSF 1.1) has moved into Govern as GV.OC, so a legacy Business Environment policy now belongs with your Govern documentation rather than Identify.

Deep Dive: The Govern Function

Because Govern is new in CSF 2.0, most organisations need to create or update policies specifically for it:

GV.OC — Organisational Context

Requires documenting your organisation's mission, stakeholders, legal and regulatory requirements, and cybersecurity objectives. Typically captured in a Cybersecurity Risk Strategy document reviewed annually by senior leadership.

GV.RM — Risk Management Strategy

A Risk Management Strategy policy that defines: risk appetite and tolerance, how risk is expressed (qualitative vs quantitative), risk acceptance criteria, and how the risk register is maintained and reviewed. This is distinct from a risk assessment — it's the framework for how risk decisions are made.

GV.SC — Supply Chain Risk Management

A standalone Vendor and Supply Chain Risk Policy covering: how vendors are classified by risk tier, security requirements per tier (questionnaire, contract clauses, audit rights), onboarding and off-boarding procedures, and periodic review cadence. CSF 2.0 expects this to be a mature, documented process — not ad hoc vendor reviews.

GV.RR — Roles, Responsibilities and Authorities

Documents who is responsible and accountable for each cybersecurity function, and what authority they hold: not just "the CISO" but named roles down to team level, including the leadership commitment to resource the programme. Often captured in a RACI matrix or embedded in the Information Security Policy.

GV.PO — Policy

Meta-requirement: you need a policy about your policies. A Policy Management Policy that defines: how policies are created, approved, distributed, and reviewed; version control requirements; and how employees are trained on and acknowledge policies.

GV.OV — Oversight

Requires that the outcomes of the risk management strategy are reviewed and used to adjust it, and that the performance of the cybersecurity programme is evaluated. In practice this means a defined cadence of leadership reviews of risk register movements, metrics and audit findings, with the decisions recorded so the strategy is demonstrably being steered rather than just restated each year.

Implementing NIST CSF 2.0: Where to Start

The four-step implementation path, built around CSF 2.0's Organisational Profiles:

  1. Current Profile — Map existing policies and controls to CSF 2.0 categories and subcategories, recording which outcomes are achieved, partially achieved or not addressed
  2. Target Profile — Decide which outcomes you need to reach and at what rigour, choosing a target Tier (1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive) based on your risk profile; Tiers characterise the rigour of your governance and risk management practices as a whole and apply to the Profile rather than being picked per function
  3. Gap remediation — Write missing policies, update existing ones, and implement the controls that close the gap between the Current and Target Profiles
  4. Ongoing improvement — Annual reviews, incident-driven updates (captured under ID.IM), and framework alignment checks

Prioritisation for First-Time Implementations

If you're starting from scratch, prioritise in this order: Govern (you can't manage what you haven't defined), then Identify (you can't protect what you don't know you have), then Protect (controls with the highest risk reduction ROI), then Detect, Respond, and Recover.

NIST CSF 2.0 vs ISO/IEC 27001:2022

NIST CSF 2.0 and ISO/IEC 27001:2022 are complementary, not competing. ISO 27001 is a certifiable standard: it specifies a management system (scope, risk assessment, Statement of Applicability, internal audit, management review) and an Annex A control set whose inclusion or exclusion you must justify. CSF 2.0 is a flexible framework for understanding and managing cybersecurity risk with no certification. Organisations pursuing ISO 27001 certification will find that a CSF 2.0 implementation covers most of ISO 27001's policy-level requirements, though not the certification-specific artefacts such as the Statement of Applicability and internal audit programme. CSF 2.0's new Govern function maps closely to ISO 27001's leadership (Clause 5) and planning (Clause 6) requirements.

NIST CSF 2.0 Policy Pack

PolicySuite includes a NIST CSF 2.0 policy bundle with all 18 policies mapped to framework subcategories. Built-in gap analysis shows exactly which CSF 2.0 outcomes your current policies cover.

