NIST Cybersecurity Framework 2.0: Complete Guide to the 6 Core Functions, Tiers & Profiles
Table of Contents
- What Is the NIST Cybersecurity Framework 2.0?
- What Changed: CSF 2.0 vs. CSF 1.1
- The CSF Core: How Functions, Categories & Subcategories Work
- Govern: The New Central Function
- Identify, Protect & Detect: Prevention and Preparedness
- Respond & Recover: Managing Cybersecurity Incidents
- Implementation Tiers: Measuring Cybersecurity Rigor
- Organizational Profiles: Current State to Target State
- Practical Steps to Implement NIST CSF 2.0
- Frequently Asked Questions
📌 Key Takeaways
- New Govern function: CSF 2.0 adds a sixth core function — Govern — placing cybersecurity governance at the center of the entire framework.
- Universal scope: The framework now applies to all organizations regardless of size or sector, not just critical infrastructure.
- Six core functions: Govern, Identify, Protect, Detect, Respond, and Recover provide a complete taxonomy of cybersecurity outcomes.
- Four implementation tiers: Organizations can assess their cybersecurity rigor from Partial (Tier 1) to Adaptive (Tier 4).
- Organizational profiles: Current and target profiles help identify gaps and prioritize improvements aligned with business objectives.
What Is the NIST Cybersecurity Framework 2.0?
The NIST Cybersecurity Framework (CSF) 2.0 is a comprehensive guidance document published by the National Institute of Standards and Technology on February 26, 2024. It represents the first major update to the framework since version 1.1 was released in 2018, and it fundamentally reshapes how organizations approach cybersecurity risk management.
At its core, the NIST cybersecurity framework 2.0 provides a taxonomy of high-level cybersecurity outcomes — not a checklist of specific controls or technologies, but a structured way to think about what your organization needs to achieve. The framework is deliberately technology-neutral, sector-agnostic, and country-independent, making it applicable whether you run a Fortune 500 enterprise, a government agency, a university, or a ten-person startup.
The framework consists of three primary components that work together:
- CSF Core — A hierarchy of Functions, Categories, and Subcategories that describe desired cybersecurity outcomes
- CSF Organizational Profiles — Mechanisms to describe an organization's current and target cybersecurity posture
- CSF Tiers — A scale that characterizes the rigor of an organization's cybersecurity risk governance and management practices
Organizations use these three components to understand and assess their cybersecurity posture, prioritize actions based on mission requirements, and communicate about cybersecurity risks using a common language. This last point is especially significant: the CSF has become the lingua franca for cybersecurity discussions between technical teams, executives, boards of directors, regulators, and business partners worldwide.

What Changed: CSF 2.0 vs. CSF 1.1
If you are familiar with the original NIST cybersecurity framework, the 2.0 update introduces several transformative changes. Understanding these differences is essential for organizations that built their programs around version 1.1 and need to evolve their approach.
The Addition of Govern as a Core Function
The most visible change is the introduction of Govern (GV) as a brand-new sixth function, positioned at the center of the framework. In CSF 1.1, governance concepts were scattered across the Identify function (notably the Business Environment, Governance, and Risk Management Strategy categories) and the informative references. CSF 2.0 elevates governance to a first-class citizen, recognizing that cybersecurity risk management must be integrated with enterprise risk management and driven by organizational leadership.
Expanded Scope Beyond Critical Infrastructure
The original framework was titled "Framework for Improving Critical Infrastructure Cybersecurity." CSF 2.0 drops that title entirely. The new framework is explicitly designed for all organizations — from small businesses to multinational corporations, from healthcare providers to fintech startups, from academic institutions to nonprofits. This reflects the reality that cybersecurity risk is universal, not limited to organizations designated as critical infrastructure.
Enhanced Supply Chain Risk Management
CSF 2.0 significantly expands guidance on cybersecurity supply chain risk management (C-SCRM), dedicating an entire category within the Govern function. With ten subcategories, C-SCRM now covers supplier prioritization, contract requirements, due diligence, incident coordination, and post-relationship provisions. This addresses the growing threat landscape exemplified by incidents like SolarWinds and Log4Shell.
Restructured Categories and Subcategories
Many categories have been reorganized, merged, or renamed. For example, the identity and access control category moved from PR.AC to PR.AA, and the new Platform Security (PR.PS) category absorbs most of what 1.1 spread across Maintenance (PR.MA), Protective Technology (PR.PT), and Information Protection Processes and Procedures (PR.IP). The Detect function was streamlined from three categories to two. Gaps in subcategory numbering (ID.AM-06 is absent, for instance) mark places where 1.1 content was relocated or consolidated rather than dropped, so a 1.1-to-2.0 mapping has to follow the content of each outcome, not the numbers.
These changes reflect lessons learned from six years of real-world CSF implementation, feedback from thousands of stakeholders during the public comment period, and the rapidly evolving threat landscape that includes ransomware, supply chain attacks, cloud security challenges, and the emergence of AI-powered threats. Organizations currently using CSF 1.1 should plan a structured transition that maps their existing controls to the new framework structure.
The CSF Core: How Functions, Categories & Subcategories Work
The CSF Core is the heart of the NIST cybersecurity framework 2.0. It organizes cybersecurity outcomes into a three-level hierarchy that moves from broad strategic objectives to specific operational outcomes:
| Level | What It Represents | Example |
|---|---|---|
| Function | Highest-level cybersecurity objective | Protect (PR) |
| Category | Group of related outcomes within a function | Data Security (PR.DS) |
| Subcategory | Specific outcome statement | PR.DS-01: Confidentiality, integrity, and availability of data-at-rest are protected |
A critical design principle of the CSF Core is that the order and size of Functions, Categories, and Subcategories do not imply any sequence or relative importance. All six functions should be addressed concurrently and continuously, not treated as a linear progression. NIST groups them by purpose: actions supporting Govern, Identify, Protect, and Detect help prevent and prepare for incidents, while actions supporting Govern, Detect, Respond, and Recover help discover and manage incidents once they occur. Detect sits in both groups because monitoring is both a preparedness activity and the trigger for response, and Govern sits in both because it informs how every other function is implemented.
This structure allows organizations to map their existing security controls, policies, and tools directly to specific subcategories, quickly identify coverage gaps, and communicate priorities using a standardized language that resonates from the server room to the boardroom. Because every outcome carries a stable identifier (PR.DS-01, GV.SC-04, and so on), control inventories, audit findings, and risk registers can all be keyed to the same identifiers and compared mechanically rather than by hand.
Govern: The New Central Function
The Govern (GV) function is the most significant addition in CSF 2.0 and the change that most clearly differentiates it from version 1.1. Positioned at the center of the framework's visual model — with the other five functions orbiting around it — Govern establishes the strategic foundation for everything else.
The Govern function addresses a gap that many organizations experienced with CSF 1.1: cybersecurity programs were technically sound but disconnected from organizational strategy, insufficiently funded, or lacking executive accountability. Govern fixes this by explicitly requiring that cybersecurity risk management be integrated into the broader enterprise risk management (ERM) strategy.
Govern encompasses six categories with 31 subcategories:
- Organizational Context (GV.OC) — Understanding mission, stakeholder expectations, legal requirements, critical dependencies, and the broader environment in which cybersecurity decisions are made
- Risk Management Strategy (GV.RM) — Establishing risk appetite, tolerance statements, risk response options, communication lines, and standardized methods for calculating and prioritizing cybersecurity risks
- Roles, Responsibilities, and Authorities (GV.RR) — Defining who is accountable, ensuring adequate resources, fostering a risk-aware culture, and integrating cybersecurity into HR practices
- Policy (GV.PO) — Creating, communicating, and enforcing cybersecurity policies that reflect organizational priorities and adapt to changing threats and technologies
- Oversight (GV.OV) — Reviewing cybersecurity risk management performance, adjusting strategy based on results, and ensuring organizational requirements are continuously met
- Cybersecurity Supply Chain Risk Management (GV.SC) — Managing third-party risk across the entire supplier lifecycle, from due diligence through contract requirements to post-relationship provisions
The supply chain risk management category (GV.SC) alone contains ten subcategories, making it one of the most detailed areas of the entire framework. This emphasis reflects the reality that modern organizations depend on complex webs of suppliers, cloud providers, and technology partners — and that a breach at any point in the supply chain can cascade to devastating effect.
Identify, Protect & Detect: Prevention and Preparedness
The Identify, Protect, and Detect functions — together with Govern — form the preventive and preparedness pillars of the NIST cybersecurity framework 2.0. These functions work together to help organizations understand what they need to protect, implement appropriate safeguards, and detect when something goes wrong.
Identify (ID): Understanding Your Cybersecurity Risks
The Identify function ensures that the organization's current cybersecurity risks are understood. It covers three critical categories:
- Asset Management (ID.AM) — Maintaining inventories of hardware, software, services, data, and network flows, and prioritizing assets based on criticality and mission impact
- Risk Assessment (ID.RA) — Identifying vulnerabilities, gathering threat intelligence, assessing potential impacts and likelihoods, and prioritizing risk responses. New subcategories in 2.0 include assessing hardware/software authenticity (ID.RA-09) and evaluating critical suppliers (ID.RA-10)
- Improvement (ID.IM) — A new category that identifies improvements from evaluations, security tests, exercises, and operational processes across all six functions
Protect (PR): Implementing Safeguards
The Protect function focuses on safeguards to manage cybersecurity risks. CSF 2.0 reorganizes this function into five categories:
- Identity Management, Authentication, and Access Control (PR.AA) — Managing identities, credentials, authentication, and access permissions using least privilege and separation of duties principles
- Awareness and Training (PR.AT) — Ensuring all personnel, including those in specialized roles, possess necessary cybersecurity knowledge
- Data Security (PR.DS) — Protecting data at rest, in transit, and — new in 2.0 — in use, plus maintaining tested backups
- Platform Security (PR.PS) — Managing configuration, software maintenance, hardware lifecycle, logging, and secure development practices
- Technology Infrastructure Resilience (PR.IR) — Protecting networks from unauthorized access, defending against environmental threats, and maintaining adequate capacity for resilience

Detect (DE): Finding Attacks and Compromises
The Detect function focuses on finding possible cybersecurity attacks and compromises. CSF 2.0 streamlines this to two focused categories:
- Continuous Monitoring (DE.CM) — Monitoring networks, physical environments, personnel activity, external service providers, and computing environments for adverse events
- Adverse Event Analysis (DE.AE) — Analyzing anomalies, correlating information from multiple sources, assessing impact and scope, integrating threat intelligence, and sharing information with authorized staff
Respond & Recover: Managing Cybersecurity Incidents
When prevention fails — and eventually it will — the Respond and Recover functions define how organizations manage cybersecurity incidents and restore operations. Together with Govern and Detect, these functions form the incident management backbone of the NIST cybersecurity framework 2.0.
Respond (RS): Taking Action on Incidents
The Respond function ensures that actions regarding a detected cybersecurity incident are taken. It encompasses four categories:
- Incident Management (RS.MA) — Executing the incident response plan in coordination with relevant third parties, triaging and validating incident reports, categorizing and prioritizing incidents, escalating as needed, and applying the criteria for initiating recovery
- Incident Analysis (RS.AN) — Investigating incidents to establish what happened and the root cause, estimating and validating an incident's magnitude, and collecting incident data and investigation records while preserving their integrity and provenance (the forensic evidence-handling outcomes live here, not in RS.MA)
- Incident Response Reporting and Communication (RS.CO) — Notifying internal and external stakeholders and sharing incident information with designated parties, including regulators where reporting is required
- Incident Mitigation (RS.MI) — Containing the incident (RS.MI-01) and eradicating its cause (RS.MI-02) so that it cannot spread or recur
Recover (RC): Restoring Operations
The Recover function focuses on restoring assets and operations affected by a cybersecurity incident. Its two categories address:
- Incident Recovery Plan Execution (RC.RP) — Executing recovery plans, selecting recovery actions, verifying data and system integrity, and considering mission-critical functions during restoration sequencing
- Incident Recovery Communication (RC.CO) — Coordinating restoration activities with internal and external parties, communicating recovery progress, and managing public communications including disclosure requirements
The Respond and Recover functions are tightly linked. Effective response limits damage and informs recovery priorities, while well-planned recovery ensures the organization can resume critical operations with minimal disruption. Both functions feed lessons learned back into the Identify function's Improvement category, creating a continuous improvement cycle that strengthens the overall cybersecurity posture over time.
Implementation Tiers: Measuring Cybersecurity Rigor
The CSF Tiers provide a mechanism for organizations to characterize the rigor of their cybersecurity risk governance and management practices. CSF 2.0 describes each tier along two dimensions, cybersecurity risk governance (how the Govern outcomes are practiced) and cybersecurity risk management (how the other five functions are practiced). Ranging from Tier 1 to Tier 4, the tiers describe increasingly rigorous approaches to managing cybersecurity risk:
| Tier | Name | Characteristics |
|---|---|---|
| Tier 1 | Partial | Ad hoc, reactive practices. Risk management may not be formalized. Limited awareness of cybersecurity risk at organizational level. Irregular, case-by-case approach to supply chain risks. |
| Tier 2 | Risk Informed | Risk management practices approved by leadership but may not be established as organization-wide policy. Awareness of cybersecurity risk exists but organization-wide approach is inconsistent. Some supply chain risk awareness. |
| Tier 3 | Repeatable | Risk management practices are formally approved, expressed as policy, and regularly updated. Organization-wide approach to managing cybersecurity risk. Consistent methods applied to supply chain risk management. |
| Tier 4 | Adaptive | Practices adapt based on lessons learned and predictive indicators. Continuous improvement incorporating advanced technologies and techniques. Active sharing and use of supply chain risk information. |
An important distinction: tiers are not maturity levels. NIST explicitly states that progression to higher tiers is appropriate only when it would reduce cybersecurity risk in a cost-effective manner consistent with the organization's mission. A Tier 2 organization that understands its risks and manages them appropriately for its context may be perfectly positioned. The goal is not to reach Tier 4 for its own sake, but to reach the tier that best aligns with your risk tolerance and business objectives.
Tiers can also be applied selectively across different functions or categories. An organization might operate at Tier 3 for Protect activities while remaining at Tier 2 for Detect — and that may be the right posture given its specific risk landscape and resource constraints.

Organizational Profiles: Current State to Target State
CSF Organizational Profiles are one of the most practically useful components of the NIST cybersecurity framework 2.0. A profile describes an organization's current or target cybersecurity posture in terms of the CSF Core's outcomes — essentially a customized selection of Functions, Categories, and Subcategories that are most relevant to the organization's specific situation.
Current Profiles
A Current Profile documents the cybersecurity outcomes an organization is currently achieving. It serves as an honest assessment of where you stand today, mapping your existing policies, processes, and technical controls to CSF subcategories. Creating a Current Profile requires input from multiple stakeholders — IT, security, legal, compliance, operations, and leadership — to build an accurate picture.
Target Profiles
A Target Profile describes the desired cybersecurity outcomes, reflecting the organization's risk management goals, sector requirements, regulatory obligations, and available resources. Target Profiles should be informed by organizational context from the Govern function, particularly risk appetite statements (GV.RM-02) and strategic direction (GV.RM-04).
Gap Analysis
The most powerful use of profiles is gap analysis: comparing the Current Profile against the Target Profile to identify where the organization falls short. These gaps become the foundation for a prioritized action plan. Each gap can be assessed for business impact, remediation cost, implementation timeline, and risk reduction potential. The priority assigned to a gap should trace back to the risk appetite and tolerance statements set under GV.RM-02; otherwise the action plan reflects whoever argued loudest rather than the organization's stated risk posture. Outcomes that were never assessed in the Current Profile deserve particular attention, because an unassessed outcome is an unknown, not a zero-risk item.
Community Profiles — created by sectors, industries, or groups — can accelerate this process. Rather than building a Target Profile from scratch, organizations can start with a community profile developed by peers in their sector and customize it to their specific needs.
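The comparison described above, as an added example that is not part of this guide or of NIST's own tooling: a small Python script that keys both profiles to CSF 2.0 subcategory identifiers, validates those identifiers against the six Function codes, computes the open gaps, and orders them for an action plan. The 0-3 achievement scale, the high/medium/low priority labels, and the two sample profiles are constructed assumptions (CSF 2.0 defines the identifiers and outcome statements, not a scoring scheme); the identifiers themselves are real subcategories. The same routine serves the "Perform gap analysis" step in Phase 3 of the implementation steps below.

```python
"""Current-vs-Target Profile gap analysis keyed to CSF 2.0 subcategory IDs.
Added example, not NIST code. The 0-3 scale, priority labels and sample
profiles are assumptions; CSF 2.0 defines the identifiers, not a scoring scheme."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The six Function codes and the "XX.YY-NN" identifier form are NIST's.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}
SUBCAT_RE = re.compile(r"^(GV|ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d{2})$")

# Assumed scale for how fully an outcome is achieved (CSF 2.0 does not define one).
SCALE = {0: "not achieved", 1: "partially achieved", 2: "largely achieved", 3: "fully achieved"}
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}  # assumed labels, derived from GV.RM-02


def parse_subcategory(subcat_id: str) -> Tuple[str, str, int]:
    """Split 'PR.DS-01' into ('PR', 'DS', 1); reject anything not in CSF 2.0 form."""
    m = SUBCAT_RE.match(subcat_id)
    if not m:
        raise ValueError(f"not a CSF 2.0 subcategory identifier: {subcat_id!r}")
    return m.group(1), m.group(2), int(m.group(3))


def is_valid_subcategory(subcat_id: str) -> bool:
    return SUBCAT_RE.match(subcat_id) is not None


@dataclass(frozen=True)
class TargetOutcome:
    score: int      # desired level on SCALE
    priority: str   # key of PRIORITY_RANK


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: Optional[int]  # None: never assessed in the Current Profile
    target: int
    priority: str

    @property
    def size(self) -> int:
        # An unassessed outcome counts as the largest possible gap, not as zero risk.
        return self.target - (self.current or 0)


def gap_analysis(current: Dict[str, int], target: Dict[str, TargetOutcome]) -> List[Gap]:
    """Return every targeted outcome the Current Profile does not yet meet,
    ordered highest priority first, then largest gap, then identifier."""
    for subcat_id, have in current.items():
        parse_subcategory(subcat_id)
        if have not in SCALE:
            raise ValueError(f"{subcat_id}: current score {have!r} is not on SCALE")
    gaps: List[Gap] = []
    for subcat_id, want in target.items():
        fn, _, _ = parse_subcategory(subcat_id)
        if want.score not in SCALE or want.priority not in PRIORITY_RANK:
            raise ValueError(f"{subcat_id}: bad target entry {want!r}")
        have = current.get(subcat_id)
        if have is not None and have >= want.score:
            continue  # already meets the target: not a gap
        gaps.append(Gap(subcat_id, FUNCTIONS[fn], have, want.score, want.priority))
    gaps.sort(key=lambda g: (PRIORITY_RANK[g.priority], -g.size, g.subcategory))
    return gaps


def coverage_by_function(current: Dict[str, int],
                         target: Dict[str, TargetOutcome]) -> Dict[str, Tuple[int, int]]:
    """Per Function: (targeted outcomes already met, targeted outcomes), for summary reporting."""
    met: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for subcat_id, want in target.items():
        fn = FUNCTIONS[parse_subcategory(subcat_id)[0]]
        total[fn] = total.get(fn, 0) + 1
        have = current.get(subcat_id)
        if have is not None and have >= want.score:
            met[fn] = met.get(fn, 0) + 1
    return {fn: (met.get(fn, 0), total[fn]) for fn in total}


def render_report(gaps: List[Gap]) -> List[str]:
    """One action-plan line per gap, in remediation order."""
    lines = []
    for g in gaps:
        have = "unassessed" if g.current is None else SCALE[g.current]
        lines.append(f"[{g.priority}] {g.subcategory} ({g.function}): "
                     f"{have} -> {SCALE[g.target]} (gap {g.size})")
    return lines


# Constructed sample profiles; the identifiers are real CSF 2.0 subcategories.
CURRENT_PROFILE: Dict[str, int] = {
    "GV.RM-02": 1,  # risk appetite/tolerance statements drafted, not communicated
    "GV.RR-01": 2,  # leadership accountable for cybersecurity risk
    "ID.AM-01": 3,  # hardware inventory maintained
    "ID.RA-09": 0,  # hardware/software authenticity not assessed before use
    "PR.DS-01": 3,  # data-at-rest protected
    "PR.DS-11": 1,  # backups exist, restores never tested
    "DE.CM-01": 2,  # network monitoring in place
    # PR.AA-05 (least privilege, separation of duties) was never assessed
}
TARGET_PROFILE: Dict[str, TargetOutcome] = {
    "GV.RM-02": TargetOutcome(3, "high"), "GV.RR-01": TargetOutcome(3, "high"),
    "ID.AM-01": TargetOutcome(3, "medium"), "ID.RA-09": TargetOutcome(2, "medium"),
    "PR.DS-01": TargetOutcome(3, "high"), "PR.DS-11": TargetOutcome(3, "high"),
    "PR.AA-05": TargetOutcome(2, "low"), "DE.CM-01": TargetOutcome(3, "low"),
}

if __name__ == "__main__":
    for line in render_report(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)):
        print(line)
    for fn, (done, wanted) in coverage_by_function(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{fn}: {done}/{wanted} targeted outcomes already met")
```

Two design choices matter more than the scoring scale. First, a subcategory present in the Target Profile but absent from the Current Profile is reported as a full-size gap, so silence in the assessment cannot hide risk. Second, ordering is by the priority label first and by gap size second, which keeps the action plan anchored to the risk appetite set under GV.RM-02 rather than to whichever control happens to score lowest.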
Practical Steps to Implement NIST CSF 2.0
Implementing the NIST cybersecurity framework 2.0 does not require starting from zero, even if your organization has never formally used the CSF. Here is a practical, phased approach that works for organizations of any size:
Phase 1: Establish Governance (Weeks 1-4)
- Secure executive sponsorship — The Govern function requires organizational leadership to be responsible and accountable (GV.RR-01). Get a C-suite champion.
- Define organizational context — Document your mission, stakeholder expectations, legal requirements, and critical dependencies (GV.OC-01 through GV.OC-05).
- Establish risk appetite — Create and communicate risk appetite and tolerance statements (GV.RM-02). These will guide every subsequent decision.
- Assign roles and responsibilities — Clarify who is responsible for cybersecurity risk management at each level (GV.RR-02).
Phase 2: Assess Current State (Weeks 5-10)
- Inventory assets — Catalog hardware, software, services, data, and network flows (ID.AM subcategories).
- Conduct risk assessment — Identify vulnerabilities, threats, impacts, and likelihoods (ID.RA subcategories).
- Build Current Profile — Map existing controls to CSF subcategories. Be honest about gaps.
- Select current tier — Assess your current rigor level along the two tier dimensions NIST defines, cybersecurity risk governance and cybersecurity risk management, and record the evidence behind the rating.
Phase 3: Define Target State (Weeks 11-14)
- Build Target Profile — Select the CSF outcomes most relevant to your organization, informed by risk appetite, sector requirements, and regulatory obligations.
- Set target tier — Determine the appropriate rigor level for your context. Remember: higher is not always better.
- Perform gap analysis — Compare Current Profile against Target Profile to identify and prioritize gaps.
Phase 4: Execute and Improve (Ongoing)
- Create action plan — Prioritize gap remediation based on risk impact, cost, and feasibility.
- Implement controls — Deploy technical, administrative, and physical safeguards aligned with Protect subcategories.
- Monitor and detect — Establish continuous monitoring capabilities per Detect requirements.
- Test and exercise — Regularly test incident response and recovery plans (ID.IM-02).
- Review and adjust — Use Govern's Oversight category (GV.OV) to continuously review and improve your cybersecurity program.
NIST provides extensive online resources, informative references, and quick-start guides to support implementation. These resources include mappings to other frameworks and standards like ISO 27001, CIS Controls, and COBIT, making it easier to integrate CSF 2.0 with existing compliance programs.
Frequently Asked Questions
What is the NIST Cybersecurity Framework 2.0?
The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary guidance document published by the National Institute of Standards and Technology in February 2024. It provides a taxonomy of high-level cybersecurity outcomes organized into six core functions — Govern, Identify, Protect, Detect, Respond, and Recover — that help organizations of all sizes and sectors manage cybersecurity risks effectively.
What changed from NIST CSF 1.1 to CSF 2.0?
The biggest change in CSF 2.0 is the addition of the Govern function as a new sixth core function at the center of the framework, emphasizing cybersecurity governance and integration with enterprise risk management. CSF 2.0 also expanded its scope beyond critical infrastructure to all organizations, enhanced supply chain risk management guidance, introduced improved organizational profiles, and restructured several categories and subcategories across all functions.
What are the 6 core functions of the NIST CSF 2.0?
The six core functions are: Govern (GV) — establishes and monitors cybersecurity risk management strategy; Identify (ID) — understands current cybersecurity risks; Protect (PR) — implements safeguards to manage risks; Detect (DE) — finds and analyzes possible attacks; Respond (RS) — takes action regarding detected incidents; and Recover (RC) — restores assets and operations affected by incidents.
What are the NIST CSF implementation tiers?
The CSF implementation tiers range from Tier 1 (Partial) to Tier 4 (Adaptive). Tier 1 indicates ad hoc, reactive cybersecurity practices. Tier 2 (Risk Informed) means risk management is approved by leadership but may not be organization-wide. Tier 3 (Repeatable) indicates formal, regularly updated policies. Tier 4 (Adaptive) represents organizations that continuously adapt based on lessons learned and predictive indicators. Tiers describe rigor, not maturity levels.
Who should use the NIST Cybersecurity Framework 2.0?
CSF 2.0 is designed for organizations of all sizes and sectors, including private industry, government agencies, academia, and nonprofits. It applies to all types of technology environments including IT, IoT, operational technology, cloud, and mobile systems. While voluntary, some government policies and regulations may reference or mandate its use.