The Evolution of the Govern Function in the Cybersecurity Framework: A Closer Look at CSF 2.0

In the realm of cybersecurity, staying ahead of threats necessitates not just reactive measures but a proactive and structured approach to safeguarding digital assets. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has been a cornerstone for organizations striving to achieve this level of preparedness. With the introduction of CSF 2.0, several enhancements and refinements have been made across its structure, most notably within the “Govern” function. This blog post delves into the specific changes and their implications for organizations striving to align with cybersecurity best practices.

Understanding the “Govern” Function  

Initially, the NIST CSF defined five core functions: Identify, Protect, Detect, Respond, and Recover. These provided a high-level, strategic view of the lifecycle of managing and mitigating cybersecurity risk. The “Govern” function is a new addition in CSF 2.0, embodying a strategic pivot towards emphasizing governance, risk management, and the importance of leadership in cybersecurity.

Specific Changes in CSF 2.0  

  1. Introduction of Organizational Context

CSF 2.0 introduces “Organizational Context” as a category under the “Govern” function, highlighting the necessity for organizations to understand and continually assess the cybersecurity landscape in which they operate. This is a departure from the 2018 version, which emphasized identifying assets and related cybersecurity risks without contextualizing these efforts within the broader organizational and external environment.  

  2. Risk Management Strategy

While both versions of the CSF emphasize risk management, CSF 2.0 places it directly under the “Govern” function to underscore its foundational role in cybersecurity governance. This change signifies a strategic shift from viewing risk management as a task to recognizing it as an integral part of governance that informs and shapes policy, strategy, and operational decisions.  

  3. Roles, Responsibilities, and Authorities

CSF 2.0 delineates “Roles, Responsibilities, and Authorities” as a separate category within “Govern,” suggesting a more structured and explicit approach to defining and delegating cybersecurity roles within an organization. Unlike the 2018 framework, which implied these aspects within broader discussions on governance, the explicit categorization in CSF 2.0 aims to eliminate ambiguity and foster a clearer understanding of accountability.  

  4. Cybersecurity Supply Chain Risk Management

Another notable enhancement is the inclusion of “Cybersecurity Supply Chain Risk Management” as a category under the “Govern” function. This acknowledges the increasing importance of supply chain security in an organization’s overall cybersecurity posture. This consideration, while explicitly addressed in the 2018 version of the framework, is given increased emphasis in CSF 2.0.

Implications for Organizations  

The refinements in the “Govern” function of CSF 2.0 reflect a maturation in understanding what effective cybersecurity governance entails. By providing a more detailed and structured approach, CSF 2.0 encourages organizations to adopt a holistic view of cybersecurity that encompasses risk management, leadership, and the broader ecosystem, including supply chains.

Organizations aiming to align with CSF 2.0 must reassess their cybersecurity strategies and policies to encapsulate the nuanced elements introduced in the “Govern” function. This may involve redefining roles and responsibilities, integrating supply chain considerations into risk management processes, and aligning cybersecurity measures with the organization’s strategic objectives and external requirements.  


The introduction and expansion of the “Govern” function in CSF 2.0 underscore the evolving nature of cybersecurity as a strategic organizational concern. By explicitly addressing aspects of governance, such as risk management and supply chain security, CSF 2.0 provides a comprehensive framework that addresses the technical aspects of cybersecurity and integrates them within the broader context of organizational strategy and risk management. For organizations committed to maintaining a robust cybersecurity posture, adapting to these changes will be crucial in navigating the complexities of today’s digital landscape.

Stay tuned for the next blog post on the “Identify” function.


Brent Gage

After beginning his career as a roustabout on an offshore drilling rig, Brent is now the Manager of Cybersecurity at who performs client consultation and assessments while maintaining and monitoring the platform’s hosting infrastructure.
