What changed in NIST CSF 2.0?

Version 2.0, released in February 2024, adds a sixth core function (Govern) focusing on cybersecurity governance and risk management strategy. It also broadens the target audience beyond critical infrastructure to all organisations and improves integration with other frameworks.

Is NIST CSF mandatory?

NIST CSF is voluntary for most organisations. However, it may be effectively required for US federal contractors (via NIST SP 800-171 alignment) and is often referenced in regulations and insurance requirements. Many organisations adopt it voluntarily as best practice.

How does NIST CSF relate to ISO 27001?

NIST CSF is outcome-focused and less prescriptive, while ISO 27001 is certifiable and process-focused. Many organisations use NIST CSF to assess and prioritise risk, then implement ISO 27001 controls to address identified gaps. GRCTrack maps between both frameworks.

All Frameworks

108 Controls

NIST CSF 2.0

NIST Cybersecurity Framework

The NIST Cybersecurity Framework provides guidance for organisations to assess and improve their ability to prevent, detect, and respond to cyber attacks. Version 2.0, released in February 2024, adds a Govern function and broadens applicability beyond critical infrastructure.

Start Free Trial Request Demo

Ideal For

Critical InfrastructureGovernmentDefence ContractorsFinancial Institutions

What is NIST CSF 2.0?

The NIST Cybersecurity Framework provides guidance for organisations to assess and improve their ability to prevent, detect, and respond to cyber attacks. Version 2.0, released in February 2024, adds a Govern function and broadens applicability beyond critical infrastructure.

NIST CSF is voluntary and applicable to organisations of all sizes and sectors. It is widely adopted by critical infrastructure operators (energy, healthcare, financial services, telecommunications), government agencies, defence contractors, and increasingly by private-sector organisations seeking a risk-based cybersecurity programme.

Key Requirements

Core areas of NIST CSF 2.0 that organisations must address.

Establish cybersecurity governance and risk management strategy

Identify assets, business environment, and risk exposures

Implement protective safeguards for critical services

Deploy detection capabilities for cybersecurity events

Develop response plans for detected incidents

Establish recovery plans to restore services after incidents

How GRCTrack Supports NIST CSF 2.0

Six core functions: Govern, Identify, Protect, Detect, Respond, Recover

Implementation tiers assessment

Current and target profiles

Supply chain risk management

Framework integration

Continuous improvement

Flexible Framework

Adaptable to any organisation size or sector.

Risk-Based

Focus on outcomes, not prescriptive controls.

Widely Recognised

Accepted by regulators and customers.

Frequently Asked Questions

Ready to Simplify NIST CSF 2.0 Compliance?

Join hundreds of organisations using GRCTrack to manage compliance.

Start Free Trial View All Frameworks