The primary audience is the people who build and lead security programs. But NIST wrote the outcomes to be readable by a much wider group: executives and boards, acquisition and technology staff, risk managers, lawyers, HR, auditors, and policy makers. That breadth is intentional. CSF 2.0 is meant to connect a security team’s day-to-day work to the language that leadership and the board already use for enterprise risk.

The CSF organizes cybersecurity outcomes at the highest level into six Functions. Each is named with a verb that summarizes its job. These are the exact NIST definitions:

• Govern (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
• Identify (ID): The organization’s current cybersecurity risks are understood.
• Protect (PR): Safeguards to manage the organization’s cybersecurity risks are used.
• Detect (DE): Possible cybersecurity attacks and compromises are found and analyzed.
• Respond (RS): Actions regarding a detected cybersecurity incident are taken.
• Recover (RC): Assets and operations affected by a cybersecurity incident are restored.

The Functions are drawn as a wheel because they relate to one another. You categorize assets under Identify and secure them under Protect; planning in Govern and Identify makes Detect, Respond, and Recover work when an incident hits.

Two shifts define this release.

Govern moved to the center. In version 1.1, governance ideas were spread across the framework. CSF 2.0 pulls them into a standalone Function and places it at the center of the wheel because it informs how you carry out the other five. Govern covers organizational context; risk management strategy; roles, responsibilities, and authorities; policy; oversight; and cybersecurity supply chain risk management.

The scope opened up. Before 2.0, the framework was titled “Framework for Improving Critical Infrastructure Cybersecurity.” NIST retired that title. CSF 2.0 is now written for organizations of all sizes and sectors, including industry, government, academia, and nonprofits, at any maturity level.

The CSF Core is a hierarchy: Functions → Categories → Subcategories. Categories are related outcomes inside a Function; Subcategories are more specific technical and management outcomes (not an exhaustive list). The Core applies across IT, IoT, and operational technology, and across cloud, mobile, and AI environments.

Version 2.0 has 22 Categories across the six Functions:

• Govern (6): Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles/Responsibilities/Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV), Cybersecurity Supply Chain Risk Management (GV.SC)
• Identify (3): Asset Management (ID.AM), Risk Assessment (ID.RA), Improvement (ID.IM)
• Protect (5): Identity Management, Authentication and Access Control (PR.AA), Awareness and Training (PR.AT), Data Security (PR.DS), Platform Security (PR.PS), Technology Infrastructure Resilience (PR.IR)
• Detect (2): Continuous Monitoring (DE.CM), Adverse Event Analysis (DE.AE)
• Respond (4): Incident Management (RS.MA), Incident Analysis (RS.AN), Incident Response Reporting and Communication (RS.CO), Incident Mitigation (RS.MI)
• Recover (2): Incident Recovery Plan Execution (RC.RP), Incident Recovery Communication (RC.CO)

Tiers describe the rigor of your cybersecurity risk governance and management, from informal to adaptive. There are four:

• Tier 1 (Partial): risk strategy applied ad hoc; limited organization-level awareness; case-by-case.
• Tier 2 (Risk Informed): management approves practices, but they are not yet organization-wide policy; prioritization is informed by risk objectives and the threat environment.
• Tier 3 (Repeatable): practices are formal policy, implemented as intended and reviewed; an organization-wide approach exists.
• Tier 4 (Adaptive): an organization-wide, continuously improving approach; the program adapts from lessons learned and predictive indicators, and executives track cyber risk alongside financial risk.

A common mistake is treating Tiers as a maturity ladder where everyone must reach Tier 4. NIST is explicit that they are not. You pick the Tier that fits your threat environment and is cost-effective for your organization.

A CSF Organizational Profile describes your cybersecurity posture in terms of the Core’s outcomes. It has two parts:

• A Current Profile captures the outcomes you are achieving today and to what extent.
• A Target Profile captures the outcomes you want, accounting for new requirements, new technology, and threat trends.

The gap between Current and Target is your roadmap. You use it to prioritize work, justify budget, and communicate progress to stakeholders.

• Read the outcomes in the Govern and Identify Functions first; they set context.
• Build a Current Profile for the 22 Categories, honestly.
• Set a Target Profile based on your risks and obligations.
• Prioritize the gaps; map each to specific controls using NIST’s Informative References.
• Pick a Tier that matches your risk tolerance and revisit it annually.

NIST, *The NIST Cybersecurity Framework (CSF) 2.0*, NIST CSWP 29, February 26, 2024. doi:10.6028/NIST.CSWP.29.