FortaRisks

NIST CSF 2.0

The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary cyber risk-management framework published by the US agency NIST. It organizes cybersecurity into six functions (Govern, Identify, Protect, Detect, Respond, Recover) and serves as a common language to assess and steer maturity across any sector.

Updated on July 2, 2026

What is the NIST CSF 2.0?

The NIST Cybersecurity Framework is published by the National Institute of Standards and Technology (NIST), the US standards agency. Originally designed for critical infrastructure, it has become one of the most widely used cybersecurity frameworks in the world, precisely because it is simple, flexible and non-prescriptive.

Rather than mandating specific controls, it offers a structure to organize and communicate cybersecurity activities, from the technical floor up to the board.

Why it matters for your organization

The NIST CSF provides a common language between technical teams and leadership. Its six functions let you summarize a complex posture into a readable picture, useful for prioritizing investment and reporting on risk.

It also acts as a backbone for aligning multiple frameworks: many organizations map ISO 27001, SOC 2 or their regulatory obligations onto the CSF functions to avoid managing everything in silos.

The six functions

  • Govern: define strategy, roles and risk management.
  • Identify: understand your assets, risks and dependencies.
  • Protect: put security controls in place.
  • Detect: spot security events and anomalies.
  • Respond: react effectively to an incident.
  • Recover: restore capabilities after an incident.

Where organizations most often fall short

A common mistake is treating the CSF as a checklist to tick, when its value comes from comparing a current profile against a target profile. Without that measured gap, the framework stays descriptive and guides no decision. The Govern function, new in 2.0, is still often neglected in favor of the technical functions.

Frequently asked questions

What does version 2.0 of the NIST CSF add?

Published in 2024, version 2.0 adds a sixth function, Govern, which puts governance and risk management at the center of the framework. It also explicitly broadens the scope to all organizations, not just critical infrastructure as in the original version.

Is the NIST CSF certifiable?

No. The NIST CSF is a voluntary self-assessment framework, not a certification scheme. You use it to measure maturity, define a target profile and prioritize effort. It combines well with certifiable standards such as ISO 27001.
