
NIST CSF 2.0: Understanding and Implementing the Govern Function

The addition of the govern function in NIST CSF 2.0 addresses governance as an essential task for IT and security teams.

In early 2013, the White House issued Executive Order 13636, which tasked the National Institute of Standards and Technology (NIST), a U.S. government federal agency, with the creation of a cybersecurity framework (CSF) that would help foster best practices for cybersecurity and better protect the nation’s critical infrastructure.

NIST CSF 1.0 was published on February 12, 2014, and was quickly adopted by both public and private sector organizations due to its ability to provide key standards, guidelines, and best practices to help organizations manage and mitigate their cyber risk.

However, much has changed in the intervening years. Threat actors have continued to innovate and expand attacks, while cloud adoption and hybrid work models have greatly expanded organizations’ attack surfaces. The core “five functions” of the initial NIST CSF — Identify, Protect, Detect, Respond, and Recover — have served organizations well, but the modern threat landscape required a NIST cybersecurity framework update, which was published in 2024.

NIST CSF 2.0 adds a sixth core function to the framework: Govern. While this function previously existed in the NIST CSF, this update establishes governance as a core function, recognizes the essential role of risk management in all five of the original core functions, and raises the value of risk-driven cybersecurity strategies.

But what do these changes mean for your organization? What role does the new Govern function play in your security posture, and how can your organization best implement the new framework?

What Is the NIST CSF?

The NIST Cybersecurity Framework is a risk-based compilation of guidelines that creates a common language for internal and external communication of cybersecurity issues and can help organizations identify, implement, and improve cybersecurity practices. This framework leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and the International Organization for Standardization (ISO).

NIST CSF 1.0 is considered to be the most basic of the major cybersecurity frameworks (as compared with other frameworks such as ISO-27001 or CIS Controls), largely because it is not prescriptive. In other words, while it provides broad guidance, it does not specifically state what to do, or how to do it. This grants organizations broad latitude regarding how they interpret the framework and seek to implement corresponding security controls.

Therefore, NIST CSF works best for less cyber-mature organizations or businesses that do not adhere to compliance regulations, which typically require more specific approaches. The NIST CSF is often used as an outline when reporting security assessment findings to executive leadership, since the core functions make it easier to report complex topics from a business perspective.

But that doesn’t mean adherence is easy. NIST features a framework core with multiple functions, categories, and subcategories, and with so many different capabilities and competencies required, it can feel overwhelming to implement.

What Are the Core Functions of the NIST CSF?

The six core functions of the NIST CSF 2.0 — Identify, Protect, Detect, Respond, Recover, and now, Govern — provide a high-level organizational structure to enable positive, proactive cybersecurity outcomes.
The six core functions of NIST CSF 2.0 are:

1. Identify: Develop an organizational understanding of all cyber risks, including all assets, applications, and suppliers. This function also includes identifying improvement opportunities for an organization’s cybersecurity risk management efforts (i.e., plans, policies, processes, and procedures).

2. Protect: Support the ability to secure identified assets and reduce or prevent the likelihood of a cybersecurity event. This function includes actions such as identity management, security awareness training, data security, access controls, and more.

3. Detect: Enable the timely discovery and analysis of cybersecurity events, including but not limited to anomalies, indicators of compromise (IOCs), and other events that indicate an attack is in progress.

4. Respond: Act on given cybersecurity events detected through the prior detect function and contain any subsequent effects. Key features of the respond function include incident management, analysis, mitigation, reporting, and communication.

5. Recover: Restore assets and systems affected by a cyber incident and enable appropriate communications.

6. Govern: Establish an overall cyber risk management strategy, expectations, and policy, which is continually improved, monitored, and communicated. The success of every function listed above is dependent on strong governance.

What Is the Govern Function of NIST CSF?

Earlier versions of the NIST CSF framework included elements of the Govern function, but the 2.0 framework update formalizes it. This addition supports IT and security leaders in creating risk-driven security programs and increasing organizational engagement and risk ownership, while also creating an opportunity to increase security program support and funding.

According to NIST, “The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector.”

This update encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.

The Govern function includes several important subcategories to further help organizations with risk management and organizational engagement. These include:

Organizational Context
NIST CSF 2.0 introduces “organizational context” as a category under the Govern function, which NIST defines as, “The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity.” While previous versions of the CSF focused on asset identification, this update places new emphasis on contextualizing those assets in regard to risk and overall security, making these efforts more effective.

Risk Management Strategy
NIST CSF 2.0 places risk management strategy within the Govern function to highlight the vital role risk management plays in an organization’s cybersecurity governance. A proper risk management strategy is one where, as defined by NIST, “The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.” This outlook personalizes the strategy, helping organizations understand their own risk and how it relates back to the broader threat landscape.

Roles, Responsibilities, and Authorities
“Roles, responsibilities, and authorities” are placed as a separate category within the Govern function in NIST CSF 2.0, to ensure that organizations’ “cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.” This subsection outlines the vital role humans play in cybersecurity across the organization, and encourages organizations to bring humans into the fold, instead of relying solely on technology investments to solve all cybersecurity issues.

Policy
NIST CSF 2.0 makes the establishment, communication, and enforcement of cybersecurity policy an essential aspect of the Govern function. Particular emphasis is placed not just on the creation of organization-wide cybersecurity policies, but on their review and revision to “reflect changes in requirements, threats, technology, and organizational mission.” This policy creation will help organizations benchmark their own risk, cybersecurity goals, and current state.

Oversight
NIST CSF 2.0 also places more of a focus on the continuous review and revision of an organization’s risk management activities through the “Oversight” category in the Govern function to inform and adjust strategy and direction and ensure adequate coverage of requirements and risks. This function emphasizes the need for continuous reflection and adjustment of policies and strategies as business and security goals change alongside the always-evolving threat landscape.

Cybersecurity Supply Chain Risk Management
Finally, NIST CSF 2.0 adds “cybersecurity supply chain risk management” as a category under the Govern function. With cyber attacks against supply chains and third-party vendors a constant threat — as they can often provide a means of initial access into a target network — this category aims to ensure that “cyber supply chain risk management processes are identified, managed, monitored, and improved by organizational stakeholders.”

Why the Govern Function is Critical to Cybersecurity

The addition of the Govern function in NIST CSF 2.0 addresses the rise of risk management and governance as an essential task for IT and security teams. While it has existed in previous versions, this elevation to a core function places it in a position of necessary prominence for any organization looking to proactively assess, mitigate, and transfer their cyber risk through risk-driven cybersecurity strategies.

Risk is now viewed as a driver for security strategy, investments, measurements, and continuous improvement by cybersecurity experts.
Additionally, the centralization of the Govern function emphasizes how, in the modern threat landscape, cybersecurity has become a multi-pronged strategy for any organization. By applying the tenets of the Govern function, organizations create an opportunity to look at cybersecurity from multiple perspectives, obtain senior leadership support, and continually improve to meet current and future security challenges and risks.

How To Implement NIST CSF 2.0

According to ESG, there are four key operating principles that must be understood as an organization begins to implement and operationalize their risk management program and adhere to the NIST Cybersecurity Framework:

1. Risk transparency. Assessing internal risk through an organization-specific lens is a core operating principle. As risk is identified, it must be accurately and honestly represented, shared, and assessed. This drives mitigation prioritization decisions and facilitates overall risk posture assessment and management.

2. Risk communications. Clearly defined communications covering timing, details, and mechanisms, as well as risk owners, must be clearly identified and maintained over time. This ensures that timely risk analysis, assessment, and mitigation decision-making can take place.

3. Risk ownership. Each aspect of risk consideration requires a risk owner. Risk owners must have the authority to make timely risk decisions and must be accountable for risk tolerance and the impact of decisions within their specific functions.

4. Risk decision-making. A clearly defined process for making risk decisions enables both new and ongoing risks to be considered, adjusted, and mitigated as they occur. Some aspects of the organization will require faster decision-making than others, but the process should be consistent and well understood.


NIST CSF 2.0 and Arctic Wolf

Arctic Wolf takes an operations approach to security, providing a suite of solutions that align with all six core functions of the NIST CSF framework, all with an eye toward enhanced governance and continuous risk reduction.

Not only do Arctic Wolf’s proactive, reactive, and risk transference solutions drive security outcomes, but Arctic Wolf also offers a Cyber Resilience Assessment (CRA) based on multiple cybersecurity frameworks, including NIST CSF 2.0. The CRA allows your organization to map your security posture against NIST CSF 2.0, identify priority areas for risk mitigation, and communicate that information to key stakeholders as needed.

Learn more about the Arctic Wolf Cyber Resilience Assessment.
Take a deep dive into NIST CSF 2.0 with our webinar, NIST CSF 2.0: A Blueprint for Operationalizing Risk Management Within Your Security Program.
