NIST CSF 2.0: Understanding and Implementing the Govern Function

Share :

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” 

— Executive Order 13636
     February 12, 2013 

Eleven years ago, the White House issued Executive Order 13636, which tasked the National Institute of Standards and Technology (NIST) with the creation of a cybersecurity framework (CSF) that would help better protect the nation’s critical infrastructure. NIST CSF 1.0 was published on February 12, 2014, and was quickly adopted by both public and private organizations due to its ability to provide key standards, guidelines, and best practices to help organizations manage and mitigate their cyber risk.  

However, much has changed in the intervening years. Threat actors have continued to innovate and expand attacks, while cloud adoption and hybrid work models have greatly expanded organizations’ attack surfaces. The core “five functions” of the initial NIST CSF — Identify, Protect, Detect, Respond, and Recover — have served organizations well, but the modern threat landscape required an update to NIST’s cybersecurity framework, which has been published this year.   

NIST CSF 2.0 adds a sixth core function to the framework: Govern. While this function previously existed in the NIST CSF, this update escalates Govern into a position as a core function, recognizing the essential role of risk management in all five of the original core functions and raising the value of risk-driven cybersecurity strategies. But what does that mean for your organization, what role does the new function play in your security posture, and how can you best implement the new framework? 

What Is the NIST CSF? 

The NIST Cybersecurity Framework leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and the International Organization for Standardization (ISO). The NIST CSF is a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues. 

The NIST CSF 1.0 has the least coverage of the major cybersecurity frameworks, and therefore works best for smaller or unregulated businesses. The NIST CSF is often used as a reporting tool to report security to executive leadership, since the core functions make it easier to report complex topics under this perspective. 

But that doesn’t mean adherence is easy. NIST features a framework core with multiple functions, categories and sub-categories, and with so many different capabilities and competencies required, it can feel overwhelming to implement.   

What Are the Core Functions of the NIST CSF? 

The six core functions of the NIST CSF 2.0 — Identify, Protect, Detect, Respond, Recover, and now, Govern — provide a high-level organizational structure to enable positive, proactive cybersecurity outcomes.   

  • Identify: Develop an organizational understanding to managing cybersecurity risk  
  • Protect: Support the ability to limit or contain the impact of a potential cybersecurity event  
  • Detect: Define the appropriate activities to identify the occurrence of a cybersecurity event  
  • Respond: Enable timely discovery of cybersecurity events  
  • Recover: Support the ability to contain the impact of a potential cybersecurity incident 
  • Govern: Establish and monitor risk management strategy, expectations, and policy 

What Is the Govern Function? 

Earlier versions of the framework included elements of the Govern function, but the 2.0 framework update formalizes it all. This addition supports IT and security leaders’ ability to create risk driven security programs, increase organizational engagement and risk ownership, while creating an opportunity for increasing overall program support and funding.  

Additionally, according to NIST, “The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector.” It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation. 

Additionally, the “Govern” function includes several important sub-categories to further help organizations with their risk management and organizational engagement. These include:  

Organizational Context 

NIST CSF 2.0 introduces “Organizational Context” as a category under the “Govern” function, which they define as “The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity.” While previous updates to the CSF focused on asset identification, this update places new emphasis on contextualization, making these efforts more effective.

Risk Management Strategy 

NIST CSF 2.0 places risk management strategy within the “Govern” function to highlight the vital role it plays in an organization’s cybersecurity governance, and underscore its foundational role in cybersecurity governance. A proper risk management strategy, as defined by NIST, is one where “The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.”  

Roles, Responsibilities, and Authorities 

“Roles, Responsibilities, and Authorities” are placed as a separate category within the “Govern” function in NIST CSF 2.0, to ensure that organization’s “Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.” 


NIST CSF 2.0 places the establishment, communication, and enforcement of cybersecurity policy as an essential aspect of the “Govern” function. Particular emphasis is placed not just on the creation of cybersecurity policy, but on its review and revision to “reflect changes in requirements, threats, technology, and organizational mission.” 


NIST CSF 2.0 also places more of a focus on the continuous review and revision of an organization’s risk management activities through the “Oversight” category in the “Govern” function, in an effort to inform and adjust strategy and direction and ensure adequate coverage of requirements and risks.  

Cybersecurity Supply Chain Risk Management 

Finally, NIST CSF 2.0 adds “Cybersecurity Supply Chain Risk Management” as a category under the “Govern” function. With cyber attacks against supply chains and third-party vendors rising — as they can often provide a means of initial access into a target network — this category aims to ensure that “cyber supply chain risk management process are identified, managed, monitored, and improved by organizational stakeholders.”  

NIST Cybersecurity Framework

How To Implement NIST CSF 2.0 

This latest version of the NIST Cybersecurity Framework places an emphasis on risk-driven cybersecurity strategies, and the creation of a robust risk management program, which takes time and effort to create and implement. This new framework — especially the newly elevated “Govern” function — provides organizations with an opportunity to accelerate along their security journey through a risk-driven agenda and a focus on proper risk management. 

According to Enterprise Strategy Group, a leader in cybersecurity market research, there are four key operating principles that must be understood as an organization begins to implement and operationalize their risk management program and adhere to the NIST Cybersecurity Framework:  

Risk Transparency 

Assessing a true risk perspective is a core operating principle. As risk is identified, it must be accurately and honestly represented, shared, and assessed. This drives mitigation prioritization decisions and facilitates overall risk posture assessment and management.   

Risk Communications  

Clearly defined communications timing, details, and mechanisms, as well as risk owners, must be clearly identified and maintained over time. This ensures that timely risk analysis, assessment, and mitigation decision-making can take place.  

Risk Ownership  

Each aspect of risk consideration requires a risk owner. Risk owners must have the authority to make timely risk decisions and must be accountable for risk tolerance and the impact of decisions within their specific functions.   

Risk Decision-Making  

A clearly defined process for making risk decisions enables both new and ongoing risks to be considered, adjusted, and mitigated as they occur. Some aspects of the organization will require faster decision-making than others, but the process should be consistent and well understood. 

Why the Govern Function is Critical to Cybersecurity 

The addition of the “Govern” function in NIST CSF 2.0 addresses the rise of risk management and governance as an essential task for IT and security teams. While it has existed in previous versions, this elevation to a core function places it in a position of necessary prominence for any organization looking to proactively assess, mitigate, and transfer their cyber risk through risk-driven cybersecurity strategies.   

Risk is now viewed as a driver for security strategy, investments, measurements, and continuous improvement by cybersecurity experts. Elevating “Govern” to a core function of the NIST CSF creates an opportunity for IT and security leaders to accelerate investments in risk-driven cybersecurity strategies that can lead to improving security outcomes in both efficacy and efficiency,” according to ESG. 

How Arctic Wolf Can Help 

Arctic Wolf’s security operations solutions provide coverage across all six of the NIST core functions and provide expert, 24×7 assistance with a continuous risk-based management program:  

Identify, Protect, Detect, Govern, Respond 

Arctic Wolf® Managed Detection and Response provides 24×7 monitoring of networks, endpoints, and cloud environments to help organizations detect, respond, and recover from modern cyber attacks. 

Arctic Wolf® Managed Risk enables organizations to discover, assess, and harden their environment against digital risks by contextualizing their attack surface coverage across networks, endpoints, and cloud environments. 

Protect, Govern 

Arctic Wolf Managed Security Awareness® leverages people to provide security across the core NIST CSF functions, preparing employees to recognize and neutralize social engineering attacks and human error, and helping to reduce human risk. 

Respond, Recover 

Arctic Wolf® Incident Response provides a full-service incident response (IR) team with the skills and expertise needed to stop an attack and quickly restore an organization to pre-incident business operations. 

Discover where you stand on your security journey with our Security Assessment. 

Explore our market-leading security operations solutions and discover how they can help you adhere to the NIST CSF.  

Dive deeper into the new “Govern” control in our webinar, NIST CSF 2.0: A Blueprint for Operationalizing Risk Management within Your Security Program. 

Picture of Arctic Wolf

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.
Share :
Table of Contents
Subscribe to our Monthly Newsletter