NIST CSF 2.0: the new Govern function explained
March 17, 2026
CSF 2.0's biggest change is a new function that wraps the other five: Govern. It moves cybersecurity from a technical checklist to an enterprise-risk discipline.
Five functions became six
The original NIST CSF had five functions: Identify, Protect, Detect, Respond, and Recover. CSF 2.0, released in 2024, added a sixth — Govern — and positioned it as the function that informs all the others.
What Govern covers
Govern is about the organizational context for cybersecurity: risk-management strategy, roles and responsibilities, policy, oversight, and the integration of cyber risk into enterprise risk management. It asks not "do you have a firewall?" but "who owns this risk, what is your risk appetite, and how does leadership oversee it?"
Why it was added
Practitioners had long treated governance as implicit. Making it an explicit function reflects how regulators and boards now view cybersecurity — as an enterprise risk that requires accountability, not just a set of technical controls. It also aligns CSF more closely with frameworks like COBIT 2019, which is governance-first.
How it relates to the other five
Govern does not replace Identify–Protect–Detect–Respond–Recover; it surrounds them. Your governance decisions — risk appetite, ownership, policy — shape how you execute the other five functions. In practice, mapping Govern outcomes to your existing controls is the fastest way to adopt CSF 2.0 if you already run another framework.