NIST Cybersecurity Framework 2.0: governance, maturity and practical implementation
NIST 2.0 updates the NIST Cybersecurity Framework with stronger governance, supply‑chain risk coverage and measurable outcomes for security teams.
Contents
- What is NIST?
- NIST 1.1 vs. 2.0
- 6 Core Functions
- NIST 2.0 Implementation
- Measuring the Maturity Levels
- Certification
- NIST 2.0 vs. ISO 27001
Key takeaways: NIST 2.0
- Supports human risk management aligned with the NIST Cybersecurity Framework – from phishing simulations to targeted security awareness training
- Updated version of the NIST Cybersecurity Framework, reflecting current threats, regulatory expectations and supply‑chain risks
- Adds a dedicated Govern function, putting responsibilities, policies and oversight alongside Identify, Protect, Detect, Respond and Recover
- Uses profiles and implementation tiers to make the NIST Cybersecurity Framework measurable and risk‑based
- Not certifiable, but widely used as a governance reference and mappable to ISO 27001 or NIS2
What Is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) is a non-regulatory research agency within the US Department of Commerce. Its work ranges from atomic clocks and encryption standards to cybersecurity guidelines, all of which serve as global reference points. Its National Vulnerability Database (NVD) catalogues security vulnerabilities using the Security Content Automation Protocol (SCAP), helping organisations stay on top of known weaknesses and automate much of their vulnerability monitoring.
Anyone asking what the NIST framework is should know that it goes well beyond vulnerability tracking. NIST’s SP 800-207 defines the Zero Trust Architecture, a security model that has reshaped how organisations think about access and identity. “Never trust, always verify” sounds simple, but it represents a fundamental break from older perimeter-based thinking. Every user, every device, every request gets checked. Continuously.
As for the NIST Cybersecurity Framework itself: it started in 2014, born out of a US presidential executive order to protect critical infrastructure. When NIST CSF 2.0 arrived on 26 February 2024, it came with a broader mandate: any organisation, any sector. Govern, the new sixth core function, made sure cybersecurity risk management was no longer just an IT concern.
NIST CSF 1.1 vs. 2.0: The most important changes
Version 2.0 was not a cosmetic update. For security leaders comparing NIST 1.1 vs. 2.0, the changes run deep: the NIST Cybersecurity Framework was rebuilt to reflect how organisations actually operate today, and who needs to be involved in managing cyber risk.

Key Changes in NIST CSF 2.0
- A sixth core function, Govern: Governance is no longer scattered across the framework. In NIST CSF 2.0, it has its own core function and sits at the centre of the model, shaping how the other functions are planned, prioritised and measured.
- Wider scope: NIST CSF 1.1 was originally aimed at critical infrastructure. NIST CSF 2.0 broadens the audience and is intended for organisations of any size, sector or level of cyber maturity.
- Supply chain risk management: NIST CSF 2.0 puts more weight on third-party risk. The framework now gives organisations clearer direction on supplier dependencies, security expectations in vendor relationships and how to prioritise supply chain risks instead of treating them as a separate side issue.
- Secure software development: Software security also has a more visible role. The updated framework connects cyber risk management more closely with secure development practices, including DevSecOps and software supply chain security.
- Plain language: The wording is more practical than before. That matters because the framework is not only read by security teams, but also by leaders, risk owners and operational teams who need to turn guidance into action.
- Stronger alignment: NIST CSF 2.0 connects more clearly with related NIST publications, including SP 800-161 for cyber supply chain risk management and SP 800-218 for secure software development. For teams working with several frameworks at once, this makes cross-referencing and implementation easier.
Look at the two diagrams side by side and the shift becomes clear. NIST CSF 1.1 shows five functions in a cycle. NIST CSF 2.0 adds Govern at the centre, making oversight and accountability part of the structure rather than something implied in the background.
The 6 Core Functions of the NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework 2.0 is built around six core functions: Govern, Identify, Protect, Detect, Respond and Recover. Together, these NIST core functions give organisations a structured way to understand, prioritise and manage cybersecurity risk across leadership, operations, technology, people and third-party relationships.
Govern (GV)
Governance provides the strategic foundation for cybersecurity risk management in the NIST Cybersecurity Framework 2.0. It covers risk management strategy, roles and responsibilities, policies, oversight and cybersecurity supply chain risk management. The key shift is that cybersecurity is treated as part of enterprise risk management, alongside financial, operational and other business risks. A human risk management platform can support this function by making human risk more measurable and helping leaders base security decisions on data rather than assumptions.
Identify (ID)
Before organisations can manage risk in NIST CSF 2.0, they need to understand what they are protecting. This includes data, hardware, software, systems, employees, suppliers and the risks connected to them. The Identify function creates the basis for risk-based prioritisation and helps align operational security work with the broader Govern strategy. Cybersecurity awareness training can support this process by helping employees recognise threats, report suspicious activity and contribute to a clearer picture of organisational risk.
Protect (PR)
Protect focuses on safeguards that reduce the likelihood and potential impact of cybersecurity events. In the NIST Cybersecurity Framework 2.0, this includes identity management, authentication, access control, data security, platform security, awareness and training, and technology infrastructure resilience. Awareness training plays an important role here because many attacks still rely on human behaviour, especially in social engineering scenarios. When employees know how to spot manipulation attempts and respond correctly, they become a more reliable part of the organisation’s defence.
Detect (DE)
Detection is where theory meets reality. Even well-protected organisations need to know when something is starting to look wrong: a login that does not fit the usual pattern, a sudden change in user behaviour, or a phishing email that gets further than it should. In NIST CSF 2.0, Detect brings these signals together through continuous monitoring and adverse event analysis. For the human side of risk, phishing simulations are especially useful because they show how people react before a real incident forces the issue.
Respond (RS)
A detected incident is only useful if the organisation knows how to act on it. Respond is about making that next step clear: who investigates, who contains the damage, who communicates, and how decisions are documented. This should not be decided in the middle of an incident. Teams need agreed processes for involving leadership, partners, affected stakeholders and, where necessary, authorities. The real value of this function is coordination: fewer delays, less confusion and a better chance of limiting the impact.
Recover (RC)
Recover is about getting the organisation back to stable operations after an incident. That means activating recovery plans, keeping stakeholders in the loop and restoring systems without losing sight of what went wrong. Waiting until an incident hits to figure this out is a gamble most organisations cannot afford. Teams that have rehearsed recovery come out of incidents faster and with something useful: a clearer picture of what to do differently next time.
Implementing the NIST Cybersecurity Framework 2.0: step by step towards adaptive cybersecurity risk management
Implementing the NIST Cybersecurity Framework 2.0 usually starts with four practical steps. Together, they help organisations understand where they stand today, define where they want to go and turn that gap into a workable roadmap.
Step 1: Take stock of where you are
Start by creating a Current Profile that reflects your organisation’s present security posture against NIST CSF 2.0. Which outcomes across the six core functions do you already meet? Which controls are in place, and where are the gaps? Without this baseline, your NIST Cybersecurity Framework implementation risks being built on guesswork.
Step 2: Define your Target Profile
The Target Profile describes the outcomes your organisation wants to achieve through the NIST Cybersecurity Framework 2.0. These should be aligned with your strategic objectives, risk management priorities and the risk appetite and risk tolerance thresholds defined under Govern. The result is a more realistic picture of where your organisation should be in the medium term, and what needs to change to get there.
Step 3: Prioritise your actions
The gap between your Current Profile and Target Profile is where the real work begins. Rank findings by risk impact and be honest about what is actually achievable with the resources available. Document your priorities in a risk register, a risk detail report or a Plan of Action and Milestones. That way, the output of this step is something teams can pick up and run with, not a report that gets filed away.
Step 4: Build a roadmap with clear ownership
Every measure needs a name next to it: who owns it, what it costs and when it needs to be done. Progress should be tracked continuously through a monitoring process, and once measures have been implemented, update your Current Profile regularly and adjust the Target Profile where needed. That way, your work with the NIST Cybersecurity Framework 2.0 stays grounded in what is actually happening in the organisation, not frozen at the point of the last assessment.
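As an added example that is not part of the original article, the four steps above expressed as a small gap analysis: a Current Profile and a Target Profile are scored per CSF 2.0 category (the category IDs follow the framework's naming, e.g. PR.AT for Awareness and Training; the 0–4 scale, impact ratings and owners are constructed for illustration), the gaps are ranked by impact into a Plan of Action and Milestones, every measure must have an owner, and the Current Profile is updated as measures land.

```python
from dataclasses import dataclass

# Constructed scale for how fully an outcome is achieved (not part of CSF 2.0):
# 0 = not addressed, 1 = ad hoc, 2 = documented, 3 = implemented and reviewed, 4 = optimised.
LEVELS = range(0, 5)


@dataclass
class Action:
    category: str   # CSF 2.0 category ID, e.g. "PR.AT"
    current: int
    target: int
    impact: int     # constructed 1-5 risk-impact rating taken from the risk register
    owner: str
    score: int      # gap x impact, used to rank the Plan of Action and Milestones


def gap_analysis(current, target, impact, owners):
    """Steps 1-3: compare the Current Profile with the Target Profile and rank the gaps.

    current/target: {category_id: level}; impact: {category_id: 1..5};
    owners: {category_id: accountable person}. Returns actions, highest
    priority first; categories already at or above target are left out.
    """
    actions = []
    for cat, want in target.items():
        have = current.get(cat, 0)
        if want not in LEVELS or have not in LEVELS:
            raise ValueError(f"level out of range for {cat}")
        if have >= want:
            continue
        if cat not in owners:  # every measure needs a name next to it
            raise ValueError(f"no owner assigned for {cat}")
        weight = impact.get(cat, 1)
        actions.append(Action(cat, have, want, weight, owners[cat], (want - have) * weight))
    return sorted(actions, key=lambda a: (-a.score, a.category))


def update_current_profile(current, completed):
    """Step 4: once a measure is delivered, raise the Current Profile for that category."""
    updated = dict(current)
    for cat, level in completed.items():
        updated[cat] = max(updated.get(cat, 0), level)
    return updated


# Constructed sample: a small organisation's Current and Target Profiles.
CURRENT = {"GV.SC": 1, "ID.AM": 2, "PR.AT": 1, "PR.AA": 2, "DE.CM": 1, "RS.CO": 2, "RC.RP": 1}
TARGET = {"GV.SC": 3, "ID.AM": 3, "PR.AT": 3, "PR.AA": 3, "DE.CM": 3, "RS.CO": 2, "RC.RP": 3}
IMPACT = {"GV.SC": 4, "ID.AM": 3, "PR.AT": 5, "PR.AA": 5, "DE.CM": 4, "RS.CO": 3, "RC.RP": 4}
OWNERS = {"GV.SC": "Head of Procurement", "ID.AM": "IT Operations", "PR.AT": "Awareness Lead",
          "PR.AA": "IAM Team", "DE.CM": "SOC Manager", "RS.CO": "CISO", "RC.RP": "IT Operations"}

if __name__ == "__main__":
    for a in gap_analysis(CURRENT, TARGET, IMPACT, OWNERS):
        print(f"{a.category}: {a.current}->{a.target} impact={a.impact} score={a.score} owner={a.owner}")
```

Re-running `gap_analysis` after each `update_current_profile` call is the monitoring loop from Step 4: the ranked list shrinks as measures are delivered and shifts when the Target Profile or impact ratings change.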
Implementation tiers: moving towards adaptive security
The NIST Cybersecurity Framework 2.0 describes four Implementation Tiers. They do not act as a formal maturity score, but they do help organisations understand how consistently cybersecurity risk is managed across the business.
Tier 1 – Partial: Security processes are limited, inconsistent or mainly reactive. Risk management may be handled on a case-by-case basis, and the organisation is not yet well prepared to respond to cyber incidents in a coordinated way.
Tier 2 – Risk-Informed: Security policies exist and the organisation has a working understanding of its key risks. The gap at this stage is consistency: awareness does not yet translate into standardised practices across teams and business areas, and there is no shared method for evaluating and prioritising risk decisions.
Tier 3 – Repeatable: Security practices are documented, embedded and reviewed on a regular basis. Teams follow clear procedures rather than improvising, which makes it far easier to maintain consistency and catch gaps early. At this stage, NIST Cybersecurity Framework incident response activities are also more likely to be planned, tested and connected to the wider risk management approach.
Tier 4 – Adaptive: Cybersecurity risk management is integrated across the organisation and can adjust to changes in the threat landscape. Risk assessments are not treated as occasional exercises, but as part of continuous decision-making. At Tier 4, cyber risk is not a separate conversation. It sits at the same table as financial and operational risk, and security has a real say in how the business plans ahead.
Adaptive cybersecurity means that security measures evolve as risks change. Modern human risk management platforms can support this by providing current data on employee behaviour and risk levels. This helps organisations adapt training, interventions and controls more dynamically and strengthen their overall work with the NIST Cybersecurity Framework 2.0 over time.
How to measure NIST Cybersecurity Framework maturity levels
The NIST Cybersecurity Framework 2.0 does not measure maturity through a single score. Instead, it gives organisations two practical reference points: Profiles and Implementation Tiers. Current Profiles show where your organisation stands today, while Target Profiles define the outcomes you want to achieve across the framework’s core functions. The four Tiers, from Partial to Adaptive, then help you understand how consistently cybersecurity risk is managed and how closely it is tied to business decision-making.
Numbers help, but they only tell part of the story. A patch backlog that keeps growing, a phishing simulation that flags the same department three months in a row, a response that takes six hours when it should take one – security leaders know what these things mean without needing a framework to explain it. Key performance indicators (KPIs) give those observations something to stand on. Key risk indicators (KRIs) catch the quieter signals, the ones that do not show up as incidents yet but probably will. These metrics should be reviewed regularly with executive stakeholders, so decisions are based on current risk, not assumptions.
When should an organisation aim for a higher Tier in the NIST Cybersecurity Framework 2.0? Usually, when the risk environment changes, regulatory expectations increase or the business case is strong enough to justify the investment. Moving up a Tier should not be treated as a box-ticking exercise. It should reflect a real improvement in how the organisation identifies, prioritises and manages cyber risk.
The long-term goal for many organisations is Tier 4, Adaptive, within NIST CSF 2.0. At this level, security evolves with the threat landscape rather than reacting to it. Adaptive organisations monitor their systems continuously, update policies as risks and best practices change, and use security data across teams, not only inside the security function. A measurable view of maturity also helps CISOs show the value of their investments in the NIST Cybersecurity Framework 2.0. When progress is backed by data, budgets are easier to explain and easier to defend.
Certification: how does NIST Cybersecurity Framework certification work?
Unlike ISO 27001, the NIST Cybersecurity Framework 2.0 does not require formal certification or external audits. It is voluntary guidance, designed to be adapted to each organisation’s specific risk environment.
NIST does not hand out certificates. What exists instead are third-party qualifications for professionals who work with the framework: a “NIST CSF 2.0 Lead Implementer” certificate, for example, covers how to build and run security programmes based on the NIST Cybersecurity Framework. Useful for individuals, but it says nothing about whether the organisation they work for is compliant.
As for NIST Cybersecurity Framework certification cost at the organisational level, there is no official NIST certification fee, because NIST does not certify organisations against the framework. Organisations are free to adopt the NIST Cybersecurity Framework 2.0 without going through an audit. Implementation is usually documented through self-assessments, Implementation Tiers and Organisational Profiles. Formal evidence is optional unless a contract, customer requirement or regulation specifically asks for it. For security leaders, the more useful question is often not the price of a certificate, but what level of documentation, assurance and evidence the organisation actually needs.
NIST Cybersecurity Framework vs. ISO 27001: Differences and synergies
The NIST Cybersecurity Framework and ISO 27001 are after the same thing. Where they differ is in what they ask of you.
ISO 27001 is a standard. It comes with mandatory requirements, an external audit and a certificate at the end. The NIST Cybersecurity Framework 2.0 is guidance. It tells you what good looks like and leaves the how largely up to you. No auditor, no certificate, no single correct way to implement it.
| Criteria | NIST CSF 2.0 | ISO 27001 |
|---|---|---|
| Type | Flexible framework and guidance | Prescriptive standard for an ISMS |
| Certification | No official organisational certification issued by NIST | Formal certification through accredited bodies |
| Cost | Freely available | Audit and certification fees usually apply |
| Approach | Outcome-oriented and adaptable | Requirements-based, with mandatory controls and processes |
| Compliance evidence | Self-assessments, Profiles and Implementation Tiers | External audits and certification |
| International recognition | Originated in the US and increasingly used globally | Widely recognised internationally |
For many organisations, that distinction shapes the sequence. The NIST Cybersecurity Framework 2.0 tends to come first: it helps teams get a clear picture of where risks sit, what controls are actually working and how to talk about security with leadership without drowning them in technical detail. ISO 27001 enters the picture when external proof is needed, whether a customer requires it, a regulator expects it or the business wants the credibility that comes with accredited certification.
Treating the NIST Cybersecurity Framework vs. ISO 27001 question as a binary choice tends to create more problems than it solves. Security teams that work with both usually find the overlap manageable. Mapping NIST CSF 2.0 controls to ISO 27001 requirements has become a practical way to get there without doing everything twice.
This article is for general information only. It does not constitute legal advice and is not a substitute for professional legal or regulatory guidance. When the question gets specific to your sector, your contracts or your regulatory environment, that is where a qualified legal adviser or accredited certification body comes in.