NIST CSF 2.0

NIST CSF 2.0 is the framework you reach for when no single regulation tells you what "good security" means, but somebody still wants proof you have it. A customer's vendor questionnaire asks which framework you align to. An insurer wants a recognized structure behind your application. Your own leadership wants to know the security program is organized around something real instead of whatever the last IT person happened to set up. The Cybersecurity Framework gives all three a common language, and that's most of why a business adopts it.

Unlike CMMC, HIPAA, or the FTC Safeguards Rule, NIST CSF 2.0 is voluntary. No agency enforces it and no penalty attaches to ignoring it. That's exactly why it's useful. It isn't a compliance hammer; it's a way to organize and talk about cyber risk that everyone in the conversation already recognizes, from your insurer to your biggest customer to a board member who doesn't speak IT. This page covers what the framework is, what changed in version 2.0, and how we build a program around it instead of handing you a spreadsheet.

What the framework is

The NIST Cybersecurity Framework is a structure for managing cyber risk, published by the National Institute of Standards and Technology. It doesn't prescribe specific products. It organizes the work of security into a set of outcomes you can assess yourself against, plan toward, and report on in language other people understand. That last part is the point. A framework is only valuable if the customer asking about it, the insurer underwriting you, and the technician implementing it are all reading from the same map.

Version 2.0, released in February 2024, is the current edition and the meaningful update. The headline change is a new sixth function, Govern, which sits alongside the original five. The framework now runs Govern, Identify, Protect, Detect, Respond, and Recover. Govern covers the part most small and mid-sized businesses skip: who owns cyber risk, how it ties to the rest of the business, what the policies are, and how the organization holds itself accountable. Adding it as its own function was NIST's way of saying security isn't only a technical problem, it's a management one.

What changed in 2.0, and why it matters to you

Two changes in version 2.0 matter for a Wichita business deciding whether to use it.

First, Govern. The old framework let organizations pour effort into the technical functions, the firewalls and the detection and the backups, while leaving the management layer undefined. Nobody owned the risk, no policy connected the controls to the business, and there was no accountability when something slipped. Govern names that gap and makes it a first-class part of the framework. For a business where security has been whoever-touched-it-last, this is the function that turns a pile of tools into a program.

Second, scope. Earlier versions were written with critical infrastructure in mind: power, water, finance, the systems a nation can't lose. Version 2.0 explicitly widened the audience to organizations of every size and sector: a two-location manufacturer, a regional accounting firm, a healthcare practice. The framework now expects to be used by exactly the kind of business that fills the Wichita and Southcentral Kansas market, which is most of why it's worth adopting here.

How the six functions actually map to a business

The functions aren't abstract once you put them against a real company. Identify is knowing what you have: the asset inventory, the data, the systems, the vendors with access, and where the risk concentrates. Protect is the controls that reduce that risk: access management, multi-factor authentication, encryption, training, and the basic hygiene that stops most incidents. Detect is whether you'd actually know an intrusion was happening: logging, monitoring, and alerting that a named person watches and acts on. Respond is what you do in the first hours: the incident response plan that names who decides, who calls whom, and what gets isolated first. Recover is getting back to business: the backups that have actually been restored as a test rather than assumed to work. Govern wraps all of it: who owns the program, how policy connects it to the business, and how it stays accountable over time.

Most businesses we assess are strong in two or three functions and thin in the rest. Plenty of Protect, almost no Detect. Good Recover on paper, with a backup nobody has ever test-restored. The value of running against CSF 2.0 is that it surfaces the imbalance, so the money goes where the actual gap is instead of into another tool for the function you were already good at.

How we do the work

We don't deliver a CSF 2.0 assessment as a binder and walk away. The framework describes a security program that's supposed to be live on real systems, and an assessment that isn't connected to the team running those systems is a snapshot that's stale the month after it's written. That's the same reason every framework on our Compliance Services hub is bundled with the IT, not sold beside it.

So the work folds into a Managed IT Services engagement. We assess your environment against the six functions, show you where you actually stand function by function, prioritize the gaps that matter, and then implement and operate the controls, the documentation, and the governance layer as part of running your IT. When a customer questionnaire or an insurer asks which framework you align to and how, you have a real answer backed by systems we run, not a claim. The security controls underneath this live on our Cybersecurity Services page.

Where to start

A short call is enough to figure out whether CSF 2.0 is the right framework for what you're being asked to prove, and roughly where your program stands against it. Bring the questionnaire or the insurance application that raised the question, or come without one. Thirty minutes, no commitment.

Book an exploratory call

Frequently asked questions

Is NIST CSF 2.0 a regulation we have to comply with?
No. It's a voluntary framework, not a law, and no agency enforces it. Businesses adopt it because customers, insurers, and their own leadership want a recognized structure behind the security program. If you're under an actual mandate like CMMC, HIPAA, or the FTC Safeguards Rule, those are the obligations that carry penalties, and CSF 2.0 can sit underneath them as the organizing structure. Our Compliance Services hub covers the mandatory frameworks we work with.

What's the difference between NIST CSF and NIST 800-171?
Different documents for different jobs. NIST SP 800-171 is a specific set of security requirements (110 of them in Revision 2, the edition CMMC Level 2 assesses against) for protecting Controlled Unclassified Information, and it's contractually mandatory for many government contractors. CSF 2.0 is a voluntary, higher-level framework for organizing cyber risk across any kind of business. One is a binding checklist, the other is a management structure. If you're a defense or government contractor, the page you want is NIST 800-171.

What is the new Govern function?
Govern is the sixth function added in version 2.0. It covers the management side of security: who owns cyber risk, how it connects to the rest of the business, what the policies are, and how the organization stays accountable. It was added because too many security programs were strong on technical controls and silent on ownership and policy. For a smaller business, Govern is usually the function that's been missing entirely.

Do we need CSF 2.0 if we already have cyber insurance?
They reinforce each other. An insurer's application asks about many of the same controls the framework organizes, and aligning to CSF 2.0 gives you a structured, honest way to answer those questions and keep your attestations accurate. Cyber insurance readiness is its own subject, covered on our Cyber Insurance page.

Can you do a CSF 2.0 assessment without taking over our IT?
We bundle it with Managed IT Services, because the framework describes a program that lives on real systems, and an assessment disconnected from the team running those systems goes stale fast. If you have internal IT, Co-Managed IT covers that split with responsibilities documented. What we don't do is assess against a framework and hand you a report for someone else to implement, because that's how the program and the systems stop matching.
