What Changed in CSF 2.0

NIST CSF 2.0 (released February 2024) introduced significant updates from version 1.1:

  1. New “GOVERN” function — Elevated organizational governance to a first-class function
  2. Expanded audience — Now explicitly addresses all organizations, not just critical infrastructure
  3. Supply chain risk — Integrated throughout as a cross-cutting concern
  4. Profiles and Tiers — Refined guidance on implementation target states

The Six Functions

Function    Purpose                                Key Question
GOVERN      Set strategy, roles, accountability    Who owns security decisions?
IDENTIFY    Understand your assets and risks       What do we have and what’s at risk?
PROTECT     Implement safeguards                   How do we prevent incidents?
DETECT      Find events fast                       How do we know something is happening?
RESPOND     Act when events occur                  What do we do when we detect it?
RECOVER     Restore and learn                      How do we get back to normal?

GOVERN (New in 2.0)

The GOVERN function establishes the organizational context for cybersecurity risk management. Key categories:

  • GV.OC — Organizational Context
  • GV.RM — Risk Management Strategy
  • GV.RR — Roles, Responsibilities, and Authorities
  • GV.PO — Policy
  • GV.OV — Oversight
  • GV.SC — Cybersecurity Supply Chain Risk Management

Practitioner Note

GOVERN is where policy meets practice. In federal environments, this maps directly to RMF Step 2 (Categorize) and the governance sections of the System Security Plan (SSP). For 2210/ISSO candidates, demonstrating GOVERN awareness is increasingly expected in interviews.


IDENTIFY

Key sub-functions:

  • ID.AM — Asset Management
  • ID.RA — Risk Assessment
  • ID.SC — Supply Chain Risk Management

Detection Engineering angle: Without solid ID.AM, you can’t scope a threat hunt. Knowing what systems are in scope, what OS versions exist, and what data flows between them is foundational.


DETECT

The most operationally relevant function for threat hunters and SOC analysts:

  • DE.AE — Adverse Event Analysis
  • DE.CM — Continuous Monitoring

Control examples:

DE.CM-01: Networks and network services are monitored
DE.CM-03: Personnel activity and technology usage are monitored
DE.CM-06: External service provider activities are monitored

These map directly to SIEM coverage requirements. When scoping a threat hunt program, trace your data sources back to DE.CM controls to demonstrate coverage depth.
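The tracing described above can be made mechanical. The following is an added example (not part of the original notes and not a NIST artifact): it holds a constructed mapping from the three DE.CM subcategories quoted above to the telemetry types assumed to evidence them, takes a constructed SIEM source inventory, and reports per-control coverage. It also treats a source that has stopped sending events as not covering anything, which is the gap that a plain "is it onboarded?" checklist misses. The telemetry types, source names and 24-hour staleness threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed mapping (an assumption for this example, not NIST guidance):
# which telemetry types provide evidence for each DE.CM subcategory on the page.
DE_CM_EVIDENCE = {
    "DE.CM-01": {"netflow", "ids", "dns"},       # networks and network services
    "DE.CM-03": {"edr", "auth", "proxy"},        # personnel activity / technology usage
    "DE.CM-06": {"cloud_audit", "saas_audit"},   # external service provider activities
}


@dataclass(frozen=True)
class LogSource:
    """One data source onboarded to the SIEM."""
    name: str
    kind: str              # one of the telemetry types in DE_CM_EVIDENCE
    last_event: datetime   # timestamp of the newest event the SIEM has from it


def healthy_kinds(inventory, now, max_age):
    """Telemetry types with at least one source that is still sending events."""
    return {s.kind for s in inventory if now - s.last_event <= max_age}


def stale_sources(inventory, now, max_age=timedelta(hours=24)):
    """Sources that are onboarded but silent for longer than max_age."""
    return sorted(s.name for s in inventory if now - s.last_event > max_age)


def coverage_report(inventory, now, max_age=timedelta(hours=24), mapping=DE_CM_EVIDENCE):
    """Per-control view: which required telemetry types are live, which are missing."""
    live = healthy_kinds(inventory, now, max_age)
    report = {}
    for control, needed in mapping.items():
        present = needed & live
        report[control] = {
            "present": sorted(present),
            "missing": sorted(needed - present),
            "ratio": round(len(present) / len(needed), 2),
        }
    return report


# Constructed sample inventory (not real systems). One DNS source has gone
# silent for three days, so it must not count toward DE.CM-01.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    LogSource("core-fw-netflow", "netflow", NOW - timedelta(hours=1)),
    LogSource("nids-sensors", "ids", NOW - timedelta(hours=2)),
    LogSource("dns-resolver", "dns", NOW - timedelta(days=3)),
    LogSource("edr-agents", "edr", NOW - timedelta(minutes=5)),
    LogSource("ad-auth", "auth", NOW - timedelta(minutes=30)),
    LogSource("cloud-audit-trail", "cloud_audit", NOW - timedelta(hours=6)),
]


def run_demo():
    """Run the report over the constructed inventory; returns (report, stale names)."""
    return coverage_report(SAMPLE_INVENTORY, NOW), stale_sources(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    report, stale = run_demo()
    for control, row in report.items():
        print(f"{control}: {row['ratio']:.0%} covered, missing {row['missing'] or 'nothing'}")
    print("stale sources:", stale)
```

Running the block as-is shows DE.CM-01 at two thirds coverage with `dns` missing even though a DNS source exists in the inventory, because it is stale; DE.CM-03 is missing `proxy` and DE.CM-06 is missing `saas_audit`. The useful output for scoping a hunt program is the `missing` list per control: it is the onboarding backlog, expressed in the framework's own vocabulary.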


Mapping to RMF

RMF Step         CSF Function        Key Artifact
1. Prepare       GOVERN, IDENTIFY    Risk management strategy
2. Categorize    IDENTIFY            System categorization (FIPS 199)
3. Select        PROTECT, DETECT     Control selection
4. Implement     PROTECT             Control implementation evidence
5. Assess        All                 Security assessment report (SAR)
6. Authorize     GOVERN              ATO decision
7. Monitor       DETECT, RESPOND     ConMon reports

Interview Prep Notes

Common ISSO/2210 interview questions related to CSF:

  1. “Walk me through how you’d use CSF 2.0 to prioritize security investments at a new agency.”
  2. “What’s the difference between a CSF Profile and a Tier?”
  3. “How does CSF 2.0 align with NIST SP 800-53?”

Quick answers:

  • Profile = your current state vs target state, documented by function/category
  • Tier = how rigorous your risk management practice is (1=Partial → 4=Adaptive)
  • SP 800-53 = the control catalog; CSF = the framework. CSF categories map to 800-53 controls via the NIST online mapping tool.