NIST CSF 2.0: The Govern Function and Why It Matters
NIST Cybersecurity Framework 2.0 added a sixth function — Govern — elevating cybersecurity to a board-level concern. We explore what this means for risk management, resource allocation, and organisational accountability.
From Five Functions to Six
When NIST released Cybersecurity Framework 2.0 in February 2024, the most significant addition was the new Govern function. For the first time, the framework explicitly addresses the organisational context, strategy, and oversight needed to make cybersecurity effective, not just the technical and operational measures.
The original five functions remain: Identify, Protect, Detect, Respond, and Recover. But Govern now sits at the centre, informing and connecting all of them.
What the Govern Function Covers
Govern encompasses six categories:
- Organisational Context (GV.OC): Understanding the organisation's mission, stakeholder expectations, and legal/regulatory requirements that shape cybersecurity strategy
- Risk Management Strategy (GV.RM): Establishing risk tolerance, defining risk appetite, and integrating cybersecurity risk into enterprise risk management
- Roles, Responsibilities, and Authorities (GV.RR): Defining who is accountable for cybersecurity at every level, from the board to individual contributors
- Policy (GV.PO): Establishing, communicating, and enforcing cybersecurity policies
- Oversight (GV.OV): Reviewing and adjusting cybersecurity strategy based on results and changing conditions
- Cybersecurity Supply Chain Risk Management (GV.SC): Managing risk across the supply chain, including third-party vendors and service providers
Why This Matters
The addition of Govern solves a persistent problem: organisations that implement excellent technical controls but lack the governance structure to sustain them. Security programmes fail not because of inadequate technology, but because of unclear accountability, insufficient resources, and disconnected strategy.
By making governance an explicit, equal function alongside technical measures, NIST CSF 2.0 sends a clear message: cybersecurity is a business risk issue, not just an IT issue. Boards and executives have a direct role to play.
Expanded Scope
The other major change in CSF 2.0 is its expanded scope. The original framework was designed for critical infrastructure. Version 2.0 explicitly applies to organisations of all sizes and sectors. NIST also improved the framework's international alignment, making it more compatible with ISO 27001 and other global standards.
Getting Started with CSF 2.0
Frequently Asked Questions