Thoughts on the new NIST CSF 2.0 "Govern" function?
NIST CSF 2.0 added "Govern" as a sixth core function alongside Identify, Protect, Detect, Respond, Recover. This puts organizational governance (risk management, roles, policies) as a top-level concern.
Is anyone actually restructuring their security programs around this? Or is it just a checkbox exercise for auditors?
We're using it as leverage to get board-level buy-in. The "Govern" function explicitly calls out leadership accountability. It's the best ammo I've had for budget conversations.
For our clients, we map Govern to their existing governance docs and show gaps. Most small businesses have zero documented risk tolerance or security roles. Govern makes them confront that.
It's not just a checkbox if you use it right. We restructured our quarterly security reviews around CSF 2.0 functions. The Govern function forced us to define who owns what — which was embarrassingly unclear before.