SideGuy · Compliance clarity · reviewed 2026-06-09

NIST CSF 1.1 vs 2.0: the 6th function and a framework for everyone

CSF 2.0 (February 2024) is the first major revision since 1.1 (April 2018). Two big shifts: it added a sixth function, GOVERN, and it explicitly broadened the scope from "critical infrastructure" to every organization, backed by implementation examples and quick-start guides that make it usable for small teams.

The operator's bottom line: Use NIST CSF 2.0. Version 1.1 is superseded and there is no reason to start new work on it. Two changes matter. First, 2.0 adds a sixth core function, GOVERN, so the framework goes from 5 functions to 6: Identify, Protect, Detect, Respond, Recover, plus GOVERN for strategy, roles, policy, and oversight. Second, it drops the "critical infrastructure" framing and explicitly covers organizations of any size or sector. If you already mapped to 1.1, migration is small: add the GOVERN function and re-check your supply-chain risk coverage, which moved from the Identify function (ID.SC in 1.1) into GOVERN (GV.SC in 2.0). You don't rebuild your program.

Side-by-side

Dimension         | NIST CSF 1.1                                      | NIST CSF 2.0
------------------|---------------------------------------------------|--------------------------------------------------------------------------
Core functions    | 5: Identify, Protect, Detect, Respond, Recover    | 6: adds GOVERN (wraps the other five with strategy, roles, policy, oversight)
Intended audience | Framed around critical infrastructure             | All organizations, any size, any sector, explicitly
Supply chain      | Present but lighter (ID.SC under Identify)        | Elevated: cybersecurity supply-chain risk management is its own GOVERN category (GV.SC) and emphasized throughout
Usability         | Framework core + tiers + profiles                 | Keeps core, tiers and profiles; adds implementation examples, quick-start guides, and an online reference tool
Governance        | Distributed across categories                     | Consolidated into GOVERN: organizational context, risk strategy, roles, policy, oversight
Profiles          | Current/Target profiles                           | Strengthened profile guidance, plus community profiles for sectors and use cases
The honest verdict.
The defining change is GOVERN. CSF 2.0 treats cybersecurity as a governance problem, not just an ops problem, and gives it its own function (strategy, roles, policy, oversight, and supply-chain risk). Pair that with the explicit "for all organizations" scope and the new quick-start material, and 2.0 is meaningfully more usable for small and mid-size teams than 1.1 was. If you mapped to 1.1, the work is adding GOVERN and re-checking supply-chain coverage, not starting over.

Which one do you actually need?

Pick NIST CSF 1.1 if…

Nothing forward-looking. 1.1 is superseded by 2.0, and if you're starting fresh, start on 2.0. The only reason to keep a 1.1 mapping alive is an existing contract or audit scope that names 1.1 specifically; even then, maintain it as a profile of your 2.0 program rather than as a separate effort.

Pick NIST CSF 2.0 if…

Everyone adopting or updating a CSF program. Add the GOVERN function (most orgs were already doing pieces of it informally, such as assigning security ownership and setting policy), and lean on the new implementation examples to operationalize it.

Questions operators actually ask

What is the new GOVERN function?

CSF 2.0's sixth function. Its categories cover organizational context, risk-management strategy, roles, responsibilities and authorities, policy, oversight, and cybersecurity supply-chain risk management: the governance layer that decides and supervises how the other five functions are run. It reflects that cybersecurity outcomes depend on governance, not just controls.

Is NIST CSF 2.0 only for critical infrastructure?

No. That's the biggest scope change. 1.1 was framed around critical infrastructure; 2.0 is explicitly for all organizations regardless of size or sector, with quick-start guides aimed at smaller teams.

Do I have to migrate from 1.1 to 2.0?

NIST does not mandate migration (for most organizations CSF adoption is voluntary), but 2.0 is the current version and new work should use it. Migrating mostly means adding the GOVERN function and revisiting supply-chain risk coverage, which moved from Identify into GOVERN in 2.0.

How does CSF 2.0 relate to SOC 2 or ISO 27001?

CSF is a framework of outcomes, not a certifiable standard, so you map it to the standards your buyers require. NIST publishes informative references that crosswalk CSF 2.0 subcategories to ISO/IEC 27001 controls, and AICPA publishes a mapping between the SOC 2 Trust Services Criteria and the CSF. Many teams therefore use CSF 2.0 as the organizing layer above whichever certification they need, and maintain a single set of controls that satisfies both.


Written by PJ Zonis · SideGuy Solutions · operator-honest, vendor-neutral · Compliance hub