This article was originally published in Architecture and Governance Magazine on 29 April 2024.
When NIST released version 2.0 of the Cybersecurity Framework in February 2024, the most significant change was not a new control or a revised category. It was the audience. The framework is no longer scoped to federal agencies or critical infrastructure. It is now explicitly designed for organisations “of all sizes and sectors.”
This matters because the threat landscape of 2024 looks nothing like 2014. Organisations are far more interconnected, relying on third-party vendors and cloud services where a breach in one system cascades across partners and customers. The data organisations collect, store, and process has expanded dramatically. And cyberattacks have become more sophisticated, targeting weaknesses indiscriminately rather than focusing on specific sectors.
The most notable structural change in version 2.0 is the addition of a sixth core function: Govern. The original five functions (Identify, Protect, Detect, Respond, Recover) remain, but Govern now sits as an overarching layer that establishes the cybersecurity risk management strategy, roles, responsibilities, and policies. It is the acknowledgement that cybersecurity is not a technical problem isolated in the CISO’s office. It is an enterprise risk that requires attention from the top.
The framework remains non-prescriptive. It defines desirable outcomes, not specific solutions. Organisations map those outcomes to the controls that make sense for their context, maturity level, and risk appetite. The accompanying Quick Start Guides and Informative References provide the practical implementation detail.
For practitioners, the value of NIST CSF 2.0 is less about any single control and more about the structured methodology it provides for making cybersecurity a strategic concern rather than a tactical afterthought.