
Figure 1. NIST CSF 2.0 vs 1.1 at a glance — a decade-apart structural reset with governance moved to the center.
In January 2026, the CISO of a 1,400-employee regional bank in Charlotte, North Carolina, walked into an audit committee review with what she thought was a solid story: SOC 2 Type II renewed, NIST CSF 1.1 self-assessment passed, third-party risk program improved after the 2023 MOVEit wave.
The committee’s new cyber chair — a retired CrowdStrike operator — opened with a single question: “When do we get to Govern, and why aren’t supply chain controls in your top-five risks?”
The bank’s cyber insurance renewal had just landed with a new clause: alignment to NIST Cybersecurity Framework 2.0 expected by Q3 2026 or pricing reopens. The CISO held a respectable CSF 1.1 program. She did not hold a CSF 2.0 plan.
| Key Takeaways — NIST CSF 2.0 vs 1.1 |
| --- |
| NIST CSF 2.0 vs 1.1 is not a cosmetic version bump. NIST released CSF 2.0 on 26 February 2024 — the first major overhaul in a decade — restructuring the Core around six functions instead of five and elevating governance from a sub-category inside Identify to a standalone Govern function that sits at the center of the wheel. |
| NIST CSF 2.0 vs 1.1 structural counts: functions move from 5 to 6, categories drop from 23 to 22, and subcategories drop from 108 to 106 — but 16 subcategories are conceptually new. The Govern function alone carries 31 subcategories across six categories (Organizational Context, Risk Management Strategy, Roles/Responsibilities/Authorities, Policy, Oversight, Cybersecurity Supply Chain Risk Management). |
| Supply chain risk management doubled: CSF 1.1 had 5 supply chain subcategories buried in Identify; CSF 2.0 moves them under Govern (GV.SC) and expands to 10 subcategories — the largest single category in the framework. |
| NIST CSF 2.0 vs 1.1 scope shifts from critical infrastructure to every organization — small businesses, non-profits, higher education, and state and local government — backed by 21 Quick Start Guides, Organizational Profiles, and Community Profiles including the finalized SP 800-61r3 Incident Response profile (April 2025). |
| Implementation Tiers (Partial, Risk-Informed, Repeatable, Adaptive) survive into CSF 2.0 but are clarified — they describe the rigor of risk governance, not a maturity ladder to climb. Organizations pick the tier that matches their risk tolerance and regulatory exposure. |
| A realistic NIST CSF 2.0 vs 1.1 transition runs 90 days for a mid-sized enterprise: crosswalk mapping, Govern function stand-up, supply chain uplift, target profile selection, remediation sprints, and board reporting. Use the official NIST Transition Spreadsheet; do not rebuild from scratch. |
| NIST CSF 2.0 vs 1.1 adoption trajectory is steep — small-business alignment with NIST jumped from 29% in 2023 to 42% in 2025, driven by cyber insurance underwriting, federal procurement updates, and state cybersecurity laws that reference “NIST” without pinning a version. |
That scenario is the 2026 reality of NIST CSF 2.0 vs 1.1. On 26 February 2024, the National Institute of Standards and Technology released the first major overhaul of the Cybersecurity Framework in ten years. The changes are not cosmetic.
A brand-new Govern function sits at the center of the wheel. Supply chain subcategories doubled. Applicability stretched from critical infrastructure to “every organization.” Sixteen subcategories are conceptually new.
And an ecosystem of Quick Start Guides, Community Profiles, and a revised NIST CSF 2.0 reference on CSRC is reshaping how US practitioners run cybersecurity risk management programs.
This guide compares NIST CSF 2.0 vs 1.1 across seven dimensions risk leaders actually plan against: structural changes to the Core, the new Govern function, supply chain risk management, Implementation Tiers and Profiles, transition mechanics, pitfalls, and a 90-day roadmap.
For the deep operational playbook, see the companion NIST CSF 2.0 Implementation Guide and NIST Cybersecurity Framework Key Risk Indicators. This article is the strategic bridge that a CISO can drop in front of an audit committee.
NIST CSF 2.0 vs 1.1: What Each Version Actually Is
NIST CSF 2.0 vs 1.1 in one sentence: CSF 1.1 (April 2018) was a five-function voluntary framework aimed at US critical infrastructure; CSF 2.0 (February 2024) is a six-function framework aimed at every organization, with a standalone Govern function, doubled supply chain subcategories, and a library of Quick Start Guides, Organizational Profiles, and Community Profiles.
NIST CSF 2.0 vs 1.1: The 1.1 Baseline
CSF 1.1 was published by NIST in April 2018 as an iterative update to the original February 2014 Framework for Improving Critical Infrastructure Cybersecurity. It organized cybersecurity outcomes into 5 Functions (Identify, Protect, Detect, Respond, Recover), 23 Categories, and 108 Subcategories.
Governance was a category inside Identify (ID.GV) with four subcategories. Supply chain risk management was also inside Identify (ID.SC) with five subcategories.
The Framework was voluntary, outcome-based, and became the de facto US cyber security risk management framework for federal contractors, state agencies, and Fortune 500 CISOs.
NIST CSF 2.0 vs 1.1: The 2.0 Reset
CSF 2.0 was released on 26 February 2024 as NIST Cybersecurity White Paper (CSWP) 29, replacing CSF 1.1. It keeps the Core’s plain-language, outcome-based design but introduces 6 Functions (Govern, Identify, Protect, Detect, Respond, Recover), 22 Categories, and 106 Subcategories — 16 of which have no direct 1.1 predecessor. The release also ships with 21 Quick Start Guides, Organizational Profiles for before/after comparisons, Community Profiles (the first finalized being SP 800-61r3 Incident Response in April 2025), and deeper cross-mapping to NIST SP 800-53 Rev. 5, ISO/IEC 27001:2022, and COBIT.
Coverage now applies to any US organization — not just the original 16 critical-infrastructure sectors.
| Dimension | CSF 1.1 | CSF 2.0 | What changed |
| --- | --- | --- | --- |
| Released | April 2018 | 26 February 2024 | First major overhaul in a decade |
| Functions | 5 (Identify, Protect, Detect, Respond, Recover) | 6 (Govern added) | Governance is now Function #1, center of wheel |
| Categories | 23 | 22 | Restructured; ID.GV and ID.SC moved to Govern |
| Subcategories | 108 | 106 | 16 new; many merged or reworded |
| Supply chain | 5 subcats inside ID.SC | 10 subcats inside GV.SC | Doubled; largest single category |
| Applicability | US critical infrastructure focus | Every organization, every sector, any size | Explicit global and SMB framing |
| Supporting docs | NIST CSF v1.1, Roadmap | CSWP 29 + 21 Quick Start Guides + Profiles | Full implementation ecosystem |
NIST CSF 2.0 vs 1.1: The Govern Function Changes Everything
NIST CSF 2.0 vs 1.1 pivots on one change above all others: Govern. In CSF 1.1, governance was a category (ID.GV) with four subcategories, tucked inside Identify.
In CSF 2.0, Govern is its own function with six categories and 31 subcategories that sit at the center of the wheel, informing and constraining every other function. If your CSF 1.1 program did not have executive-level cyber oversight, CSF 2.0 expects it documented and reviewed.
NIST CSF 2.0 vs 1.1: Why Govern Became a Function
NIST’s public record on the CSF 2.0 development explicitly calls governance the missing structural piece of CSF 1.1. Boards and senior leaders had adopted the Framework as a dashboard, but the subcategory-level expectations for policy, roles, risk appetite, and oversight were not visible enough.
Elevating Govern to a function forces boards, audit committees, and executive teams to see cybersecurity as an enterprise risk on the same plane as enterprise risk management (ERM) integration and operational risk management oversight.
It also aligns CSF 2.0 with ISO/IEC 27001:2022 Clause 5 (Leadership) and COSO ERM, closing a mapping gap that had grown awkward by 2023.
NIST CSF 2.0 vs 1.1: Six Categories Inside Govern
Govern (GV) is structured in six categories: Organizational Context (GV.OC) — understanding mission, stakeholders, legal environment; Risk Management Strategy (GV.RM) — risk appetite, tolerance, objectives, communication; Roles, Responsibilities, and Authorities (GV.RR) — accountability, executive ownership, workforce awareness; Policy (GV.PO) — policy development, approval, review; Oversight (GV.OV) — performance measurement, adjustment, improvement; Cybersecurity Supply Chain Risk Management (GV.SC) — third-party and supply chain controls.
Each category maps cleanly to board reporting lines that audit committees already understand, which is why risk appetite statements and risk committee charters become mandatory evidence under NIST CSF 2.0 vs 1.1 gap assessments.
| Govern Category | CSF 1.1 Home | CSF 2.0 Status |
| --- | --- | --- |
| Organizational Context (GV.OC) | Scattered across ID.BE, ID.GV | New category, 5 subcategories; explicit mission/stakeholder framing |
| Risk Management Strategy (GV.RM) | ID.RM (Identify) | Moved to Govern; 7 subcategories including risk appetite and tolerance |
| Roles, Responsibilities, Authorities (GV.RR) | ID.AM-6, ID.GV-2 | Consolidated; 4 subcategories including executive accountability |
| Policy (GV.PO) | ID.GV-1 policy subcategory | Dedicated category with 2 subcategories; policy lifecycle |
| Oversight (GV.OV) | Implicit across 1.1 | New; 3 subcategories for performance review and improvement |
| Cybersecurity Supply Chain Risk (GV.SC) | ID.SC (5 subcategories) | Moved to Govern; 10 subcategories — doubled |
NIST CSF 2.0 vs 1.1: Structural Shifts Across Core, Categories, and Subcategories

Figure 2. NIST CSF 2.0 vs 1.1 structural footprint — one more function, one fewer category, two fewer subcategories, but a much heavier governance spine.
NIST CSF 2.0 vs 1.1 structural shift in numbers: 5 → 6 functions; 23 → 22 categories; 108 → 106 subcategories, with 16 conceptually new and dozens renamed or merged.
The “smaller” numbers hide a larger governance load — Govern alone accounts for 31 subcategories, making it the largest single function in the framework.
NIST CSF 2.0 vs 1.1: Where Subcategories Moved
Most 1.1 subcategories survived into 2.0, but their function address changed. ID.GV (Governance) collapsed into GV.OC, GV.RR, and GV.PO. ID.SC (Supply Chain) migrated into GV.SC and doubled in size. ID.RM (Risk Management Strategy) moved to GV.RM.
Inside Protect, several access-control and data-security subcategories were consolidated and rewritten to match modern zero-trust language.
Detect and Respond received new subcategories reflecting real-world incident response patterns — threat-intelligence sharing, adverse-event analysis, and coordinated external communications.
Recover added subcategories for communications and restoration validation that map cleanly to disaster recovery vs business continuity plan expectations.
NIST CSF 2.0 vs 1.1: What the 16 New Subcategories Cover
The 16 conceptually new subcategories cluster into four themes: governance maturity (oversight, risk appetite, review of performance), supply chain depth (supplier criticality tiers, incident response integration, contract requirements), modern detection (adverse-event analysis, threat intelligence sharing), and improvement (post-incident lessons-learned, suppressed vulnerabilities, restoration verification).
Practitioners mapping a cyber security risk management plan from CSF 1.1 into CSF 2.0 should flag these 16 subcategories as net-new work — they almost always require new evidence artifacts, not just updated language.
NIST CSF 2.0 vs 1.1: Supply Chain Risk Management Evolution
NIST CSF 2.0 vs 1.1 elevates supply chain risk from a 5-subcategory corner of Identify to a 10-subcategory category under Govern (GV.SC) — the largest single category in the framework.
Expect explicit supplier criticality tiers, contract clauses, incident response integration, and executive oversight. If your CSF 1.1 program treated vendor security as a questionnaire, CSF 2.0 expects a continuous program.
NIST CSF 2.0 vs 1.1: What GV.SC Demands
GV.SC covers ten outcomes: supply chain risk management strategy; supplier identification and prioritization; contract requirements; supplier due diligence; integration of supplier risk into the enterprise risk register; monitoring of supplier performance; planning and coordination of response; coordinated incident response with suppliers; post-incident activity and lessons learned; and exit/off-boarding.
This reshapes third-party risk management from a procurement checklist into an enterprise program tightly coupled with the CSF 2.0 Incident Response Community Profile and broader supply chain risk management plan artifacts.
For regulated industries — banking under FFIEC guidance, healthcare under HIPAA, federal contractors under FAR 52.204-21 — GV.SC effectively codifies what examiners have been asking for since SolarWinds.
NIST CSF 2.0 vs 1.1: Why the Supply Chain Category Doubled
The decision to double GV.SC was driven by three realities: the 2020 SolarWinds SUNBURST campaign, the 2023 MOVEit Transfer exploitation, and the steady rise in ransomware delivered through managed service providers. NIST’s public feedback corpus cited these incidents repeatedly.
The 1.1 ID.SC structure was adequate for pre-2020 procurement diligence but not for continuous visibility into fourth-party and software-supply-chain risk. GV.SC codifies lessons from those incidents by requiring documented supplier criticality, measurable contract clauses, incident-response integration, and ongoing monitoring — the core ingredients of managing supply chain risk as it is practiced in 2026.
| Supply Chain Outcome | CSF 1.1 (ID.SC) | CSF 2.0 (GV.SC) |
| --- | --- | --- |
| Strategy + program ownership | Implicit | Explicit in GV.SC-01, GV.SC-02 |
| Supplier criticality tiering | Not specified | GV.SC-04 — required prioritization |
| Contract clauses | ID.SC-3 generic | GV.SC-05 explicit contractual requirements |
| Due diligence / risk assessment | ID.SC-2 | GV.SC-06 ongoing, risk-based |
| Incident response coordination | Not covered | GV.SC-08 planning + GV.SC-10 execution |
| Performance monitoring | ID.SC-4 audit-style | GV.SC-07 continuous |
| Post-incident learning | Not covered | GV.SC-10 |
NIST CSF 2.0 vs 1.1: Implementation Tiers, Profiles, and Examples
NIST CSF 2.0 vs 1.1 keeps Implementation Tiers (Partial, Risk-Informed, Repeatable, Adaptive) but clarifies they describe rigor — not maturity to climb. CSF 2.0 introduces Organizational Profiles (Current vs Target), Community Profiles (sector baselines), and Implementation Examples across all 106 subcategories — three artifacts that 1.1 either lacked or under-specified.
NIST CSF 2.0 vs 1.1: The Four Implementation Tiers
Both versions share four tiers: Tier 1 Partial — ad-hoc, reactive; Tier 2 Risk-Informed — considered but inconsistent; Tier 3 Repeatable — documented, consistently applied; Tier 4 Adaptive — data-informed, agile, integrated. CSF 2.0 sharpens the guidance: tiers are not rungs on a ladder, and Tier 4 is not the goal for every organization.
A small non-profit may rationally sit at Tier 2 for most categories. A systemically important bank cannot justify anything below Tier 3 in Govern, Respond, and Recover.
For practitioners, the tier discussion becomes a board-level conversation about risk appetite statements and regulatory exposure, not an aspirational grade.
NIST CSF 2.0 vs 1.1: Organizational and Community Profiles
CSF 2.0 formalizes Profiles — a mechanism under-used in 1.1. A Current Profile describes the cybersecurity outcomes an organization is actually achieving; a Target Profile describes the outcomes it commits to achieve.
The gap between them is the remediation plan. Community Profiles are sector-specific baselines: the NIST SP 800-61r3 Incident Response Community Profile was finalized in April 2025; the CSF 2.0 Manufacturing Profile is in initial draft.
This Profile architecture makes CSF 2.0 far easier to operationalize inside a risk management lifecycle and connects directly to key risk indicator (KRI) dashboard work.
NIST CSF 2.0 vs 1.1: Implementation Examples
CSF 2.0 adds non-prescriptive Implementation Examples to every subcategory — concrete, action-oriented ideas that help practitioners see what “good” looks like without turning the framework into a checklist. CSF 1.1 provided Informative References (NIST SP 800-53, ISO 27001, COBIT) but no examples.
The Implementation Examples are updated by NIST on a rolling basis via the CSF 2.0 Informative References tool and the Cybersecurity and Privacy Reference Tool (CPRT).
For teams translating CSF 2.0 outcomes into internal controls, pair the Examples with the Informative References and you have roughly 80% of a NIST risk assessment build-out.
NIST CSF 2.0 vs 1.1: A Practical 90-Day Transition Roadmap

Figure 3. A 90-day NIST CSF 2.0 vs 1.1 transition roadmap — six phases, sequenced to land a board-ready Target Profile and Govern function charter.
NIST CSF 2.0 vs 1.1 transition does not require a rebuild. A realistic 90-day plan runs: Days 1-20 map 1.1 → 2.0 via the NIST Transition Spreadsheet; Days 15-40 stand up Govern; Days 30-55 uplift supply chain (GV.SC); Days 45-70 set Target Profile and tier; Days 55-85 remediation sprints; Days 75-90 board report and continuous monitoring.
NIST CSF 2.0 vs 1.1: Use the Official Crosswalk, Don’t Rebuild
NIST publishes an official transition crosswalk — the CSF 1.1 to 2.0 spreadsheet — that shows which 1.1 subcategories map 1:1 to 2.0, which were merged, and which have no predecessor. Use it verbatim.
Practitioners who skip the crosswalk and rebuild from scratch inevitably recreate the same controls under new identifiers, inflate documentation burden, and miss the 16 new subcategories.
Tie the crosswalk to the artifacts of your existing five-step risk management process so the transition enhances rather than duplicates existing risk work.
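The crosswalk-first procedure described here, together with the Current-versus-Target Profile gap logic from the Profiles section above, as an added Python example. This is not code from the article, from riskpublishing.com, or from NIST: the crosswalk rows, the 1.1 evidence inventory and the Target Profile are all constructed for illustration, and in real use the CROSSWALK list would be loaded from NIST's official CSF 1.1-to-2.0 Transition Spreadsheet rather than typed in.

```python
"""Crosswalk-driven CSF 1.1 -> 2.0 gap analysis and Target Profile backlog.

Added example; not code from the article, riskpublishing.com, or NIST.
The crosswalk rows, evidence and Target Profile below are constructed for
illustration. The authoritative subcategory mapping is NIST's CSF 1.1-to-2.0
Transition Spreadsheet, which should replace CROSSWALK in real use.
"""

# Constructed crosswalk rows: (CSF 1.1 subcategory or None, CSF 2.0 subcategory).
# None on the 1.1 side means the 2.0 subcategory has no predecessor (net-new).
CROSSWALK = [
    ("ID.GV-1", "GV.PO-01"),   # one 1.1 item split across two 2.0 items
    ("ID.GV-1", "GV.PO-02"),
    ("ID.GV-2", "GV.RR-02"),   # two 1.1 items merged into one 2.0 item
    ("ID.AM-6", "GV.RR-02"),
    ("ID.RM-1", "GV.RM-01"),
    ("ID.SC-1", "GV.SC-01"),
    ("ID.SC-2", "GV.SC-04"),
    ("ID.SC-3", "GV.SC-05"),
    (None, "GV.OV-01"),
    (None, "GV.SC-08"),
    (None, "GV.SC-10"),
]

# Constructed Current Profile: 1.1 subcategory -> evidence artifact already on file.
EVIDENCE_11 = {
    "ID.GV-1": "InfoSec Policy v4 (approved 2025-06)",
    "ID.GV-2": "Cyber RACI 2025",
    "ID.SC-1": "TPRM Program Charter",
    "ID.SC-2": "Annual vendor risk assessments",
}

# Constructed Target Profile: 2.0 subcategory -> target Implementation Tier (1-4).
TARGET_PROFILE = {
    "GV.PO-01": 3, "GV.PO-02": 3, "GV.RR-02": 3, "GV.RM-01": 3,
    "GV.SC-01": 3, "GV.SC-04": 3, "GV.SC-05": 3,
    "GV.OV-01": 2, "GV.SC-08": 3, "GV.SC-10": 2,
}


def predecessors(crosswalk):
    """Map each 2.0 subcategory to its 1.1 predecessors (empty list = net-new)."""
    preds = {}
    for old, new in crosswalk:
        bucket = preds.setdefault(new, [])   # register the 2.0 item even if old is None
        if old is not None:
            bucket.append(old)
    return preds


def splits_and_merges(crosswalk):
    """Flag 1.1 items that fan out into several 2.0 items (splits) and 2.0 items
    that absorb several 1.1 items (merges); both need their evidence re-scoped."""
    successors = {}
    for old, new in crosswalk:
        if old is not None:
            successors.setdefault(old, []).append(new)
    splits = {o: n for o, n in successors.items() if len(n) > 1}
    merges = {n: o for n, o in predecessors(crosswalk).items() if len(o) > 1}
    return splits, merges


def classify(crosswalk, evidence_11):
    """Per 2.0 subcategory: ('reuse', evidence) when a predecessor has evidence,
    ('gap', []) when predecessors exist but none has evidence, and
    ('net-new', []) when the subcategory has no 1.1 predecessor at all."""
    result = {}
    for new, olds in predecessors(crosswalk).items():
        if not olds:
            result[new] = ("net-new", [])
            continue
        found = [evidence_11[o] for o in olds if o in evidence_11]
        result[new] = ("reuse" if found else "gap", found)
    return result


def remediation_backlog(target_profile, classification):
    """Order the Target Profile into a backlog: net-new work first, then gaps
    where a predecessor existed but no evidence survives, then evidence reuse."""
    rank = {"net-new": 0, "gap": 1, "reuse": 2}
    rows = []
    for sub, tier in target_profile.items():
        status, evidence = classification.get(sub, ("net-new", []))
        rows.append((sub, status, tier, evidence))
    rows.sort(key=lambda r: (rank[r[1]], r[0]))
    return rows


if __name__ == "__main__":
    classes = classify(CROSSWALK, EVIDENCE_11)
    for sub, status, tier, evidence in remediation_backlog(TARGET_PROFILE, classes):
        print(f"{sub:<9} {status:<8} target tier {tier}  {'; '.join(evidence) or '-'}")
    splits, merges = splits_and_merges(CROSSWALK)
    print("splits:", splits, "merges:", merges)
```

The ordering is the point: net-new subcategories head the backlog because they need new evidence artifacts, gaps come next because the control existed in 1.1 but its evidence has lapsed, and reuse rows are carried over from the 1.1 inventory. The splits-and-merges pass catches the case the crosswalk is there to prevent, a single 1.1 artifact silently being counted as evidence for several 2.0 outcomes.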
NIST CSF 2.0 vs 1.1: The Six-Phase 90-Day Sequence
The sequence the Charlotte bank above ended up running — and that matches current practitioner consensus — has six phases. Phase 1 (Days 1-20): baseline inventory, CSF 1.1 evidence collection, crosswalk mapping. Phase 2 (Days 15-40): Govern function stand-up including charter, RACI, risk appetite restatement. Phase 3 (Days 30-55): supply chain uplift — vendor tiering, contract clauses, incident response integration. Phase 4 (Days 45-70): Target Profile selection, tier setting, gap analysis. Phase 5 (Days 55-85): remediation sprints on Protect, Detect, Respond gaps. Phase 6 (Days 75-90): board reporting, KRI refresh, continuous monitoring activation. Each phase produces artifacts that satisfy audit committee questions and audit risk assessment expectations.
NIST CSF 2.0 vs 1.1: KRIs That Survive the Transition
Many CSF 1.1 KRIs map cleanly onto CSF 2.0 — mean time to detect, mean time to respond, percentage of critical vendors reviewed, patch compliance on critical systems, privileged access review completion.
The transition adds governance KRIs (board cyber-review frequency, risk appetite breaches, policy currency) and supply chain KRIs (supplier criticality coverage, contract clause compliance, supplier incident MTTR).
The NIST Cybersecurity Framework Key Risk Indicators guide maps 40+ KRIs to the six functions and is the fastest way to rewire dashboards without losing board continuity.
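The governance and supply chain KRIs named above, computed over a constructed data set as an added Python example. This is not code from the article or from the KRI guide it references: the supplier register, incident dates, policy register, board review dates and traffic-light thresholds are all invented for illustration, and the required-clause set is a stand-in for whatever an organization's GV.SC-05 contract standard actually demands.

```python
"""Governance and supply chain KRIs over a constructed data set.

Added example; not code from the article, riskpublishing.com, or NIST.
Every record and threshold below is constructed for illustration. KRI names
follow the article: supplier criticality coverage, contract clause compliance,
supplier incident MTTR, policy currency, and board cyber-review frequency.
"""
from datetime import date, timedelta

AS_OF = date(2026, 3, 1)  # constructed reporting date

# Constructed supplier register. tier None means the supplier has not been
# tiered yet (a GV.SC-04 gap); clauses are the contract terms actually present.
SUPPLIERS = [
    {"name": "CoreBanking-SaaS", "tier": 1, "clauses": {"breach_notice_72h", "right_to_audit", "sbom"}},
    {"name": "ManagedSOC-MSP", "tier": 1, "clauses": {"breach_notice_72h"}},
    {"name": "PayrollCo", "tier": 2, "clauses": {"breach_notice_72h", "right_to_audit"}},
    {"name": "OfficeCatering", "tier": None, "clauses": set()},
]
REQUIRED_CLAUSES = {"breach_notice_72h", "right_to_audit"}  # constructed minimum for tiers 1-2

# Constructed supplier-originated incidents: (supplier, detected, contained).
SUPPLIER_INCIDENTS = [
    ("ManagedSOC-MSP", date(2025, 11, 2), date(2025, 11, 5)),
    ("PayrollCo", date(2026, 1, 10), date(2026, 1, 11)),
]

# Constructed policy register: (policy, date of last approved review).
POLICIES = [
    ("Information Security Policy", date(2025, 6, 1)),
    ("Access Control Standard", date(2024, 9, 15)),
    ("Vendor Security Standard", date(2026, 1, 20)),
]

# Constructed dates of board-level cyber reviews.
BOARD_REVIEWS = [date(2024, 12, 5), date(2025, 3, 12), date(2025, 9, 20)]


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def supplier_criticality_coverage(suppliers):
    """Share of suppliers that have been assigned a criticality tier."""
    return pct(sum(1 for s in suppliers if s["tier"] is not None), len(suppliers))


def contract_clause_compliance(suppliers, required, tiers=(1, 2)):
    """Share of in-scope (tiered) suppliers whose contracts carry every required clause."""
    in_scope = [s for s in suppliers if s["tier"] in tiers]
    compliant = [s for s in in_scope if required <= s["clauses"]]
    return pct(len(compliant), len(in_scope))


def supplier_incident_mttr_days(incidents):
    """Mean detection-to-containment time for supplier-originated incidents."""
    if not incidents:
        return 0.0
    return sum((contained - detected).days for _, detected, contained in incidents) / len(incidents)


def policy_currency(policies, as_of, max_age_days=365):
    """Share of policies reviewed within the allowed window."""
    cutoff = as_of - timedelta(days=max_age_days)
    return pct(sum(1 for _, reviewed in policies if reviewed >= cutoff), len(policies))


def board_review_frequency(reviews, as_of, window_days=365):
    """Number of board cyber reviews held in the trailing window."""
    cutoff = as_of - timedelta(days=window_days)
    return sum(1 for r in reviews if cutoff <= r <= as_of)


def rate(value, green, amber, higher_is_better=True):
    """Traffic-light status against constructed thresholds."""
    if higher_is_better:
        return "green" if value >= green else "amber" if value >= amber else "red"
    return "green" if value <= green else "amber" if value <= amber else "red"


def kri_dashboard(as_of=AS_OF):
    """Return KRI name -> (value, status). Thresholds are constructed examples."""
    coverage = supplier_criticality_coverage(SUPPLIERS)
    clauses = contract_clause_compliance(SUPPLIERS, REQUIRED_CLAUSES)
    mttr = supplier_incident_mttr_days(SUPPLIER_INCIDENTS)
    currency = policy_currency(POLICIES, as_of)
    reviews = board_review_frequency(BOARD_REVIEWS, as_of)
    return {
        "supplier_criticality_coverage_pct": (coverage, rate(coverage, 90, 75)),
        "contract_clause_compliance_pct": (clauses, rate(clauses, 95, 80)),
        "supplier_incident_mttr_days": (mttr, rate(mttr, 2, 5, higher_is_better=False)),
        "policy_currency_pct": (currency, rate(currency, 90, 75)),
        "board_cyber_reviews_trailing_year": (reviews, rate(reviews, 4, 2)),
    }


if __name__ == "__main__":
    for name, (value, status) in kri_dashboard().items():
        print(f"{name:<36} {value:>6}  {status}")
```

Two design choices matter for board continuity. Contract clause compliance is measured only over tiered suppliers, so an untiered supplier lowers the coverage KRI rather than silently inflating the compliance KRI; and each KRI is a plain function over its register, so the same code runs against last quarter's 1.1-era data and this quarter's 2.0 data without changing the dashboard.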
NIST CSF 2.0 vs 1.1: Frequently Asked Questions
Is NIST CSF 1.1 still valid under NIST CSF 2.0 vs 1.1 comparisons?
NIST CSF 1.1 remains a legitimate reference but is no longer NIST’s current framework — CSF 2.0 replaced it on 26 February 2024.
Most regulators, insurers, and federal contracting guidance now reference “NIST Cybersecurity Framework” with an implicit expectation of CSF 2.0. If contracts or policies explicitly pin to CSF 1.1, renegotiate the reference rather than freeze your program on a superseded version.
NIST CSF 2.0 vs 1.1: How long does the transition take?
Transition time depends on CSF 1.1 maturity. A well-documented CSF 1.1 program at Tier 3 typically lands CSF 2.0 in 60-90 days.
Organizations at Tier 1 or without a CSF 1.1 baseline should budget six months to a year and sequence Govern and supply chain first. Do not compress the Govern stand-up — board and executive alignment is the rate-limiting step.
Does NIST CSF 2.0 vs 1.1 change compliance obligations?
NIST CSF 2.0 vs 1.1 does not by itself create new US federal obligations — both are voluntary frameworks. But regulated entities face downstream pressure: FFIEC guidance references the latest NIST CSF; FTC enforcement of reasonable security cites NIST frameworks; state laws (New York DFS 23 NYCRR 500, Ohio Data Protection Act) reference “NIST Cybersecurity Framework” without pinning a version; cyber insurance underwriting routinely requires CSF 2.0 alignment at renewal.
NIST CSF 2.0 vs 1.1: Do small businesses really need to adopt it?
Yes — NIST CSF 2.0 was explicitly redesigned with small and mid-size businesses in mind. The Small Business Quick Start Guide translates Core outcomes into steps a 25-employee firm can run without a full-time CISO.
Adoption among US small businesses grew from 29% in 2023 to 42% in 2025. Cyber insurance carriers increasingly require NIST CSF self-attestation from SMB applicants.
How does NIST CSF 2.0 vs 1.1 align with ISO/IEC 27001:2022?
NIST CSF 2.0 vs 1.1 aligns with ISO/IEC 27001:2022 far better than 1.1 did. The new Govern function maps cleanly to ISO 27001 Clause 5 (Leadership), Clause 6 (Planning), and Annex A controls A.5 (Organizational) and A.6 (People).
Organizations certified to ISO 27001 can use their existing evidence to satisfy most of Govern, Identify, and Protect in CSF 2.0. See the NIST CSF 2.0 Informative References tool for the formal mapping updates published through 2025 and 2026.
NIST CSF 2.0 vs 1.1: What is a Community Profile?
A Community Profile is a sector-specific or use-case-specific baseline of CSF 2.0 Subcategories that multiple organizations can adopt together.
The first finalized Community Profile is the April 2025 Incident Response Profile (SP 800-61r3). Drafts in progress include Manufacturing and Small Business profiles. Community Profiles are the fastest route to a defensible Target Profile when your sector has one published.
NIST CSF 2.0 vs 1.1: What about cyber insurance implications?
Most US cyber insurance carriers updated their 2025 and 2026 underwriting language to reference NIST CSF 2.0 alignment — especially Govern, supply chain, and incident response outcomes.
Firms still running CSF 1.1 self-assessments face harder renewals, higher retentions, and occasional non-renewals. Present a CSF 2.0 Target Profile and a 90-day transition roadmap at renewal — underwriters credit the plan, not just the end state.
NIST CSF 2.0 vs 1.1: Common Transition Pitfalls
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Rebuilding from scratch instead of using the crosswalk | Teams treat 2.0 as a greenfield rather than a structural update | Use the official NIST Transition Spreadsheet; map existing 1.1 evidence into 2.0 subcategories |
| Skipping the Govern stand-up | Cyber team treats governance as already covered by policy docs | Treat Govern as a separate program track with board sponsorship; charter, RACI, risk appetite restatement |
| Treating tiers as a maturity ladder | Legacy 1.1 interpretations that Tier 4 is the goal | Match tier to risk profile; accept Tier 2 or 3 where defensible; document the rationale |
| Under-investing in GV.SC | Supply chain still treated as procurement questionnaire | Stand up a GV.SC program with supplier tiering, contract clauses, and incident response integration |
| Ignoring the 16 new subcategories | Assumption that subcategories only consolidated | Flag the 16 new subcategories as net-new work; budget net-new evidence collection |
| Tool-first transition | Vendor pressure to buy a CSF 2.0 module | Set outcomes first, then map tools; most CSF 1.1 tool stacks cover 70-80% of 2.0 with configuration changes |
| One-off transition project | Transition framed as a program with an end date | Embed CSF 2.0 Profiles, tiers, and KRIs into the continuous risk cycle |
NIST CSF 2.0 vs 1.1: Looking Ahead to 2026 and Beyond
NIST CSF 2.0 vs 1.1 is a 10-year structural reset, not a one-year project. Through late 2026, expect three compounding drivers to push adoption: additional Community Profiles (Manufacturing, Small Business, Federal), deeper integration with NIST SP 800-53 Rev. 5 and the forthcoming SP 800-53 Rev. 6, and sharper alignment with the SEC cybersecurity disclosure rule, FTC safeguards updates, and state-level attorneys general enforcement.
Insurers and federal contracting officers will ratchet expectations; laggard programs will feel it in pricing and procurement outcomes.
On the governance side, Govern maturity will become the new differentiator between “checked the NIST box” and “has a real program.”
Expect US boards and audit committees to adopt Govern-function KPIs as standard quarterly reporting — policy currency, risk appetite breaches, third-party tier coverage, cyber-incident materiality assessments — and to tie executive compensation to cyber outcomes in regulated industries.
This mirrors the post-SOX trajectory of financial-reporting controls and strengthens the case for a unified integrated risk management approach rather than separate cyber, compliance, and ERM programs.
Supply chain will remain the single most visible NIST CSF 2.0 vs 1.1 delta. The 2025 wave of ransomware-via-MSP incidents and continuing software-supply-chain exploits will push GV.SC from aspirational to audit-critical.
Regulated sectors — banking, healthcare, defense contractors under CMMC 2.0 — will embed GV.SC expectations into contractual flow-down clauses. Practitioners should plan a continuous supplier-intelligence capability, not a once-a-year questionnaire, as part of their supply chain risk management plan.
Finally, watch the NIST Cybersecurity Framework roadmap on the CSRC site. NIST has committed to a rolling update cadence rather than another decade of silence — incremental revisions, new Community Profiles, and integration with the AI RMF 600-1 Generative AI Profile, the Privacy Framework 1.1, and the Secure Software Development Framework (SSDF). NIST CSF 2.0 vs 1.1 is the headline story of 2024-2026, but the story continues. Programs that treat CSF 2.0 as the ceiling will be behind again by 2028; programs that treat it as the current floor will stay aligned through the next cycle.
Ready to Plan Your NIST CSF 2.0 vs 1.1 Transition?
At riskpublishing.com we help US organizations design and deliver NIST CSF 2.0 transitions grounded in ISO 31000, ISO/IEC 27001:2022, NIST SP 800-53 Rev. 5, and the NIST CSF 2.0 implementation guide.
Practical deliverables: 1.1-to-2.0 crosswalk, Govern function charter, supply chain uplift plan, Target Profile, tier selection, remediation backlog, and a board-ready CSF 2.0 KRI dashboard.
Explore our cybersecurity risk advisory services — or contact us to scope a NIST CSF 2.0 vs 1.1 readiness review tailored to your sector, size, and regulatory exposure.
NIST CSF 2.0 vs 1.1: Authoritative References
1. NIST — The NIST Cybersecurity Framework (CSF) 2.0 (CSWP 29)
2. NIST — Cybersecurity Framework home
3. NIST — Releases Version 2.0 of Landmark Cybersecurity Framework (Feb 2024)
4. NIST CSRC — The NIST CSF 2.0 is Here!
5. NIST — CSF 2.0 Informative References
6. NIST SP 800-53 Rev. 5 — Security and Privacy Controls
7. NIST SP 800-61r3 — Incident Response CSF 2.0 Community Profile (April 2025)
8. NIST CSRC — CSF 2.0 Manufacturing Profile (initial draft)
9. NIST Cybersecurity Framework Updates Archive
10. Cooley — NIST Unveils Cybersecurity Framework 2.0
11. CSO Online — NIST releases expanded 2.0 version of the Cybersecurity Framework
12. IBM Think — Unpacking the NIST Cybersecurity Framework 2.0
13. ISO/IEC 27001:2022 — Information security management systems

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
