The NIST Cybersecurity Framework is the world’s most widely adopted way to organise a security program. Its 2.0 release in 2024 added a sixth function and broadened its audience well beyond critical infrastructure. Here is a primer for businesses encountering it for the first time.
- NIST CSF 2.0 was released in 2024 and applies to organisations of all sizes and sectors.
- It is built around six functions: Govern, Identify, Protect, Detect, Respond and Recover.
- Govern is the new function, elevating security as a business-wide responsibility.
- Recover is where backups and tested restoration live.
What the framework is
The NIST Cybersecurity Framework (CSF) is a voluntary framework from the US National Institute of Standards and Technology. It does not prescribe specific products; instead it gives a common language and structure for managing cyber risk. Although American in origin, it is used globally and pairs naturally with regional guidance like Australia’s Essential Eight.
What changed in 2.0
The 2024 release made two notable moves. First, it broadened scope explicitly to all organisations, not just critical infrastructure. Second, it introduced Govern as a new core function, recognising that cyber risk is an enterprise governance issue, not just an IT one.
The six functions
- Govern — set strategy, roles, policy and risk appetite; make security a leadership responsibility.
- Identify — understand your assets, data, suppliers and risks.
- Protect — put safeguards in place: access control, training, data security.
- Detect — find incidents quickly through monitoring.
- Respond — act on detected incidents to contain and manage them.
- Recover — restore capabilities and data, and learn from the event.
How to use it as an SMB
You do not implement the CSF in one go. Assess your current state against each function, define a target profile appropriate to your risk, and close gaps over time. Its value is in giving leadership a structured conversation about where you are strong and where you are exposed.
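The current-state versus target-profile comparison described above can be made concrete with a small gap-analysis script. This is an added example, not code from the article or from NIST; it assumes an illustrative 0-4 maturity score per function (not the CSF's own Tiers) and an optional per-function weight expressing how much each function matters to the business. The sample profiles are constructed.

```python
"""Gap analysis between a current and a target profile across the six CSF 2.0 functions.

Added example, not part of the original article or of NIST's material.
Assumptions: each function is rated on a simple 0-4 maturity score (an
illustrative scale chosen here, not the CSF's Tiers), and an optional
weight per function expresses its business importance.
"""
from __future__ import annotations

from dataclasses import dataclass

FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")
MAX_SCORE = 4


@dataclass(frozen=True)
class FunctionGap:
    function: str
    current: int
    target: int
    weight: float

    @property
    def gap(self) -> int:
        # Negative when current already exceeds target: no work needed there.
        return self.target - self.current

    @property
    def priority(self) -> float:
        # Weighted gap; a function with no shortfall gets zero priority.
        return max(self.gap, 0) * self.weight


def validate_profile(profile: dict[str, int], name: str) -> None:
    """Reject a profile that misses a function or uses an out-of-range score."""
    missing = set(FUNCTIONS) - profile.keys()
    if missing:
        raise ValueError(f"{name} profile missing functions: {sorted(missing)}")
    for fn, score in profile.items():
        if fn not in FUNCTIONS:
            raise ValueError(f"{name} profile has unknown function {fn!r}")
        if not 0 <= score <= MAX_SCORE:
            raise ValueError(f"{name} score for {fn} out of range: {score}")


def gap_analysis(current, target, weights=None) -> list[FunctionGap]:
    """Return every function ordered by weighted gap, largest first.

    Ties are broken by the framework's own function order, so Govern
    comes before Identify when their priorities are equal.
    """
    validate_profile(current, "current")
    validate_profile(target, "target")
    weights = weights or {}
    gaps = [
        FunctionGap(fn, current[fn], target[fn], weights.get(fn, 1.0))
        for fn in FUNCTIONS
    ]
    return sorted(gaps, key=lambda g: (-g.priority, FUNCTIONS.index(g.function)))


def remediation_plan(current, target, weights=None) -> list[str]:
    """Names of the functions that still need work, highest priority first."""
    return [g.function for g in gap_analysis(current, target, weights) if g.gap > 0]


# Constructed sample: a small business with weak governance and an untested recovery story.
SAMPLE_CURRENT = {"Govern": 1, "Identify": 2, "Protect": 3, "Detect": 1, "Respond": 2, "Recover": 1}
SAMPLE_TARGET = {"Govern": 3, "Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 4}
SAMPLE_WEIGHTS = {"Recover": 1.5, "Govern": 1.2}  # restoring trading matters most to this business

if __name__ == "__main__":
    for g in gap_analysis(SAMPLE_CURRENT, SAMPLE_TARGET, SAMPLE_WEIGHTS):
        print(f"{g.function:<9} current={g.current} target={g.target} "
              f"gap={g.gap:+d} priority={g.priority:.1f}")
    print("Work in this order:", ", ".join(remediation_plan(SAMPLE_CURRENT, SAMPLE_TARGET, SAMPLE_WEIGHTS)))
```

Run as a script it prints the weighted ranking; the ordered list is what gives leadership the structured conversation the article describes, because it shows not just where the gaps are but which ones the business has decided matter most.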
Where backups sit
Backups live primarily in the Recover function — but they touch Protect (safeguarding data) and Respond (enabling clean restoration after an incident) too. A framework can describe recovery beautifully, but it only works if the backups behind it are real: independent, retained and tested. For cloud accounting data, that means an independent copy of your Xero file with clear recovery objectives.
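The "independent, retained and tested" test in the paragraph above can be applied mechanically to backup evidence. The following is an added example, not code from the article and not a Xero or NIST tool; it assumes backup copies are described by simple records (when taken, where stored, when last restore-tested) and that the recovery objectives are expressed as an RPO, a retention period, a minimum copy count, a restore-test cadence and the name of the primary system the copies must be independent of. All records below are constructed.

```python
"""Check backup evidence against stated recovery objectives.

Added example, not part of the original article and not a Xero or NIST tool.
Assumptions: each copy is a record of when it was taken, where it is stored
and when it was last restore-tested; the policy names the primary system
(copies stored there are not independent), an RPO, a retention period, a
minimum copy count and a maximum age for the last restore test.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    taken_at: datetime
    storage: str                                 # system or provider holding this copy
    restore_tested_at: Optional[datetime] = None  # when this copy was last actually restored


@dataclass(frozen=True)
class RecoveryPolicy:
    primary_system: str              # copies stored here do not count as independent
    rpo: timedelta                   # recovery point objective: tolerable data loss
    retention: timedelta             # how far back restorable copies must reach
    min_copies: int                  # minimum number of independent copies
    restore_test_max_age: timedelta  # how recently a restore must have been exercised


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def assess_backups(copies, policy, now):
    """Compare backup evidence with the policy; an empty list means compliant."""
    findings = []
    # Independence: only copies held outside the primary system count.
    independent = [c for c in copies if c.storage != policy.primary_system]
    dependent_count = len(copies) - len(independent)
    if dependent_count:
        findings.append(Finding("dependent_copies_ignored",
                                f"{dependent_count} copy(ies) stored in {policy.primary_system} "
                                "are not independent and are ignored"))
    if not independent:
        findings.append(Finding("no_independent_copy", "no copy exists outside the primary system"))
        return findings

    # Recovery objectives: RPO is measured from the newest independent copy,
    # retention from the oldest one.
    newest = max(c.taken_at for c in independent)
    oldest = min(c.taken_at for c in independent)
    if now - newest > policy.rpo:
        findings.append(Finding("rpo_breached",
                                f"newest independent copy is {now - newest} old; RPO is {policy.rpo}"))
    if now - oldest < policy.retention:
        findings.append(Finding("retention_short",
                                f"oldest copy reaches back only {now - oldest}; retention is {policy.retention}"))
    if len(independent) < policy.min_copies:
        findings.append(Finding("too_few_copies",
                                f"{len(independent)} independent copies; policy needs {policy.min_copies}"))

    # Tested: a backup that has never been restored is an assumption, not a capability.
    tests = [c.restore_tested_at for c in independent if c.restore_tested_at is not None]
    if not tests:
        findings.append(Finding("restore_test_missing", "no independent copy has ever been restore-tested"))
    elif now - max(tests) > policy.restore_test_max_age:
        findings.append(Finding("restore_test_stale",
                                f"last restore test was {now - max(tests)} ago; "
                                f"limit is {policy.restore_test_max_age}"))
    return findings


def finding_codes(copies, policy, now):
    """Sorted finding codes, convenient for reporting and for checks."""
    return sorted(f.code for f in assess_backups(copies, policy, now))


# Constructed sample data (fixed clock so results are reproducible).
NOW = datetime(2024, 6, 30, 9, 0, tzinfo=timezone.utc)
POLICY = RecoveryPolicy(primary_system="cloud-accounting-saas", rpo=timedelta(hours=24),
                        retention=timedelta(days=30), min_copies=7,
                        restore_test_max_age=timedelta(days=90))
# Daily copies for 31 days in a separate store, newest one restore-tested 20 days ago.
GOOD_COPIES = [BackupCopy(NOW - timedelta(days=d, hours=1), "independent-backup-store",
                          restore_tested_at=NOW - timedelta(days=20) if d == 0 else None)
               for d in range(31)]
# A fresh copy that lives inside the primary system, plus two sparse independent copies.
BAD_COPIES = [BackupCopy(NOW - timedelta(hours=2), "cloud-accounting-saas"),
              BackupCopy(NOW - timedelta(days=3), "independent-backup-store",
                         restore_tested_at=NOW - timedelta(days=200)),
              BackupCopy(NOW - timedelta(days=10), "independent-backup-store")]

if __name__ == "__main__":
    for label, copies in (("good", GOOD_COPIES), ("bad", BAD_COPIES)):
        print(label, [f"{f.code}: {f.detail}" for f in assess_backups(copies, POLICY, NOW)] or "compliant")
```

The point of treating the copy inside the primary system as ignored rather than merely flagged is that the RPO and retention checks are then computed only over copies that would survive the loss of that system, which is exactly what "independent copy" means in the paragraph above.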