
What Is NIST CSF 2.0 and Why the New "Govern" Function Changes Everything

Vigil Research
Jan 20, 2026 · 7 min read

CSF 2.0 added a sixth function — Govern — that makes the board accountable for cybersecurity risk. Here's what that means for your program.

NIST released Cybersecurity Framework 2.0 in February 2024. The headline change: a new sixth function, **Govern**, was added alongside the original five (Identify, Protect, Detect, Respond, Recover). This isn't just a structural change — it represents a fundamental shift in how cybersecurity governance is framed.

Why Govern Changes Everything

CSF 1.1 treated governance as an implicit part of cybersecurity. Boards and executives were stakeholders but not explicitly accountable. CSF 2.0 makes governance a first-class function with its own category and subcategory structure.

The Govern function includes six categories:

  • GV.OC (Organizational Context)
  • GV.RM (Risk Management Strategy)
  • GV.RR (Roles, Responsibilities, and Authorities)
  • GV.PO (Policy)
  • GV.OV (Oversight)
  • GV.SC (Cybersecurity Supply Chain Risk Management)

**GV.OV (Oversight)** is the most significant for boards. It requires documented evidence of board-level oversight of cybersecurity risk — meeting minutes, board reporting cadence, and defined escalation paths. This is new. Previously, boards could claim passive oversight. Under CSF 2.0, oversight must be demonstrable.

The Board Reporting Implication

GV.OV explicitly connects to board reporting. For PostureIQ users, this means:

  1. Your posture score now needs to include a Govern function score — not just the original five
  2. Your board report needs to demonstrate that the board reviewed and acknowledged the posture report
  3. Your risk management strategy (GV.RM) needs to be documented and board-approved

CSF 2.0 vs CSF 1.1 — The Scoring Difference

Organizations that were previously scoring themselves on CSF 1.1's five functions will often see their overall score improve or stay similar in CSF 2.0, because the Govern function formalizes controls many organizations already had informally. However, organizations with immature governance practices (no documented risk management strategy, no formal board reporting cadence) will see material scoring differences in the GV category.

PostureIQ scores all six CSF 2.0 functions and generates board-facing reports that satisfy GV.OV oversight documentation requirements.
