NIST’s Cybersecurity Framework (CSF) 2.0 is the closest thing security has to a common language across industries. Unlike CMMC and NIST 800-171 — which are tied to defense contracts and Controlled Unclassified Information — CSF 2.0 is voluntary and built for any organization, in any sector, at any size. That’s exactly why customers, cyber insurers, and boards increasingly ask about it: it gives everyone a shared way to talk about risk. Here’s what it actually covers and how to start using it.
What NIST CSF 2.0 is
Released in February 2024, CSF 2.0 is the first major update to the framework since 2018. It organizes cybersecurity risk management into a small set of outcomes rather than a long checklist of technical controls — part of why it’s so widely adopted outside government and defense. It isn’t a certification. There’s no CSF “pass” or “fail,” and no third-party assessor issues a CSF credential — it’s a structure you use to organize, measure, and communicate your security program.
Why it applies beyond defense contractors
CMMC and NIST 800-171 exist because of a specific relationship: a contract with the DoD that involves Controlled Unclassified Information. CSF 2.0 has no such trigger. The 2.0 update explicitly broadened its scope from critical infrastructure to organizations of every type and size — manufacturers protecting intellectual property, professional services firms protecting client data, and any business fielding a security questionnaire from a customer or cyber insurer. If you don’t already have a framework you’re required to follow, CSF 2.0 is usually the most practical place to start.
The six functions
CSF 2.0 organizes everything into six Functions. The biggest change from the previous version is the addition of a sixth: Govern.
- Govern — setting risk strategy, roles, policy, and oversight (new in 2.0)
- Identify — knowing your assets, data, and risk exposure
- Protect — safeguards that limit or contain an incident
- Detect — finding security events as they happen
- Respond — containing and managing an active incident
- Recover — restoring capabilities and services afterward
Implementation Tiers
Alongside the six Functions, CSF 2.0 uses four Tiers — Partial, Risk Informed, Repeatable, and Adaptive — to describe how mature and consistent an organization’s risk management practices are. Tiers aren’t a maturity score to chase for its own sake; they’re a way to have an honest conversation about where you actually are today versus where the business needs you to be.
How it fits with frameworks you may already have
If you’re already working in CMMC, NIST 800-171, or SOC 2, CSF 2.0 isn’t a fourth thing competing for your attention — it’s usually the umbrella that ties them together. Its structure maps cleanly onto other control sets, which is why we frequently use it as the connective layer across multiple compliance obligations rather than tracking each framework in isolation.
Where organizations typically start
Most engagements begin with a current-state profile: a straightforward look at where you stand across the six Functions, an honest Tier rating, and a prioritized list of what to close first. From there it becomes an ongoing part of how the business manages risk, not a one-time project.
How Mythos helps
We help you build a current-state profile, prioritize the gaps that matter most, and — if you’re already working in CMMC, NIST 800-171, or SOC 2 — map CSF 2.0 across what you’ve already built rather than starting from zero.
Related resources
Not sure where NIST CSF 2.0 fits for your business?
A Security & Compliance Review gives you an honest read on where you stand and a prioritized path forward.
Schedule a Security ReviewSchedule a Security & Compliance Review
Tell us about your organization and we’ll get back to you within one business day.