Frameworks
5 min

NIST CSF 2.0: Why the New GOVERN Function Changes Everything

The addition of GOVERN as a sixth function in NIST CSF 2.0 elevates cybersecurity governance to a board-level concern. Here is what it means for your programme.

Netallion Team·April 15, 2026

NIST CSF 2.0: Why the New GOVERN Function Changes Everything

When NIST released version 2.0 of the Cybersecurity Framework in February 2024, the biggest change was not an update to existing functions — it was an entirely new one. GOVERN joins Identify, Protect, Detect, Respond, and Recover as the sixth core function, and it fundamentally reshapes how organisations should think about cybersecurity governance.

What is the GOVERN Function?

GOVERN addresses the organisational context, risk management strategy, roles, policies, and oversight that form the foundation of a cybersecurity programme. In CSF 1.1, these elements were scattered across the Identify function. In 2.0, they have their own dedicated function — signalling that governance is not a subset of identification, but a peer concern equal in importance to protection and detection.

The GOVERN Categories

GV.OC — Organisational Context

Understand your mission, stakeholders, legal obligations, and the critical services that others depend on. This category ensures cybersecurity is aligned with what the organisation actually does and needs.

GV.RM — Risk Management Strategy

Establish risk appetite, risk tolerance, and a standardised approach to calculating and prioritising cybersecurity risks. This is where the board sets the boundaries that the rest of the programme operates within.

GV.RR — Roles, Responsibilities, and Authorities

Define who is accountable for cybersecurity risk management. This includes allocating adequate resources and integrating cybersecurity into human resources practices.

GV.PO — Policy

Establish, communicate, and enforce a cybersecurity policy based on your organisational context and risk strategy.

GV.OV — Oversight

Monitor and review your cybersecurity risk management strategy. This is where board-level reporting, KPIs, and continuous improvement live.

GV.SC — Supply Chain Risk Management

Establish processes for identifying, assessing, and managing supply chain cybersecurity risks. This has become critical as supply chain attacks proliferate.

Why It Matters

Board Accountability

GOVERN makes it explicit: the management body is responsible for cybersecurity risk. This aligns NIST CSF with DORA (which has similar governance requirements for financial entities) and the EU AI Act (which requires board-level oversight of high-risk AI systems).

Programme Foundation

Without governance, the other five functions lack direction. Protect and Detect are meaningless without a risk strategy defining what you are protecting and detecting against. GOVERN provides that strategy.

Audit Readiness

Auditors increasingly ask about governance first. "Show me your cybersecurity policy" and "who is accountable for cybersecurity risk?" are now opening questions, not afterthoughts. GOVERN gives you a structured way to answer them.

Mapping GOVERN in Netallion

Netallion's NIST CSF 2.0 module includes 5 GOVERN controls covering organisational context, risk strategy, roles, policy, and oversight. Cross-framework mapping links these directly to ISO 27001 governance controls and DORA Pillar 1 requirements.

Start your NIST CSF 2.0 assessment at grc.netallion.app.

NIST CSF
Cybersecurity
Governance
Framework

Ready to build your compliance evidence pack?

Start with a free starter kit or create your first assurance pack.