Fast Facts: What the New NIST Cybersecurity Framework Govern Function Means

When the Framework for Improving Critical Infrastructure Cybersecurity made its debut in 2014, it laid the foundation for how cyber risk managers would begin to address cybersecurity in core U.S. verticals.

A decade later in February 2024, the National Institute of Standards and Technology (NIST) released a much-anticipated update to the original framework. Included in this 2.0 version are an official name change to the Cybersecurity Framework (CSF)—recognizing the informal name practitioners have long used for the 10-year-old work and acknowledging that the framework is applicable to high-risk sectors and small-to medium-sized business, too.

The update also builds on what Kevin Stine, chief of the applied cybersecurity division in the NIST Information Technology Laboratory (ITL), calls the CSF’s greatest value proposition: a common language to talk about cybersecurity.

“That common language that the framework provides is a really great way to express your own capabilities, express your requirements of other organizations, or your expectations,” he adds. “But doing so in a way that can be understood and acted on by not only the technologists but the risk managers and all the different parts of that cybersecurity ecosystem.”

Key to this expression is the new function that NIST has added to the framework: Govern. The video below explains what this function is and how it fits into the five other pillars of the framework.