NIST CSF 2.0 vs 1.1: A Practical Mapping for Teams That Already Adopted
Compliance
CSF 2.0 added the Govern function and reorganised the rest. If you built your security program on CSF 1.1, the migration is not cosmetic. Here is what changes and how to remap.
By Arjun Raghavan, Security & Systems Lead, BIPI · June 10, 2024 · 6 min read
NIST released CSF 2.0 in February 2024 after a two-year drafting cycle. For organisations that adopted CSF 1.1, the new framework is not a tweak. It adds a sixth function, redistributes 20 percent of the subcategories, and reframes how supply chain risk fits into the model. We have helped two financial services clients and a state government agency migrate their existing programs over the last 14 months. The work is more interesting than the version number suggests.
The Govern function is the headline
CSF 1.1 had five functions: Identify, Protect, Detect, Respond, Recover. CSF 2.0 adds Govern as the sixth. It is not bolted on; it is positioned as the function that sits across all the others. The subcategories under Govern absorb pieces that used to live under Identify, plus brand new content on organisational context, risk management strategy, roles and responsibilities, policy, and oversight.
If you wrote a CSF 1.1 control narrative for ID.GV-1 about cybersecurity policy, that subcategory does not exist in 2.0. Its descendants live under GV.PO. We built a translation table for one client that mapped 108 CSF 1.1 subcategories to 106 CSF 2.0 subcategories. About 30 percent moved cleanly, 50 percent moved with reframing, and 20 percent split or merged.
Supply chain gets its own subdomain
CSF 1.1 had supply chain risk management scattered across Identify and Protect. CSF 2.0 consolidates it under GV.SC with ten subcategories. This is a real upgrade. The new content covers cybersecurity supply chain risk management programs, supplier assessment processes, contract requirements, and integration with the broader procurement lifecycle.
For a financial services client, this changed how they reported to the board. Under 1.1 they had supply chain mentions in three different sections of their quarterly report. Under 2.0 they pulled it into a single supply chain risk dashboard tied directly to GV.SC. The board liked it; the procurement team liked it; the auditors liked it.
What got emphasised
- Cybersecurity governance as a board-level activity with explicit oversight subcategories
- Risk appetite and tolerance statements as a documented input to the program
- Cybersecurity workforce considerations including roles, responsibilities, and capacity
- Cybersecurity awareness and training broken out from the broader Protect function
- Improvement as an explicit subcategory under each function rather than something left implicit
The mapping work nobody talks about
If you have a control library mapped to CSF 1.1 subcategories, that mapping is now stale. NIST published an informative reference between 1.1 and 2.0 on the OLIR portal, but the mapping is many-to-many for about 35 percent of subcategories. You cannot run a script and call it done.
We approach this in three passes. First pass: take every 1.1 subcategory you have evidence for and find its 2.0 home using the OLIR mapping. Second pass: review the new 2.0 subcategories and identify which have no 1.1 ancestor; those are your gaps. Third pass: rewrite your control narratives in 2.0 language because the wording changed even where the meaning did not.
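The three passes above are mechanical enough to script, and doing so is what keeps a many-to-many crosswalk from silently dropping a split or a merge. The following is an added example, not code from the article or from NIST: it runs the three passes over a small crosswalk. The crosswalk rows, the in-scope 2.0 subcategory list and the evidence table are constructed for illustration and are not the published OLIR informative reference; the numbered identifiers under GV.PO, GV.OC and GV.SC are placeholders, as are the evidence artefact ids.

```python
"""Three-pass remap of a CSF 1.1 control mapping onto CSF 2.0 (added example).

Crosswalk rows, subcategory list and evidence are constructed; they are not the
OLIR informative reference, and the numbered 2.0 identifiers are placeholders.
"""
from collections import defaultdict

# (CSF 1.1 subcategory, CSF 2.0 subcategory, relationship) - constructed rows.
CROSSWALK = [
    ("ID.GV-1", "GV.PO-01", "subset"),      # 1.1 policy item splits across two 2.0 homes
    ("ID.GV-1", "GV.PO-02", "subset"),
    ("ID.SC-1", "GV.SC-01", "equivalent"),  # supply chain consolidates under GV.SC
    ("ID.SC-2", "GV.SC-03", "equivalent"),
    ("PR.IP-1", "PR.PS-01", "equivalent"),
    ("PR.AT-1", "PR.AT-01", "equivalent"),  # two 1.1 items merge into one 2.0 item
    ("PR.AT-5", "PR.AT-01", "subset"),
]

# CSF 2.0 subcategories in scope (constructed subset); GV.OC-01 has no 1.1 ancestor.
CSF2_SUBCATEGORIES = ["GV.PO-01", "GV.PO-02", "GV.OC-01", "GV.SC-01",
                      "GV.SC-03", "PR.PS-01", "PR.AT-01"]

# CSF 1.1 subcategories the team holds evidence for (constructed artefact ids).
EVIDENCE_11 = {
    "ID.GV-1": ["POL-001"],
    "ID.SC-1": ["SCRM-charter"],
    "PR.IP-1": ["baseline-std"],
    "PR.AT-1": ["training-records"],
    "PR.AT-5": ["training-records"],
}


def index_crosswalk(crosswalk):
    """Build forward (1.1 -> 2.0) and backward (2.0 -> 1.1) indexes plus a relationship lookup."""
    fwd, back, rel = defaultdict(list), defaultdict(list), {}
    for old, new, relationship in crosswalk:
        fwd[old].append(new)
        back[new].append(old)
        rel[(old, new)] = relationship
    return fwd, back, rel


def pass_one(evidence, crosswalk):
    """Pass 1: find each evidenced 1.1 subcategory's 2.0 home(s) and classify the move."""
    fwd, back, _ = index_crosswalk(crosswalk)
    result = {}
    for old in evidence:
        homes = sorted(fwd.get(old, []))
        if not homes:
            kind = "unmapped"
        elif len(homes) > 1:
            kind = "split"          # one 1.1 item lands in several 2.0 subcategories
        elif len(back[homes[0]]) > 1:
            kind = "merge"          # several 1.1 items share one 2.0 subcategory
        else:
            kind = "clean"
        result[old] = {"homes": homes, "kind": kind}
    return result


def pass_two(csf2, crosswalk, evidence):
    """Pass 2: 2.0 subcategories with no 1.1 ancestor (structural gaps) and those whose
    ancestors exist but carry no evidence (evidence gaps)."""
    _, back, _ = index_crosswalk(crosswalk)
    no_ancestor, no_evidence = [], []
    for new in csf2:
        ancestors = back.get(new, [])
        if not ancestors:
            no_ancestor.append(new)
        elif not any(evidence.get(old) for old in ancestors):
            no_evidence.append(new)
    return {"no_ancestor": sorted(no_ancestor), "no_evidence": sorted(no_evidence)}


def pass_three(csf2, crosswalk, evidence):
    """Pass 3: a narrative worklist per 2.0 subcategory with the evidence that carries
    over and the kind of rewrite needed (new, reframed, or reworded text)."""
    _, back, rel = index_crosswalk(crosswalk)
    worklist = {}
    for new in csf2:
        ancestors = sorted(back.get(new, []))
        carried = sorted({e for old in ancestors for e in evidence.get(old, [])})
        if not ancestors:
            action = "new"       # nothing to inherit: write from scratch
        elif len(ancestors) > 1 or any(rel[(old, new)] != "equivalent" for old in ancestors):
            action = "reframe"   # meaning shifted, merged or split: rework the narrative
        else:
            action = "reword"    # same meaning, but restate it in 2.0 wording
        worklist[new] = {"from": ancestors, "evidence": carried, "action": action}
    return worklist


def summarise(pass_one_result):
    """Count clean / split / merge / unmapped moves so the effort can be sized."""
    counts = defaultdict(int)
    for entry in pass_one_result.values():
        counts[entry["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    moves = pass_one(EVIDENCE_11, CROSSWALK)
    print("pass 1:", moves)
    print("pass 2:", pass_two(CSF2_SUBCATEGORIES, CROSSWALK, EVIDENCE_11))
    print("pass 3:", pass_three(CSF2_SUBCATEGORIES, CROSSWALK, EVIDENCE_11))
    print("summary:", summarise(moves))
```

Two design points carry over to a real crosswalk. Pass 2 separates subcategories that have no 1.1 ancestor at all (genuinely new content, such as the organisational context material under Govern) from subcategories whose ancestors exist but were never evidenced; the first kind needs a new control, the second only needs evidence collection. Pass 3 marks every inherited narrative for at least a reword, because the wording changed even where the meaning did not, and escalates to a reframe wherever the relationship is not a plain equivalence or several 1.1 items converge on one 2.0 home.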
When migration is worth it
There is no regulatory deadline forcing the move from 1.1 to 2.0. NIST has not deprecated 1.1, and most contractual references to CSF do not specify a version. So the question becomes: when is the migration worth the effort?
We have seen three triggers justify the work. Your board or audit committee asks for a governance view that 1.1 cannot cleanly produce. Your supply chain risk program has matured past what 1.1 subcategories can describe. You are doing a major program refresh anyway and the marginal cost of jumping to 2.0 is small. If none of these apply, stay on 1.1 until your next major review cycle. There is no penalty for being on the older version.