NIST CSF 2.0: What the New 'Govern' Function Actually Requires — and How to Implement It

  • Writer: Kartik Trivedi
  • Mar 18
  • 2 min read

In early 2024, NIST released Cybersecurity Framework 2.0 — the first major revision to the framework since its initial release in 2014. The headline change: a new sixth function called Govern. For organizations already aligned to CSF 1.1, this isn't a minor update. It's a structural addition that sits above the other five functions and fundamentally changes how the framework approaches organizational accountability for cybersecurity risk.

What the Govern Function Is

The Govern function addresses cybersecurity risk management strategy, expectations, and policy. It's designed to establish the organizational context in which the other five functions (Identify, Protect, Detect, Respond, Recover) operate. Think of it as the management layer that ensures the rest of the framework is being implemented with accountability, prioritization, and executive oversight.

The Six Categories Within Govern

  • GV.OC — Organizational Context: Understanding your operating environment and mission-critical assets

  • GV.RM — Risk Management Strategy: Establishing risk tolerance, appetite, and management approach

  • GV.RR — Roles, Responsibilities, and Authorities: Defining who owns what in your security program

  • GV.PO — Policy: Developing and communicating cybersecurity policy across the organization

  • GV.OV — Oversight: Senior leadership review and adjustment of cybersecurity risk management

  • GV.SC — Cybersecurity Supply Chain Risk Management: Managing risk from vendors, suppliers, and third parties

Where Most Organizations Are Starting from Zero

For most organizations aligned to CSF 1.1, the Govern function will reveal gaps immediately. The most common deficiencies we see in assessments: no documented risk appetite statement, security roles that are informally understood but not formally defined, policy libraries that exist but haven't been reviewed in 2+ years, and no structured process for board or senior leadership oversight of cybersecurity risk.

The Fastest Path to Govern Implementation

Start with GV.RR — Roles and Responsibilities. This is the foundational category that enables everything else. Before you can establish risk appetite (GV.RM) or oversight processes (GV.OV), you need documented clarity on who owns the cybersecurity risk management function, who is accountable to the board, and how security decisions get made. A RACI matrix mapped to CSF Govern categories is a practical first deliverable that many organizations can produce within 2-4 weeks.
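One way to make that first RACI deliverable checkable rather than just a spreadsheet is to encode it and validate the two rules a RACI matrix is supposed to satisfy: exactly one Accountable owner per Govern category, and at least one Responsible role. The script below is an added illustration, not code from the author or from Symosis ARC; the roles and assignments in SAMPLE_RACI are constructed for the example, and the GV.OV row is deliberately left without an Accountable owner to show what a gap report looks like.

```python
from collections import Counter

# The six categories of the CSF 2.0 Govern function, as listed on the page.
GOVERN_CATEGORIES = ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"]

VALID_CODES = {"R", "A", "C", "I"}

# Constructed sample matrix: role -> RACI code, per Govern category.
# Roles and assignments are hypothetical; GV.OV intentionally lacks an "A".
SAMPLE_RACI = {
    "GV.OC": {"CISO": "R", "CEO": "A", "Risk Committee": "C", "Legal": "I"},
    "GV.RM": {"CISO": "R", "Board": "A", "CFO": "C"},
    "GV.RR": {"CISO": "R", "CEO": "A", "HR": "C"},
    "GV.PO": {"Security Team": "R", "CISO": "A", "Legal": "C", "All Staff": "I"},
    "GV.OV": {"CISO": "R", "Board": "I"},
    "GV.SC": {"Procurement": "R", "Vendor Management": "R", "CISO": "A"},
}


def raci_gaps(matrix, categories=GOVERN_CATEGORIES):
    """Return a list of human-readable gap findings for a RACI matrix.

    Rules checked per category:
      * the category must appear in the matrix with at least one role,
      * exactly one role must be Accountable ("A"),
      * at least one role must be Responsible ("R"),
      * every code must be one of R, A, C, I.
    """
    issues = []
    for cat in categories:
        row = matrix.get(cat)
        if not row:
            issues.append(f"{cat}: no roles assigned")
            continue

        unknown = sorted(role for role, code in row.items() if code not in VALID_CODES)
        for role in unknown:
            issues.append(f"{cat}: invalid code {row[role]!r} for role {role!r}")

        counts = Counter(row.values())
        if counts["A"] == 0:
            issues.append(f"{cat}: no Accountable owner")
        elif counts["A"] > 1:
            issues.append(f"{cat}: {counts['A']} Accountable owners (should be exactly one)")
        if counts["R"] == 0:
            issues.append(f"{cat}: no Responsible role")
    return issues


def accountable_owners(matrix, categories=GOVERN_CATEGORIES):
    """Map each category to the role(s) marked Accountable (empty list = gap)."""
    return {
        cat: [role for role, code in matrix.get(cat, {}).items() if code == "A"]
        for cat in categories
    }


if __name__ == "__main__":
    for cat, owners in accountable_owners(SAMPLE_RACI).items():
        print(f"{cat}: accountable -> {', '.join(owners) or '(none)'}")
    print()
    for finding in raci_gaps(SAMPLE_RACI) or ["no RACI gaps"]:
        print("GAP:", finding)
```

Running the script lists the Accountable owner for each Govern category and then prints the single finding for the constructed matrix (GV.OV has no Accountable owner). Swapping in your own matrix, or extending the category list to the full set of CSF 2.0 subcategories, is the obvious next step once the six category-level rows are clean.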

From there, GV.PO (Policy) is usually the next priority because most organizations have a policy library that needs updating to reflect the Govern requirements rather than starting from scratch.

How ARC Accelerates CSF 2.0 Gap Assessment

Manual gap assessment against NIST CSF 2.0 — including the new Govern function — typically takes 60-120 hours depending on documentation quality. Symosis ARC automates the mapping and gap identification process, reducing this to approximately 1.5 hours for an end-to-end assessment. The platform maps your existing policies and procedures to both CSF 1.1 and 2.0 simultaneously, making the delta analysis straightforward.

If you're working through CSF 2.0 implementation or need to assess your gap against the Govern function, reach out to discuss a scoping call.
