RiskWatch
NIST CSF 2.0 · Govern function included

NIST CSF 2.0, Govern function on day one.

CSF 2.0 added the Govern function in February 2024, and most teams still describe their program in 5 functions to the board. All 6 functions, 22 categories, 106 subcategories, with the Govern deep-dive, 1.1 → 2.0 transition mapper, Tier 1-4 maturity ladder, and the board-translation outputs that make Govern coherent to non-technical leadership.

  • Govern function (NEW v2.0), all 6 categories with board-translated outputs
  • 1.1 → 2.0 transition mapper, carry forward existing scoring
  • Tier 1-4 maturity per function (Partial → Adaptive)
  • 106 subcategories with NIST Implementation Examples
No credit card · CSF 2.0 + 1.1 transition mapping ships day 1
[Product dashboard mockup: app.riskwatch.com / nist-csf · Live · 6 functions · CSF 2.0 maturity, portfolio view. Panels: overall score (0/100, change vs Q3), per-function tier and coverage (Govern (NEW) T2 · 64%, Identify T3 · 84%, Protect T3 · 78%, Detect T3 · 82%), subcategories scored (0/106), Tier 3 functions (0/6), net-new in 2.0 (0 subcats), cross-mapped (0 frameworks). "Top open subcategories · by maturity tier gap": GV.SC-04 Suppliers known + prioritized; GV.OC-03 Legal + regulatory requirements; PR.AA-05 Access management hygiene; DE.CM-09 Computing hardware monitoring; RC.RP-03 Recovery integrity verification (age 0d each; placeholder values).]
What it is

What is NIST CSF compliance software?

RiskWatch is NIST CSF compliance software built around CSF 2.0, in which Govern isn't an add-on but the load-bearing wall. It ships GV.OC, GV.RM, GV.RR, GV.PO, GV.OV and GV.SC as first-class categories with board-translation examples per section, maps the CSF 1.1 → 2.0 carry-forward per function, and shows where your maturity actually is versus where the board thinks it is on the four-tier ladder. Aligned to the NIST Cybersecurity Framework 2.0: all 6 functions, 22 categories, 106 subcategories.

Why teams move to RiskWatch

Govern is the new function. Most CISOs are still explaining 5 to the board.

The CSF 2.0 transition isn't a tooling problem, it's an organizational-translation problem. Govern is cross-functional by design (legal + compliance + ops + IT). The pain isn't implementing the controls; it's explaining them to leadership in ways that make sense.

Pain #1

Govern is new. Your CISO already explains 5 functions to the board.

CSF 2.0 placed Govern at the top of the model deliberately: risk strategy, expectations, oversight and supply-chain risk all sit there. Yet most executives have never seen the framework, so a category code like GV.SC means nothing in the boardroom. RiskWatch provides board-translation views per Govern category: risk strategy in business terms, oversight metrics with trend lines, and supply-chain risk expressed as dollar exposure. The CISO presentation writes itself.

Pain #2

CSF 1.1 maps you got. CSF 2.0 maps need work.

Transitioning from 1.1 to 2.0 means re-mapping existing practices to new outcomes, and translating progress in ways non-security stakeholders understand. Per-function transition mapper: every subcategory you've already scored carries through. Where 2.0 added new outcomes (especially in Govern), you see the deltas with no re-baselining.

Pain #3

Cross-functional collaboration is the hidden CSF 2.0 requirement.

Govern needs legal (regulatory). Identify needs ops (asset inventory). Detect needs the SOC. Respond needs IR. The framework assumes cross-functional input that most orgs don't have governance for. Per-function ownership matrix with role-based assignments to legal, compliance, ops, IT, security, the org chart that the CSF 2.0 implementation actually requires.

Govern function · NEW in 2.0

The function that finally makes the board care.

Many CSF 1.1 implementations stalled at Tier 2 because governance had no structured home in the framework. CSF 2.0 places Govern at the top of the model deliberately: it's where risk strategy, organizational context, oversight, and supply-chain risk live. RiskWatch ships with all 6 Govern categories pre-loaded plus the board-translation views that turn cybersecurity outcomes into business language.

When the board asks “what's our cybersecurity strategy?” you have an answer in business terms, not a control list. When the audit committee asks “how do you oversee third-party risk?” GV.SC outputs answer it. The Govern function exists to bridge cyber and the rest of the org; the platform makes that bridge usable.

See the Govern function in action
Govern function · NEW in CSF 2.0
6 categories. Board-translated. Not just IT.

  • GV.OC · Organizational Context: mission, stakeholders, legal/regulatory requirements, threats and opportunities.
    Board says: "Our mission is X; cybersecurity priorities Y and Z support it."
  • GV.RM · Risk Management Strategy: risk objectives, appetite, tolerance, integrated with enterprise risk.
    Board says: "Our cyber risk appetite is moderate; we accept up to $5M residual exposure on Tier-2 risks."
  • GV.RR · Roles & Responsibilities: cybersecurity roles, authorities, accountabilities, defined and communicated.
    Board says: "CISO accountable; CRO informed; CFO consulted on budget."
  • GV.PO · Policy: cybersecurity policy established, communicated, enforced.
    Board says: "Acceptable use, access management, incident response, 12 policies, board-reviewed annually."
  • GV.OV · Oversight: cybersecurity strategy outcomes reviewed by leadership; metrics translated to business terms.
    Board says: "Q4 oversight metrics: 94% control coverage, 12-day mean time to remediate, 0 material incidents."
  • GV.SC · Supply Chain Risk Management: supplier inventory, prioritization, contract clauses, monitoring.
    Board says: "47 Tier-1 suppliers; 6 high-risk; SOC 2 reports collected on 100%."
All 6 Govern categories → Board-ready outputs, not control lists
CSF 1.1 → 2.0 transition · per function
Carry forward what works. Score only what's new.
  • GV · Govern · 31 subcategories in 2.0, all net-new · Entirely new function in 2.0
  • ID · Identify · 21 subcategories in 2.0 · Reorganized (ID.BE, ID.GV, ID.RM and ID.SC moved into Govern); ID.IM (Improvement) added
  • PR · Protect · 22 subcategories in 2.0 · PR.IR (Technology Infrastructure Resilience) consolidates resilience outcomes
  • DE · Detect · 11 subcategories in 2.0 · DE.AE renamed to Adverse Event Analysis; subcategories refined
  • RS · Respond · 13 subcategories in 2.0 · RS.MA (Incident Management) added
  • RC · Recover · 8 subcategories in 2.0 · RC.CO refined for stakeholder communication
1.1 scoring carries forward · Score only the subcategories the mapper flags as net-new
CSF 1.1 → 2.0 transition

Carry forward what works. Score only the net-new subcategories.

CSF 2.0 didn't throw out 1.1, it expanded it. Identify, Protect, Detect, Respond, and Recover all carry forward most of their subcategories, though several 1.1 outcomes were merged or moved (the governance-flavoured Identify categories ID.BE, ID.GV, ID.RM and ID.SC now live under Govern). Govern is entirely new as a function: 31 net-new subcategories. The transition mapper visualizes which existing scoring carries through and which subcategories are net-new work, so you don't re-baseline, you only score the additions.

  • Govern, 31 net-new subcategories, entirely new function in 2.0
  • Identify + Protect, carry forward most existing scoring; modest expansions in ID.IM and PR.IR
  • Detect + Respond + Recover, minor refinements, most 1.1 subcategories transfer 1:1
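The carry-forward logic above is easy to get subtly wrong when several 1.1 outcomes merge into one 2.0 outcome, or when a scored 1.1 outcome has no 2.0 home. The following is an added illustration written for this page, not RiskWatch's own code. The crosswalk and the 1.1 scores in it are a constructed sample of a few subcategory pairs, not NIST's full informative mapping; for real work export the official mapping from the NIST CSF 2.0 Reference Tool.

```python
"""Added example: a minimal CSF 1.1 -> 2.0 carry-forward mapper.

Illustrative code written for this page, not RiskWatch's implementation.
CROSSWALK_11_TO_20 is a constructed sample of a few subcategory pairs,
not NIST's complete informative mapping.
"""
from collections import defaultdict

# Constructed sample crosswalk: 1.1 subcategory -> 2.0 subcategory.
# Several 1.1 outcomes can land on one 2.0 outcome (many-to-one).
# None marks a 1.1 outcome this program chose not to carry (constructed case).
CROSSWALK_11_TO_20 = {
    "ID.AM-1": "ID.AM-01",
    "ID.AM-2": "ID.AM-02",
    "ID.AM-6": "GV.RR-02",   # 1.1 roles outcome moved under Govern
    "ID.BE-3": "GV.OC-01",   # 1.1 business-environment outcome moved under Govern
    "PR.AC-1": "PR.AA-01",
    "PR.AC-4": "PR.AA-05",   # two 1.1 access outcomes merge into PR.AA-05
    "PR.AC-6": "PR.AA-05",
    "DE.CM-1": "DE.CM-01",
    "DE.DP-1": None,         # constructed: not carried forward
    "RS.RP-1": "RS.MA-01",
    "RC.RP-1": "RC.RP-01",
}

# Constructed subset of 2.0 subcategories in scope for this example
# (real identifiers, but only a handful of the 106).
CSF20_SUBCATEGORIES = [
    "GV.OC-01", "GV.RR-02", "GV.SC-04",
    "ID.AM-01", "ID.AM-02",
    "PR.AA-01", "PR.AA-05",
    "DE.CM-01", "DE.CM-09",
    "RS.MA-01",
    "RC.RP-01", "RC.RP-03",
]

# Constructed 1.1 assessment scores (0-100 per subcategory).
SAMPLE_SCORES_11 = {
    "ID.AM-1": 80, "ID.AM-2": 70, "ID.BE-3": 75,
    "PR.AC-4": 90, "PR.AC-6": 60,
    "DE.CM-1": 85, "DE.DP-1": 50,
}


def function_of(subcategory):
    """'GV.SC-04' -> 'GV'."""
    return subcategory.split(".")[0]


def carry_forward(scores_11, crosswalk=CROSSWALK_11_TO_20, targets=CSF20_SUBCATEGORIES):
    """Map 1.1 scores onto 2.0 subcategories.

    Returns (scores_20, net_new, orphaned):
      scores_20 - 2.0 subcategory -> carried score. When several 1.1 outcomes
                  merge into one 2.0 outcome the LOWEST score is kept, so a
                  merge can never inflate maturity.
      net_new   - 2.0 subcategories with no carried score: score from scratch.
      orphaned  - scored 1.1 subcategories with no 2.0 target (unmapped or
                  mapped to None): evidence to retire, not to silently drop.
    """
    candidates = defaultdict(list)
    orphaned = []
    for sub11, score in scores_11.items():
        if not 0 <= score <= 100:
            raise ValueError(f"{sub11}: score {score} outside 0-100")
        target = crosswalk.get(sub11)
        if target is None:
            orphaned.append(sub11)
            continue
        candidates[target].append(score)
    scores_20 = {t: min(v) for t, v in candidates.items() if t in targets}
    net_new = [t for t in targets if t not in scores_20]
    return scores_20, net_new, sorted(orphaned)


def transition_summary(scores_20, net_new):
    """Per-function carried vs net-new counts, the shape of the transition table."""
    summary = defaultdict(lambda: {"carried": 0, "net_new": 0})
    for sub in scores_20:
        summary[function_of(sub)]["carried"] += 1
    for sub in net_new:
        summary[function_of(sub)]["net_new"] += 1
    return dict(summary)


if __name__ == "__main__":
    carried, new, dropped = carry_forward(SAMPLE_SCORES_11)
    for func, counts in sorted(transition_summary(carried, new).items()):
        print(f"{func}: {counts['carried']} carried, {counts['net_new']} net-new")
    print("orphaned 1.1 evidence:", dropped)
```

Taking the minimum on a merge is the conservative choice: with the sample data PR.AA-05 inherits 60, not 90, because the weaker of the two merged 1.1 access outcomes is the one an assessor would have to defend. The orphaned list matters for audit trail; a 1.1 score that vanishes without a recorded reason is the kind of gap that surfaces in the next external assessment.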
Implementation Tiers · 1 → 4

Tiers aren't maturity levels. They're integration depth.

The most common misunderstanding about CSF Tiers is that they map to CMMI maturity. They don't. Tiers describe how deeply integrated cybersecurity practices are with overall enterprise risk management. Tier 3 (Repeatable) is where most enterprises target; Tier 4 (Adaptive) is the aspiration. RiskWatch tracks tier per function, so Identify can be Tier 3 while Govern is still Tier 2 (typical state during 2.0 transition).

Per-function tier scoring matters because the Govern function's tier translates to how seriously the org takes cyber risk strategy. That's a number boards understand: Tier 2 means cyber is approved at management level; Tier 3 means it's embedded in org policy. The translation becomes a board metric, not a controls metric.

CSF Implementation Tiers · 1 → 4
Not maturity levels, risk-management integration depth.

Tier 1 · Partial
  • Risk management informal, ad hoc
  • Limited awareness of cyber risk at org level
  • External info-sharing not consistent
  Typical: small orgs starting their CSF journey

Tier 2 · Risk Informed
  • Risk management approved by management
  • Org-wide cyber priorities defined
  • Info-sharing happens but not formalized
  Typical: most orgs at start of CSF 2.0 transition

Tier 3 · Repeatable
  • Risk management formal + part of org policy
  • Updated based on changes in risk landscape
  • Active info-sharing with peers + suppliers
  Typical: most enterprise targets, defensible posture

Tier 4 · Adaptive
  • Cybersecurity adapts based on lessons learned
  • Predictive indicators inform decisions
  • Continuous improvement embedded in culture
  Typical: aspiration, few orgs sustainably operate here

Most enterprises target Tier 3 · Per-function tier scoring · trend over time
The Govern function gave us the language to brief the board. For the first time, cybersecurity strategy made sense to people who don't do cybersecurity.
AS
Anita S.
CISO · SaaS · 2,400 employees · CSF 2.0 transition Q1 2026
  • Functions covered: 6/6, incl. Govern Tier 3
  • Board-meeting prep: ↓ 65% with GV.OV outputs
  • Time-to-deploy: 3 weeks, 1.1 to 2.0 transition
CSF 2.0 Pack · PDF · 38 pages · All 6 Functions · 106 Subcategories · Govern Deep-dive

NIST CSF 2.0 Maturity Pack

Thirty-eight pages walking all 6 functions, 22 categories, 106 subcategories. Includes Implementation Examples, Tier 1-4 maturity scoring worksheets, the 1.1 → 2.0 transition delta summary, and the Govern function board-translation framework.

  • All 6 functions including Govern
  • Tier 1-4 maturity scoring per function
  • 1.1 → 2.0 transition delta map
  • Board-translation framework for GV.OV
Get the pack

Looking for CSF ↔ ISO 27001 ↔ SOC 2 ↔ NIST 800-53 crosswalk? Find it on the compliance frameworks hub.

FAQ

Common questions, answered up front.

About NIST CSF 2.0, the new Govern function, the 1.1 → 2.0 transition, Tier maturity, and how RiskWatch covers all of them.

What is NIST CSF compliance software?
NIST CSF compliance software is a platform that helps organizations assess, score, and report on their cybersecurity maturity against the NIST Cybersecurity Framework. The current version is CSF 2.0, released in February 2024, which added the Govern function as the 6th function, expanded the intended audience beyond critical infrastructure to all organizations, and added Implementation Examples per subcategory. RiskWatch covers all 6 functions, 22 categories, 106 subcategories, Tier 1-4 maturity tracking, the 1.1 → 2.0 transition mapping, and the board-translation outputs that make Govern coherent to non-technical leadership.
What's new in CSF 2.0?
CSF 2.0 added the Govern function as the 6th function (alongside Identify, Protect, Detect, Respond, Recover), covering Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles & Responsibilities (GV.RR), Policy (GV.PO), Oversight (GV.OV), and Supply Chain Risk Management (GV.SC). It also broadened the framework's audience beyond critical infrastructure to all organizations, refined outcome categories and subcategories, and added Implementation Examples per subcategory. The framework now ships with 22 categories and 106 subcategories total.
What is the Govern function and why does it matter?
Govern is the new function in CSF 2.0 (added February 2024) and sits at the top of the framework deliberately. It covers the strategic and oversight elements that the 5 original functions didn't address explicitly: cybersecurity risk strategy, expectations and policy, organizational context, oversight by leadership, and supply-chain risk management. NIST placed Govern at the top because cybersecurity outcomes don't happen without governance, and many CSF 1.1 implementations stalled at Tier 2 because governance had no structured home in the framework. Implementing Govern requires cross-functional input from legal, compliance, ops, IT, and security.
How does the CSF 1.1 → 2.0 transition work?
All existing CSF 1.1 scoring carries forward to 2.0: the platform maps your previous subcategory scores to their 2.0 equivalents, keeping the lowest score where several 1.1 outcomes merged into one 2.0 outcome. New outcomes (especially in the Govern function, 31 net-new subcategories) are flagged as net-new work with no baseline. You don't re-baseline the work you've done; you only score the additions. The transition mapper visualizes this per function against the 2.0 subcategory counts: Govern 31 (100% net-new), Identify 21, Protect 22, Detect 11, Respond 13, Recover 8.
How do CSF Tiers (1-4) work?
Tiers describe how well-integrated cybersecurity practices are with overall risk management, they're NOT CMMI-style maturity levels (a common misunderstanding). Tier 1 (Partial) means risk management is informal; Tier 2 (Risk Informed) means practices are approved by management but may not be enterprise-wide; Tier 3 (Repeatable) means risk management is formally part of org policy and updated based on changes; Tier 4 (Adaptive) means cybersecurity adapts based on lessons learned and predictive indicators. Most enterprises target Tier 3 across all 6 functions; Tier 4 is the aspiration.
Does the platform support cross-framework mapping?
Yes, but cross-framework mappings (CSF ↔ ISO 27001, CSF ↔ SOC 2, CSF ↔ NIST 800-53, CSF ↔ CIS v8) live on the /compliance-frameworks/ hub rather than this page. Score CSF once on this page, then visit the hub for the multi-framework crosswalks and the cross-framework decision tree.
Is there a free trial?
Yes. The 30-day free trial requires no credit card and includes full access, every CSF 2.0 function, all 106 subcategories, Implementation Examples, Tier 1-4 maturity tracking, the 1.1 → 2.0 transition mapper, and the Govern function deep-dive. You can run a real CSF maturity assessment against your own organization and decide before purchasing.
Ready for CSF 2.0?

Run your first CSF 2.0 assessment this week.

Start a 30-day free trial, every function including the new Govern, all 106 subcategories, Implementation Examples, Tier maturity tracking, and the 1.1 → 2.0 transition mapper. No credit card required.

No credit card required · 30-day free trial · Cancel anytime

Request a Demo