William Tulaba Natick NIST CSF 2.0 Cybersecurity Framework

NIST CSF 2.0 – Govern (GV) 

Understanding the New “Govern” (GV) Function in NIST CSF 2.0

When NIST released the Cybersecurity Framework (CSF) 2.0, one of the most notable changes was the introduction of a sixth core function: Govern (GV).

While the original CSF focused on technical and operational activities (Identify, Protect, Detect, Respond, and Recover), the addition of Govern reflects a growing recognition: cybersecurity is no longer just a technical problem. It is a strategic business risk that demands executive oversight, policy alignment, and accountability across the enterprise.

So what exactly is Govern, and why does it matter?

What is the Govern (GV) Function?

According to csf.tools, the Govern Function is defined as:

“Establishing and monitoring the organization’s cybersecurity risk management strategy, expectations, and policy.”

In essence, Govern sets the rules of the game—defining who’s responsible, how decisions are made, and how cybersecurity aligns with business objectives. It ensures that all security efforts are driven by leadership vision, grounded in policy, and measured by results.

The 6 Categories of Govern (GV) – 31 Controls

Govern is broken into six key categories, each aimed at institutionalizing cybersecurity at the governance level:

    1. GV.OC – Organizational Context (5 controls)
      Understands the internal and external factors—such as mission, stakeholder expectations, legal and regulatory requirements, and dependencies—that shape cybersecurity risk decisions.

    2. GV.RM – Risk Management Strategy (7 controls)
      Develops and communicates the organization’s risk tolerance, appetite, and constraints to guide informed operational risk-taking and prioritization.

    3. GV.RR – Roles, Responsibilities, and Authorities (4 controls)
      Clearly defines and communicates cybersecurity responsibilities and authorities to promote accountability, performance measurement, and continuous improvement.

    4. GV.PO – Policy (2 controls)
      Establishes, communicates, and enforces cybersecurity policy that reflects leadership intent and supports consistent implementation across the organization.

    5. GV.OV – Oversight (3 controls)
      Uses the results of cybersecurity risk management activities and performance metrics to refine and adjust strategies and ensure alignment with organizational objectives.

    6. GV.SC – Cybersecurity Supply Chain Risk Management (10 controls)
      Identifies, manages, monitors, and improves cyber supply chain risk management processes through collaboration with internal and external stakeholders.

Why Governance Matters More Than Ever

Governance is the foundation that translates intention into action. Without it, cybersecurity programs risk becoming reactive, fragmented, or misaligned with business priorities. Govern forces organizations to ask:

  • Do we have clear roles and responsibilities?

  • Are our policies enforceable, up-to-date, and understood?

  • Are cybersecurity risks considered in strategic decisions?

  • Is leadership engaged in oversight and accountability?

As threats evolve and regulatory pressure increases, these questions become not just helpful, but essential.

Getting Started with Govern

For teams adopting NIST CSF 2.0, beginning with the Govern Function offers clarity and direction. Here are a few practical starting points:

  • Review and update cybersecurity policies to reflect current threats and business needs.

  • Define or refine governance roles, especially in cross-functional areas like product security, IT, and compliance.

  • Assess supply chain risk by mapping vendors and evaluating third-party controls.

  • Establish a governance dashboard for leadership visibility, including KPIs, incident trends, and risk posture.

If you’re using maturity assessment tools like SentiCon Security’s CSF Maturity Tool, you’ll find that the Govern Function often reveals gaps in documentation, ownership, and alignment. Addressing these first creates a solid base for progress across the other functions.

Final Thoughts

Govern isn’t just a new function; it’s a paradigm shift. It challenges organizations to elevate cybersecurity from a technical function to a strategic pillar of business resilience. By embracing the Govern Function, security leaders can build programs that are not only defensible but also measurable, sustainable, and boardroom-ready.

In future posts, we’ll explore how to assess maturity across each Govern category and provide examples and questions to guide your policy and governance improvements.

Next up: GV.OC: The circumstances – mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements – surrounding the organization’s cybersecurity risk management decisions are understood
