What is NIST CSF 2.0 and what changed from version 1.1?

NIST released Cybersecurity Framework 2.0 in February 2024. The headline change is a sixth Function, Govern, added alongside the existing Identify, Protect, Detect, Respond, and Recover. Version 2.0 also broadened the framework's intended audience from critical infrastructure to organizations of every size and sector, and added implementation resources such as Quick Start Guides and Community Profiles aimed at smaller organizations.

What are the six Functions of NIST CSF 2.0?

Govern, Identify, Protect, Detect, Respond, and Recover. Govern covers the organizational decisions that wrap around everything else: roles and responsibilities, policy, risk strategy, and supply chain oversight. Identify is knowing your assets and risks. Protect is the safeguards. Detect is noticing when something is wrong. Respond is acting on it. Recover is restoring normal operations.

Is NIST CSF 2.0 suitable for small local government IT teams?

Yes. Version 2.0 was explicitly broadened to serve organizations of all sizes, and NIST added quick-start guides and community profiles to lower the barrier for small teams. A two-person township IT shop is an intended user, not an afterthought. The framework scales by letting you choose how formal your program needs to be rather than requiring an enterprise-sized program.

What is the difference between a Tier and a Profile in NIST CSF 2.0?

Tiers (Partial, Risk-Informed, Repeatable, Adaptive) describe how rigorous and formalized your cybersecurity risk practices are. They are a deliberate choice, not a grade to maximize. A Profile describes your actual situation: a Current Profile captures where you are today, and a Target Profile captures where you intend to be. The gap between the two is your roadmap and your budget request.

How does a small agency start with NIST CSF 2.0?

Inventory your assets and document your governance basics first, then draft a Current Profile of where you stand against the framework, choose a realistic Target Profile, and fund the highest-priority gaps. A budget-constrained agency can complete a first pass in roughly 90 days, producing the gap list and documentation that auditors and cyber-insurance carriers ask for.

Does NIST CSF 2.0 help with cyber insurance and audits?

Yes. Cyber-insurance carriers increasingly reference recognized cybersecurity frameworks on renewal questionnaires, and public-sector auditors expect documented risk management. Aligning to NIST CSF 2.0 produces exactly the artifacts they ask for: an asset inventory, a documented risk posture, a gap list, and a roadmap. The framework is widely accepted, so the documentation translates across insurers and audit programs.

A public-sector IT manager mapping security controls onto a printed NIST Cybersecurity Framework chart with sticky notes in a county government operations room.

Cybersecurity / Compliance

NIST CSF 2.0 for Public Sector IT: A Local Government Implementation Guide

What changed in 2.0, the six Functions in plain English, Tiers and Profiles without the jargon, and a 90-day starting path a budget-constrained agency can actually run.

By William Bradshaw | June 8, 2026 | 9 min read

Your cyber-insurance renewal, your next audit, and a growing list of state and grant expectations all point at the same thing: adopt a recognized cybersecurity framework and be able to show your work. For most public-sector IT teams, county offices, townships, fire and EMS districts, school districts, and small state agencies, the NIST Cybersecurity Framework is that recognized framework. The 2.0 release made it more approachable, not less.

This guide does not sell you a tool. NIST CSF 2.0 is vendor-neutral by design, and so is this walkthrough. The goal is to explain what changed in version 2.0, what the six Functions actually mean for an organization that answers to elected officials and auditors, how Tiers and Profiles turn the framework into a budget request, and what the first 90 days look like for a team that does not have an enterprise security department.

If you want the broader view of how scan findings map across several frameworks at once, start with our SMB compliance mapping guide. This article goes deep on one framework, the one most public-sector teams are being asked for by name.

What Changed in CSF 2.0

NIST released Cybersecurity Framework 2.0 in February 2024, the first major revision since 1.1 landed in 2018. Three changes matter for a public-sector reader.

First, and biggest, version 2.0 added a sixth Function: Govern. The framework used to have five Functions (Identify, Protect, Detect, Respond, Recover). Govern now sits alongside them and wraps around the rest. It formalizes the organizational decisions, roles, policy, risk appetite, oversight, and supply chain management, that a township board or an agency director already makes and answers for. For government, this is the most natural addition the framework could have made, because government already runs on documented authority and accountability.

Second, version 2.0 widened the intended audience. CSF 1.0 was written with critical infrastructure in mind. CSF 2.0 is explicitly for organizations of every size and sector. A two-person township IT team and a county with a single shared sysadmin are intended users, not exceptions to be scaled down from an enterprise template.

Third, NIST shipped implementation resources to lower the barrier: Quick Start Guides for specific audiences (including small organizations), Community Profiles that let a sector share a common baseline, a reference tool for browsing the framework, and Informative References that map CSF to other standards. You do not have to interpret the framework from first principles. The on-ramps are part of the release.

The Six Functions in Plain English

The framework Core is organized into six Functions, each broken into Categories and Subcategories. You do not need the full taxonomy to start. You need to understand what each Function is asking, in plain language, with a public-sector example.

Govern (new in 2.0)

Who is accountable, what the policy says, and how cybersecurity risk fits the organization's broader risk decisions. Example: the township trustees formally assign IT security oversight, approve an acceptable-use policy, and decide how much risk the township will carry on aging systems. Govern is the Function auditors most want documented.

Identify

Know what you have and what could go wrong with it: assets, data, systems, and the risks to each. Example: a current inventory of servers, workstations, network gear, and the line-of-business and records systems the agency depends on, plus the known weaknesses in each.

Protect

The safeguards that reduce the chance and impact of an incident: access control, multi-factor authentication, patching, backups, encryption, and training. Example: MFA on email and remote access, a documented patch cadence, and an annual security-awareness program for staff.

Detect

Noticing that something is wrong, ideally before a citizen or a reporter does. Example: endpoint protection that alerts on suspicious activity, log review, and a way for staff to report a suspected phishing email and have it looked at.

Respond

What you do when an incident is confirmed: contain it, communicate, and follow a plan rather than improvising. Example: a one-page incident response plan that names who to call, how to isolate an affected system, and when to notify leadership, counsel, and the cyber-insurance carrier.

Recover

Restoring normal operations and learning from the event. Example: tested backups that can actually bring records and 911 or dispatch-adjacent systems back, plus a short after-action review that feeds improvements back into Govern and Protect.

The human side of Protect and Detect deserves its own attention. Our articles on why your employees are your biggest security risk and what a phishing simulation actually reveals cover the staff-facing controls that most public-sector incidents hinge on.

Tiers and Profiles (Where the Framework Becomes a Budget Request)

Two concepts trip people up, and both are simpler than they sound. Tiers describe rigor. Profiles describe position.

The four Tiers (Partial, Risk-Informed, Repeatable, and Adaptive) describe how formal and consistent your cybersecurity risk practices are. Tier 1 Partial is ad hoc and reactive. Tier 4 Adaptive is a mature program that adjusts in real time. The common mistake is treating Tiers as a grade to maximize. They are not. A small agency does not need to reach Adaptive any more than it needs an enterprise SOC. The right Tier is a deliberate choice that matches your risk, your obligations, and your budget. For many local-government teams, moving from Partial to a solid Risk-Informed posture is the realistic and defensible goal.

Profiles are where the framework earns its keep. A Current Profile is an honest snapshot of where you stand against the framework today. A Target Profile is where you intend to be, given your risks and resources. The gap between the two is, quite literally, your roadmap. It is also the single most useful artifact you can hand to a board or a fiscal officer, because it converts "we should do more on cybersecurity" into a prioritized, framework-anchored list of specific gaps with specific costs.

That is the reframe worth keeping: NIST CSF 2.0 is not a test you pass. It is a structured way to know where you are, decide where you need to be, and fund the distance in between. The compliance-mapping perspective in our compliance framework mapping guide shows how the same gap list also answers CIS, PCI-DSS, and SOC 2 questions at the same time.

You Already Generate Most of the Evidence

The most common reason public-sector teams stall on a framework is the belief that it requires buying a platform first. It does not. The framework organizes evidence you are already producing, or should be, in the normal course of running IT.

An asset inventory feeds Identify. A vulnerability scan feeds Identify and Protect by surfacing the weaknesses you then prioritize. Patch records show the Protect Function in action. Backup and restore tests are direct evidence for Recover. Endpoint alerts and log review support Detect. Even an end-of-life operating system, the kind we walk through in the Windows Server EOL decision guide, is simply a concrete Identify finding that drives a Protect decision.

The work, then, is mostly mapping and governance, not procurement. Take the artifacts you have, line them up against the six Functions, write down where the coverage is thin, and document who owns each decision. That mapping exercise is the Current Profile, and it is achievable without a new line item in many cases. Where a genuine gap needs funding, you now have a framework-anchored justification for it.

A 90-Day Starting Path for a Small Agency

You do not adopt the whole framework at once. A budget-constrained team can complete a credible first pass in about 90 days and come out with a Current Profile, a Target Profile, and a funded gap list.

Days 1-30

Inventory and Govern

Build or refresh the asset inventory (Identify) and document the governance basics (Govern): who owns IT security, what policies exist, and how risk decisions get made. Pull together what you already have, scans, patch logs, backup test results, so the evidence is in one place.

Days 31-60

Draft the Current Profile and pick a Target

Map your evidence to the six Functions and write down where coverage is thin. That is the Current Profile. Then choose a realistic Target Profile and Tier, not Adaptive for its own sake, but the posture that matches your risk and obligations. The difference between the two is your prioritized gap list.

Days 61-90

Fund and execute the top gaps

Cost the highest-priority gaps, take them to the board or fiscal officer as a framework-anchored request, and start the quick wins that need no budget (MFA coverage, a one-page incident response plan, a backup restore test). Keep the documentation current as each gap closes, because that record is what the auditor and the insurer will ask to see.

Why the Budget Cycle Makes This Timely

For Ohio local government, the fiscal year ends June 30. That makes early summer the moment when remaining funds get committed and next year's priorities get shaped. A NIST CSF 2.0 gap assessment is one of the cleaner cybersecurity line items to fund in that window, because it is framework-anchored, modest in cost relative to a breach, and it produces the documentation that auditors and cyber-insurance carriers ask for regardless of what you do next.

The assessment is also a forcing function in the good sense: it turns a vague "we should improve security" into a specific, prioritized, costed plan that survives staff turnover and budget scrutiny. Whether you run the gap assessment in-house or bring in outside help, doing it before the year closes means the next budget conversation starts from a roadmap instead of a blank page.

Want a Framework-Anchored Gap Assessment?

Bullium works with Ohio agencies, townships, fire districts, and school districts to run NIST CSF 2.0 gap assessments scoped to a public-sector budget. We inventory your environment, draft your Current and Target Profiles, and hand you a prioritized, costed gap list your board and your auditor can both use. No commitment to engage further.

Request a Gap Assessment → vCIO Practice

NIST CSF 2.0 for Public Sector IT: A Local Government Implementation Guide

What Changed in CSF 2.0

The Six Functions in Plain English

Tiers and Profiles (Where the Framework Becomes a Budget Request)

You Already Generate Most of the Evidence

A 90-Day Starting Path for a Small Agency

Why the Budget Cycle Makes This Timely

Want a Framework-Anchored Gap Assessment?

Related Reading

SMB Compliance Mapping Guide

How to Run a Vulnerability Scan

Your Employees Are Your Biggest Security Risk

Windows Server 2016 EOL Decision Guide

Related Services

Security Consulting

vCIO Engagement

Managed IT Services

Business Continuity