NIST CSF 2.0 and AI Agents: Govern, Identify, Protect, Detect, Respond, Recover
· 6 min read
NIST released Cybersecurity Framework 2.0 in February 2024. The major change from CSF 1.1: a new Govern function was added, making it a six-function framework (GV, ID, PR, DE, RS, RC). The Govern function addresses organizational context, risk management strategy, and cybersecurity supply chain — topics that were scattered across CSF 1.1 but are now first-class functions.
For AI agents, the new Govern function is the most directly relevant addition. It's where organizational accountability for AI systems lives.
NIST CSF is voluntary for most US organizations, but it functions as a de facto standard for:
- Federal contractors and agencies (often required by contract or policy)
- Critical infrastructure operators (energy, water, finance, healthcare)
- Organizations seeking cyber insurance
- Any company using NIST as a security baseline alongside FedRAMP or CMMC