NIST released the Cybersecurity Framework (CSF) 2.0 in February 2024, marking the first major overhaul of the framework since its original publication in 2014. While CSF 1.1 was designed primarily for critical infrastructure operators, version 2.0 explicitly broadens its scope to organizations of all sizes and sectors — including the small and mid-sized businesses that make up the majority of IT service provider client bases.
For SMBs, the revision lowers the barrier to adoption. For the MSPs serving them, it creates a common language for scoping security services.
The sixth function: Govern
CSF 1.1 organized cybersecurity activities into five functions: Identify, Protect, Detect, Respond, and Recover. Version 2.0 adds a sixth: Govern.
The Govern function addresses cybersecurity risk management strategy, expectations, and policy at the organizational level. It covers:
- Organizational context — understanding the business environment, stakeholders, and legal/regulatory requirements that shape cybersecurity needs
- Risk management strategy — defining risk tolerance and the process for making cybersecurity investment decisions
- Roles and responsibilities — assigning accountability for cybersecurity outcomes across the organization
- Policy — establishing and maintaining cybersecurity policies informed by the organization's context and risk strategy
- Oversight — board-level and executive engagement with cybersecurity risk
- Supply chain risk management — managing cybersecurity risk in relationships with suppliers, including IT service providers
For small businesses, the Govern function formalizes something most have been doing informally (if at all): deciding how much cybersecurity risk they're willing to accept, and who's responsible for managing it.
The Govern function makes explicit what CSF 1.1 left implicit: cybersecurity isn't just a technical problem. It's a risk management decision that starts with leadership.
Profiles and tiers: practical tools for SMBs
CSF 2.0 refines the concept of "profiles" — descriptions of an organization's current and target cybersecurity posture. A current profile maps existing practices to CSF categories; a target profile describes the desired state. The gap between them defines the work.
For SMBs working with an MSP, profiles create a structured way to scope services. Instead of selling a generic "cybersecurity package," a provider can assess the client's current profile, define a target profile based on the client's risk tolerance and regulatory requirements, and build a service agreement that closes specific gaps.
NIST also provides "community profiles" — pre-built profiles for specific sectors or use cases. These give SMBs a starting point rather than forcing them to map the entire framework from scratch.
Supply chain risk management gets its own category
CSF 2.0 elevates supply chain risk management from a supplementary topic to a full subcategory under Govern. This has direct implications for IT service providers: your clients' CSF compliance now explicitly includes managing the cybersecurity risk you introduce as a supplier.
Practically, this means clients — or their auditors — may start asking MSPs for:
- Documentation of the MSP's own cybersecurity practices
- Evidence of incident response capabilities
- Contractual commitments around security controls and breach notification
- Proof of compliance with relevant standards (SOC 2, ISO 27001, or CSF profiles)
Providers who can produce this documentation on demand have a competitive advantage. Those who can't will face increasing friction in sales cycles, particularly with clients in regulated industries.
Implementation guidance for smaller organizations
Recognizing that CSF 1.1's complexity deterred many SMBs, NIST 2.0 includes new implementation guides specifically designed for smaller organizations with limited cybersecurity resources. These "quick start guides" provide simplified pathways through the framework, focusing on the highest-impact activities first.
For MSPs, these guides are a sales tool. Walking a prospect through the NIST quick-start assessment identifies gaps that map directly to services. The framework provides the justification; the provider delivers the solution.
What MSPs should do now
Immediate actions
- Learn the Govern function — it's the framework's new foundation and will shape how clients think about cybersecurity investment decisions
- Build CSF 2.0 profiles into your assessment process — current-state and target-state profiles give clients measurable progress and give you a roadmap for expanding services
- Prepare supply chain documentation — your clients will need it for their own Govern compliance, and you'll need it to differentiate from competitors who can't provide it
- Use NIST's SMB quick-start guides as a prospecting tool — they identify gaps that translate into service opportunities