NIST Cybersecurity Framework 2.0: Key Changes for Small Business

The first major revision since 2014 adds a governance function, expands scope beyond critical infrastructure, and gives SMBs a clearer on-ramp to structured cybersecurity.

June 24, 2024 · Compliance

NIST released the Cybersecurity Framework (CSF) 2.0 in February 2024, marking the first major overhaul of the framework since its original publication in 2014. While CSF 1.1 was designed primarily for critical infrastructure operators, version 2.0 explicitly broadens its scope to organizations of all sizes and sectors — including the small and mid-sized businesses that make up the majority of IT service provider client bases.

For SMBs, the revision lowers the barrier to adoption. For the MSPs serving them, it creates a common language for scoping security services.

The sixth function: Govern

CSF 1.1 organized cybersecurity activities into five functions: Identify, Protect, Detect, Respond, and Recover. Version 2.0 adds a sixth: Govern.

The Govern function addresses cybersecurity risk management strategy, expectations, and policy at the organizational level. It covers:

For small businesses, the Govern function formalizes something most have been doing informally (if at all): deciding how much cybersecurity risk they're willing to accept, and who's responsible for managing it.

The Govern function makes explicit what CSF 1.1 left implicit: cybersecurity isn't just a technical problem. It's a risk management decision that starts with leadership.

Profiles and tiers: practical tools for SMBs

CSF 2.0 refines the concept of "profiles" — descriptions of an organization's current and target cybersecurity posture. A current profile maps existing practices to CSF categories; a target profile describes the desired state. The gap between them defines the work.

For SMBs working with an MSP, profiles create a structured way to scope services. Instead of selling a generic "cybersecurity package," a provider can assess the client's current profile, define a target profile based on the client's risk tolerance and regulatory requirements, and build a service agreement that closes specific gaps.

NIST also provides "community profiles" — pre-built profiles for specific sectors or use cases. These give SMBs a starting point rather than forcing them to map the entire framework from scratch.

Supply chain risk management gets its own category

CSF 2.0 elevates supply chain risk management from a supplementary topic to a full subcategory under Govern. This has direct implications for IT service providers: your clients' CSF compliance now explicitly includes managing the cybersecurity risk you introduce as a supplier.

Practically, this means clients — or their auditors — may start asking MSPs for:

Providers who can produce this documentation on demand have a competitive advantage. Those who can't will face increasing friction in sales cycles, particularly with clients in regulated industries.

Implementation guidance for smaller organizations

Recognizing that CSF 1.1's complexity deterred many SMBs, NIST 2.0 includes new implementation guides specifically designed for smaller organizations with limited cybersecurity resources. These "quick start guides" provide simplified pathways through the framework, focusing on the highest-impact activities first.

For MSPs, these guides are a sales tool. Walking a prospect through the NIST quick-start assessment identifies gaps that map directly to services. The framework provides the justification; the provider delivers the solution.

What MSPs should do now

Immediate actions