Safeguard
Compliance

What is the NIST Cybersecurity Framework

A breakdown of the NIST Cybersecurity Framework's six functions, its 2024 update, and why GV.SC makes it central to software supply chain security.

James
Principal Security Architect
7 min read

The NIST Cybersecurity Framework (CSF) is a voluntary set of standards, guidelines, and best practices published by the National Institute of Standards and Technology to help organizations manage cybersecurity risk. First released in February 2014 under Executive Order 13636, and updated to version 1.1 in April 2018 and version 2.0 on February 26, 2024, the framework is organized around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. It's used by an estimated 50% of U.S. organizations according to NIST's own adoption surveys, and it underpins compliance mandates in finance, healthcare, energy, and federal contracting. For software supply chain security teams specifically, CSF 2.0 introduced explicit supply chain risk management (GV.SC) subcategories, making vendor and dependency risk a first-class governance requirement rather than an afterthought.

What Is the NIST Cybersecurity Framework, Exactly?

The NIST CSF is a risk-based framework, not a checklist of technical controls, that gives organizations a common vocabulary for describing their current and target cybersecurity posture. It was originally built for U.S. critical infrastructure operators — power grids, water systems, financial exchanges — following Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," signed by President Obama in February 2013. NIST published the first version a year later, in February 2014, and it has since been adopted well beyond critical infrastructure: healthcare systems mapping to HIPAA, SaaS vendors responding to enterprise security questionnaires, and startups using it as a maturity roadmap before their first SOC 2 audit. Unlike ISO 27001, the CSF is free, publicly available at nvlpubs.nist.gov, and doesn't require a paid certification body — organizations self-assess or hire a third party to benchmark them against it.

What Changed Between CSF 1.1 and CSF 2.0?

The biggest change in CSF 2.0 is the addition of a sixth function, Govern, which elevates cybersecurity risk management to a board-level and enterprise-risk-management concern rather than a purely technical one. Released February 26, 2024 — the first full revision in six years — CSF 2.0 also broadened its scope beyond critical infrastructure to "organizations of any size, sector, or type," and added a formal Organizational Profile mechanism so companies can document current-state versus target-state maturity side by side. Most relevant to software vendors and their customers: the new Govern function includes GV.SC (Supply Chain Risk Management), a category with 10 subcategories covering supplier assessment, contractual cybersecurity requirements, and integration of supply chain risk into enterprise risk management. NIST also shipped CSF 2.0 with searchable "Informative References" that map each subcategory to specific controls in SP 800-53, ISO 27001:2022, and the CIS Controls v8.

What Are the Six Functions of the NIST CSF?

The six functions are Govern, Identify, Protect, Detect, Respond, and Recover, each broken into categories and subcategories that total 106 outcome statements in version 2.0. Identify (ID) covers asset inventory and risk assessment — for a software company, this means knowing every repository, container image, and third-party dependency in production. Protect (PR) covers access control, data security, and platform hardening. Detect (DE) covers continuous monitoring and anomaly detection, typically satisfied with SIEM, EDR, and vulnerability scanning tooling. Respond (RS) and Recover (RC) cover incident handling and resilience, including the 72-hour breach notification timelines many organizations now face under SEC cybersecurity disclosure rules effective December 2023. Govern (GV), the newest function, ties all five together with policy, roles, and — critically for supply chain security — the GV.SC subcategories that require organizations to know and manage risk from suppliers and open-source components.

Is the NIST Cybersecurity Framework Mandatory?

The CSF itself is voluntary for private-sector organizations, but it becomes mandatory by reference inside binding regulations and contracts. Federal agencies have been required to use the CSF since Executive Order 13800 in May 2017, and defense contractors handling controlled unclassified information must comply with NIST SP 800-171 and the CSF-aligned Cybersecurity Maturity Model Certification (CMMC), with CMMC 2.0 rulemaking finalized in October 2024. Several states, including New York for its financial services entities under 23 NYCRR 500, explicitly reference the CSF in their cybersecurity regulations. Cyber insurance underwriters also increasingly ask applicants to self-score against CSF functions before issuing or renewing policies. In practice, a company that can show a completed CSF Organizational Profile shortens due-diligence cycles with enterprise customers, regulators, and insurers alike — even when no specific law forces adoption.

How Does the NIST CSF Connect to Software Supply Chain Security?

The CSF connects to software supply chain security primarily through the Govern function's GV.SC category and its cross-references to NIST SP 800-161 Rev. 1, the Cybersecurity Supply Chain Risk Management Practices guide NIST finalized in May 2022. GV.SC.07 specifically requires organizations to monitor suppliers, products, and services for cybersecurity risk throughout the relationship — in practice, this means tracking known-vulnerable dependencies (like the Log4Shell vulnerability, CVE-2021-44228, which affected an estimated 35,000 Java packages), maintaining a software bill of materials (SBOM), and verifying that build pipelines haven't been tampered with, the failure mode behind the 2020 SolarWinds Orion compromise that affected roughly 18,000 customers. NIST's companion Secure Software Development Framework (SSDF, SP 800-218, published February 2022) operationalizes these CSF supply chain expectations into concrete engineering practices, and Executive Order 14028 (May 2021) requires federal software vendors to attest to SSDF compliance — making CSF-aligned supply chain governance a de facto procurement requirement for anyone selling software to the U.S. government.

What's the Difference Between the CSF and the NIST SSDF?

The CSF is a broad, organization-wide risk management framework, while the SSDF (SP 800-218) is a narrow, engineering-focused set of practices for building software securely. The CSF asks "does this organization govern cybersecurity risk well," covering HR security, physical access, and incident response alongside technical controls, across 106 subcategories in version 2.0. The SSDF asks "was this specific software built securely," with four practice groups — Prepare the Organization, Protect the Software, Produce Well-Secured Software, and Respond to Vulnerabilities — totaling around 42 practices focused on things like verifying third-party components, running static and dynamic analysis, and maintaining provenance records. A company typically maps its SSDF implementation up into the CSF's GV.SC and PR.PS (Platform Security) categories to show auditors that secure development practices trace back to board-level governance. Many federal RFPs now require both: an SSDF attestation for the software itself and a CSF-based questionnaire for the vendor's overall security program.

How Safeguard Helps

Safeguard maps directly onto the CSF's Identify and Govern functions by generating and ingesting SBOMs across your entire codebase, giving you the continuous component inventory that GV.SC.07 and SP 800-161 both require. Griffin AI, Safeguard's reasoning engine, performs reachability analysis to distinguish vulnerable dependencies that are actually exploitable in your running application from the noise of transitive packages that never execute — turning a flat CVE list into a risk-prioritized backlog that maps cleanly to a CSF Organizational Profile's target-state goals. When Griffin AI confirms a reachable, high-severity finding, Safeguard opens an auto-fix pull request with the minimal version bump or patch needed, closing the loop from detection to remediation without manual triage. For teams preparing CSF-based vendor questionnaires, CMMC assessments, or SSDF attestations, that combination of SBOM evidence, reachability-scored risk, and auto-remediated fixes turns what used to be a quarterly spreadsheet exercise into a continuously current compliance artifact.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.