Mainframe Blog

What Does NIST Cybersecurity Framework v2.0 Mean for the Mainframe?

3 minute read
David Lea

On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) finalized the first major update to its Cybersecurity Framework since its inception in 2014. With the original framework being used internationally and translated into 13 languages, version 2.0 is expected to have a big impact. Those already familiar with the original know it is comprised of five key areas: Identify, Protect, Detect, Respond, and Recover. Version 2.0 now has a sixth function that is applicable to all of the original five pillars: Govern. Throughout this blog, I will refer to Cybersecurity Framework 2.0 as “CSF 2.0.”

NIST v2.0

Figure 1. NIST v2.0

What is the purpose of the Govern function?

Govern will establish and then continue to monitor an organization’s cyber risk management strategy, expectations, and policy.

It is broken down into the following categories:

  • Organizational context
  • Risk management strategy
  • Cybersecurity supply chain risk management
  • Roles, responsibilities, and authorities
  • Policies, processes, and procedures
  • Oversight

Is the Govern addition the only change?

The short answer is “no.” While the five functions stay largely the same, there are other new changes, as follows:

  • Implementation examples: CSF 2.0 now includes examples of how to implement the controls. While it is quite prescriptive, it is not granular. An example here might be the implementation of multi-factor authentication (MFA), but not which MFA factors should be used; that would still be at the discretion of the internal team.
  • Clarity: While the original framework was digestible, it still used technical language. CSF 2.0 simplifies things, which will hopefully help all stakeholders better understand the controls.
  • Govern function: Yes, the Govern function is new, however, a lot of it has come from re-shaping previous controls in the original framework.
  • Updated Respond and Recover functions: Respond and Recover have gone through a big overhaul, with notable changes around communication and testing.
  • Profiles: Profiles and community profiles did exist in CSF1.1, however they now have been re-vamped for CSF 2.0. The community can now provide examples of how CSF 2.0 can be applied to certain use cases such as financial, car manufacturing, etc. NIST also provides templates for organizational profiles, allowing side-by-side comparison for gap analysis.

What do mainframe security teams need to do?

Some good news: If you implemented CSF 1.1, all that hard work will not have been in vain and will map into CSF 2.0. There will be gaps that require some changes to be made, so the first thing to do is a gap analysis. NIST provides a host of resources and help in this area. This gives you an opportunity to bring all stakeholders together and, with the new simplified language, should make the process more streamlined than before. Bolstering the Respond and Recover functions could be possible pain points, however all of this leads to a tighter security posture.


Six years after the introduction of CSF 1.1, we have received a major update from NIST. SCF 2.0 does look quite different from v1.1, but a lot of the work has already been done if you have CSF 1.1 in place. A gap analysis is going to be the first step for any organization. If investment in Respond and Recover is needed, this will not only help you prepare for other regulations, such as the EU’s Digital Operational Resilience Act (DORA), but also improve your organization’s overall security posture. As far as I can see, everybody wins!

The DORA survival guide for mainframe operational resilience

New DORA regulations shine a spotlight on operational resilience. Learn how to fortify your mainframe systems.

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing

Business, Faster than Humanly Possible

BMC works with 86% of the Forbes Global 50 and customers and partners around the world to create their future. With our history of innovation, industry-leading automation, operations, and service management solutions, combined with unmatched flexibility, we help organizations free up time and space to become an Autonomous Digital Enterprise that conquers the opportunities ahead.
Learn more about BMC ›

About the author

David Lea

David Lea is the Senior Product Owner for BMC AMI Security. Having spent seven years in mainframe security consulting he transitioned into his current role and is focused on converting technical knowledge into product enhancements. An advocate for Agile, David is passionate about all things mainframe security and works closely with customers driving modernization into the BMC AMI security portfolio.