What Is the Govern Function?
NIST CSF 2.0 introduced Govern as a brand-new top-level function — the first major structural addition since the framework launched in 2014. Where the original CSF 1.1 scattered governance-related guidance across other functions, CSF 2.0 consolidates it: Govern is now the organizing layer that everything else runs on.
At its core, Govern answers three questions for your organization: What are we trying to protect and why? Who is responsible for what? And what level of risk are we willing to accept? Without explicit answers documented and approved by leadership, every downstream security decision — what to patch first, which vendor to trust, how to respond to an incident — gets made inconsistently.
For SMBs, Govern is often where the most value gets left on the table. It's common to invest in tools like endpoint detection or email filtering while having no documented risk tolerance, no board-level cybersecurity touchpoint, and vendor contracts that are entirely silent on security obligations. The Govern function closes those gaps structurally.
Govern Function Map: Six Categories
Common Govern Gaps in SMBs
Most small and mid-sized businesses have informal security practices but lack the governance scaffolding that makes those practices consistent and defensible. The four gaps we see most often:
- No documented risk appetite: The organization has never stated what level of cyber risk is acceptable, so teams make inconsistent prioritization decisions, or none at all.
- Leadership not engaged: The CEO and board receive no regular cybersecurity reporting. Risk decisions default to IT rather than being owned by the business.
- Vendor contracts lack security clauses: Third-party agreements are negotiated on price and features with no security obligations, breach notification requirements, or audit rights, which is a direct GV.SC gap.
- No annual policy review cycle: A policy was written once (often from a template) and has not been reviewed, updated, or formally approved since. Under GV.PO, policies must reflect the current environment.
Where to Start with Govern
For an SMB beginning its NIST CSF 2.0 journey, Govern is the right starting point precisely because it's foundational. Begin with GV.RR — identify one named person responsible for cybersecurity outcomes — then document a brief risk tolerance statement under GV.RM. These two artifacts unlock progress across all other functions.
Rhodigital's NIST Policy Package includes pre-built Govern templates: risk appetite statements, RACI charts for cybersecurity responsibilities, policy review checklists, and vendor security addenda. You can also read our NIST CSF complete guide for a broader framework walkthrough.