Standards Update March 18, 2026

NIST CSF 2.0: What Changed for Canadian Practitioners

CSF 2.0 added a Govern function and widened its scope. This update includes practical notes for Canadian integrators and consultants.

The NIST Cybersecurity Framework reached version 2.0, published as NIST CSWP 29. The update is the most significant revision since the framework first appeared, and it matters to physical security practitioners because cameras, access control, and alarm systems now live on networks that fall squarely inside a cyber program.

The new Govern function

The headline change is a sixth function. The original framework had five functions: Identify, Protect, Detect, Respond, and Recover. CSF 2.0 adds Govern, which sits across the others. Govern covers how an organization sets risk strategy, assigns roles and responsibilities, manages policy, and oversees the supply chain. It moves governance from an implied background activity to a named, first-class part of the framework. The practical message is that cybersecurity outcomes depend on decisions made at the organizational level, not only on technical controls.

Broader scope

CSF 2.0 also widened its stated audience. The earlier version was framed around critical infrastructure. The new version is written for organizations of all types and sizes, in any sector. NIST signaled this by dropping the critical infrastructure framing from the title and adding implementation resources aimed at smaller organizations. For a security integrator, that means the framework is now a reasonable reference for almost any client, not just utilities and large enterprises.

What it means in Canada

The CSF is a US framework, but it is widely used in Canada as a common language for risk. In Canada the national authority is the Canadian Centre for Cyber Security (the Cyber Centre), which publishes its own guidance and controls catalogue. CSF 2.0 and Cyber Centre material are not in conflict. Practitioners commonly use the CSF functions to structure a conversation and map the work to Cyber Centre baseline controls for the specifics. When advising a Canadian client, lead with the Cyber Centre guidance for authoritative recommendations, and use CSF 2.0 as the organizing structure on top.

Practical steps for integrators and consultants

Treat the gear you install as part of the client’s attack surface. Document who governs the physical security network, which is the Govern function in action. Apply Protect controls to cameras and controllers: change default credentials, segment the device network, patch firmware, and disable unused services. Plan for Detect, Respond, and Recover on those devices the same way you would for IT assets. For Canadian clients, anchor the recommendations to Cyber Centre guidance and present them inside the CSF 2.0 structure so the security program and the IT program speak the same language.

References

  1. The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). National Institute of Standards and Technology · retrieved 2026-06-14
  2. Canadian Centre for Cyber Security. Canadian Centre for Cyber Security · retrieved 2026-06-14