Cybersecurity · April 22, 2026 · GAN-006

NIST Releases Updated Cybersecurity Framework 2.1

NIST CSF 2.1 introduces a GOVERN function enhancement and updated Supply Chain Risk Management subcategories that directly affect federal agency security programs.

The National Institute of Standards and Technology released Cybersecurity Framework 2.1 on April 22, 2026, introducing significant enhancements to the GOVERN function and expanding Supply Chain Risk Management subcategories that federal agencies must incorporate into their security programs.

The most significant change in CSF 2.1 is the elevation of supply chain risk management from a subcategory to a cross-cutting concern with 18 new implementation examples drawn from federal agency case studies.

The GOVERN function now includes explicit requirements for board-level and senior leadership cybersecurity accountability, a provision that directly affects how agencies structure their CISO reporting relationships. Agencies have 12 months to align their governance structures to the updated framework.

NIST also revised the IDENTIFY function to include AI system risk identification as a standard subcategory, acknowledging that AI-enabled systems now constitute a significant portion of federal IT inventory and require dedicated risk identification processes.

Federal agencies using NIST CSF as their primary risk management framework must update their risk assessments and security plans to reflect CSF 2.1 by April 2027. OMB has indicated it will update the FISMA reporting metrics to align with the new framework.

GovAcademy is updating its Risk Management Framework Deep Dive course (GA-015) and Threat Modeling for Public Systems course (GA-035) to incorporate CSF 2.1 requirements. Updated course versions will be available to all enrolled and certified alumni at no additional cost.

The update also affects GovAcademy's Secure Software Supply Chain course (GA-025), which will be expanded with new modules covering CSF 2.1's enhanced SCRM subcategories.