Compliance · 2026-04-25 · 7 min read

NIST CSF 2.0: Govern Got the Headlines, ID.AM-07 Will Cost You the Audit

NIST released Cybersecurity Framework 2.0 with a new Govern function and expanded scope beyond critical infrastructure. Here's what the update means at the code level.

The Govern function is real, but it is not where developers feel CSF 2.0

NIST Cybersecurity Framework 2.0 is the first major revision since the original 2014 framework. The headline is the new Govern function, and most coverage stops there. For software teams, the load-bearing changes are quieter. Identify gained an explicit software-inventory subcategory (ID.AM-07). Protect tightened around access control and data protection in ways that map directly to known CWEs. Detect now formally includes developer tooling and CI/CD pipelines under monitoring.

The New Govern Function

CSF 2.0 adds GV (Govern) as the sixth function, alongside Identify, Protect, Detect, Respond, and Recover. Govern captures organizational context: risk appetite, roles, policy, and supply chain risk management.

At the software level, Govern translates to:

  • GV.OC-01: Organizational context is established. In practice, your security requirements are documented before code is written, not retrofitted afterwards.
  • GV.SC-06: Supply chain risk is integrated. Your dependency policy is part of your security program, not an afterthought.

Identify: ID.AM-07 Is New and Important

ID.AM-07 is a new subcategory: "Inventories of software, services, and systems that process sensitive information are maintained." This is a formalized requirement for software asset inventory with sensitivity classification.

If you don't know which of your services processes PII, CUI, or PHI, you cannot meet ID.AM-07. And if you can't meet ID.AM-07, you cannot build a credible risk register, which means every downstream control is unsupported.
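One way to make ID.AM-07 concrete is to hold the inventory as data and let a script tell you which records an assessor would reject. The following is an added example, not code from the original post: the record layout, the field names, the choice of PII/CUI/PHI as the sensitive categories and the three sample services are all constructed for illustration. It reports, per service, the classification and ownership gaps the paragraph describes, and notes the Protect evidence (at-rest encryption, TLS) that the risk register will later depend on.

```python
"""Service inventory with sensitivity classification (ID.AM-07).

Added example, not code from the original post. The record layout, the
field names and the three sample services are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Data categories the post names; treating exactly these as sensitive is an
# assumption of this example, not something CSF 2.0 prescribes.
SENSITIVE = {"PII", "CUI", "PHI"}


@dataclass
class Service:
    name: str
    owner: Optional[str]                  # accountable team, or None if unknown
    data_types: set[str] = field(default_factory=set)
    encrypted_at_rest: bool = False       # evidence for PR.DS-01
    tls_in_transit: bool = False          # evidence for PR.DS-02


def inventory_gaps(services: list[Service]) -> dict[str, list[str]]:
    """Return, per service, the inventory conditions it fails.

    Every service needs a data classification. A service that handles any
    sensitive category additionally needs an accountable owner and recorded
    at-rest and in-transit protection, because those are the Protect
    controls the risk register will later point at. An empty list means the
    record is complete.
    """
    gaps: dict[str, list[str]] = {}
    for svc in services:
        problems: list[str] = []
        if not svc.data_types:
            problems.append("no data classification recorded")
        cats = ", ".join(sorted(svc.data_types & SENSITIVE))
        if cats:
            if not svc.owner:
                problems.append(f"handles {cats} but has no accountable owner")
            if not svc.encrypted_at_rest:
                problems.append(f"stores {cats} without at-rest encryption (PR.DS-01)")
            if not svc.tls_in_transit:
                problems.append(f"moves {cats} without TLS (PR.DS-02)")
        gaps[svc.name] = problems
    return gaps


def coverage(services: list[Service]) -> tuple[int, int]:
    """(complete records, total records): the number an assessor will ask for."""
    gaps = inventory_gaps(services)
    return sum(1 for g in gaps.values() if not g), len(services)


# Constructed sample inventory; names and values are illustrative only.
SAMPLE = [
    Service("billing-api", "payments-team", {"PII"}, encrypted_at_rest=True, tls_in_transit=True),
    Service("claims-ingest", None, {"PHI"}, encrypted_at_rest=True, tls_in_transit=False),
    Service("marketing-site", "web-team"),   # never classified: still a gap
]

if __name__ == "__main__":
    for name, problems in inventory_gaps(SAMPLE).items():
        print(name, "OK" if not problems else "; ".join(problems))
    done, total = coverage(SAMPLE)
    print(f"ID.AM-07 inventory complete for {done}/{total} services")
```

The unclassified marketing site is deliberately reported as a gap even though it handles nothing sensitive: ID.AM-07 is a statement about the inventory, so "we never looked" is a finding in its own right, not a pass.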

Protect: PR.DS and the Code Layer

PR.DS-01 (Data-at-rest protection) and PR.DS-02 (Data-in-transit protection) map directly to CWE-311 (Missing Encryption), CWE-319 (Cleartext Transmission), and CWE-312 (Cleartext Storage of Sensitive Information). These are still the most common findings in enterprise application assessments.

PR.AA-05 (Access permissions are managed, incorporating least privilege) maps to CWE-284 and CWE-732. Authorization logic in code is now explicitly within the CSF scope.
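To show what "a finding tagged with its CSF subcategory" looks like in practice, here is an added example (not the post's tooling and not any vendor's rule set) that scans a constructed Python source as text for the CWE patterns the two paragraphs above name, tags each hit with the CSF 2.0 subcategory the post maps it to, and tallies findings by subcategory and by function, the kind of per-function count a coverage report is built from. The regexes are deliberately simple line-level heuristics (a real scanner works on the AST), the route-without-auth check is a review prompt for CWE-284 rather than a proof of it, and the sample source is never executed.

```python
"""Tag code findings with the CSF 2.0 subcategory and CWE they fall under.

Added example; not the post's tooling nor any vendor's rule set. The
patterns are illustrative line-level heuristics, the sample source is
constructed and only scanned as text (never executed), and the CSF-to-CWE
pairings are the ones the post states.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    cwe: str
    csf: str            # CSF 2.0 subcategory; its prefix (PR, DE, ...) is the function
    why: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    line: int
    cwe: str
    csf: str
    why: str


RULES = [
    Rule("CWE-319", "PR.DS-02", "outbound request to a cleartext http:// URL",
         re.compile(r"""(requests|urllib\.request|httpx)\.\w+\(\s*['"]http://""")),
    Rule("CWE-319", "PR.DS-02", "TLS certificate verification disabled",
         re.compile(r"verify\s*=\s*False|ssl\.CERT_NONE")),
    Rule("CWE-312", "PR.DS-01", "sensitive value written to a file in cleartext",
         re.compile(r"\.write\(.*\b(password|ssn|card_number|token)\b")),
    # group or other write bit set in the last two octal digits of the mode
    Rule("CWE-732", "PR.AA-05", "file mode grants write access beyond the owner",
         re.compile(r"chmod\(.*0o[0-7]*[2367][0-7]?\)")),
]

ROUTE = re.compile(r"^\s*@\w+\.route\(")
AUTH_DECORATOR = re.compile(r"^\s*@\w*(login_required|requires_auth|auth_required)")


def unguarded_routes(lines: list[str]) -> list[int]:
    """Line numbers of route decorators whose decorator stack has no auth decorator.

    Heuristic for CWE-284: a handler reachable without any authentication
    check. Intentionally public routes show up too; review them, don't silence them.
    """
    hits = []
    for i, line in enumerate(lines):
        if not ROUTE.match(line):
            continue
        lo = hi = i                     # expand to the contiguous decorator block
        while lo > 0 and lines[lo - 1].lstrip().startswith("@"):
            lo -= 1
        while hi + 1 < len(lines) and lines[hi + 1].lstrip().startswith("@"):
            hi += 1
        if not any(AUTH_DECORATOR.match(l) for l in lines[lo:hi + 1]):
            hits.append(i + 1)
    return hits


def scan(source: str) -> list[Finding]:
    """All findings for one source file, ordered by line."""
    lines = source.splitlines()
    findings = [Finding(i, r.cwe, r.csf, r.why)
                for i, line in enumerate(lines, 1)
                for r in RULES if r.pattern.search(line)]
    findings += [Finding(n, "CWE-284", "PR.AA-05", "route handler without an authentication decorator")
                 for n in unguarded_routes(lines)]
    return sorted(findings, key=lambda f: f.line)


def by_subcategory(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.csf for f in findings))


def by_function(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.csf.split(".")[0] for f in findings))


# Constructed sample; scanned as text only, never imported or run.
SAMPLE_SOURCE = '''\
import os, requests
from flask import Flask
app = Flask(__name__)

@app.route("/export")
def export_report():
    r = requests.get("http://internal.example/report", verify=False)
    with open("/tmp/report.txt", "w") as f:
        f.write(r.json()["token"])
    os.chmod("/tmp/report.txt", 0o666)
    return "ok"

@app.route("/me")
@login_required
def me():
    return "hi"
'''

if __name__ == "__main__":
    found = scan(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f.line:>3}  {f.csf}  {f.cwe}  {f.why}")
    print("by subcategory:", by_subcategory(found), " by function:", by_function(found))
```

The sample deliberately packs one handler with all three Protect gaps: line 7 produces two PR.DS-02 findings (cleartext scheme and disabled verification), line 9 a PR.DS-01 finding, line 10 a PR.AA-05 finding for the world-writable mode, and the undecorated /export route a second PR.AA-05 entry, while the /me route guarded by @login_required is left alone.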

Detect: DE.CM in Code Context

DE.CM-09 (Computing hardware and software are monitored) now explicitly includes developer tooling and CI/CD pipelines. Your pipeline is part of the monitored surface.
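Treating the pipeline as monitored surface means its audit events get detection logic like any other log source. The following added example (not from the post; the JSON-lines schema, event names, field names, branch list and sample records are all constructed for this illustration, and real CI systems emit their own schemas) parses a short pipeline audit log and raises DE.CM-09 alerts for three changes a defender wants to see: a workflow definition changed on a protected branch without a pull request, a deployment secret read by a job on an unprotected branch, and a new runner joining the pool.

```python
"""Detection logic over CI/CD audit events (DE.CM-09).

Added example, not from the post. The JSON-lines format, event names,
fields and sample records are constructed for this illustration; adapt the
field names to whatever your CI system actually emits.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable

PROTECTED_BRANCHES = {"main", "release"}   # assumption for this example


@dataclass(frozen=True)
class Alert:
    rule: str
    csf: str
    actor: str
    detail: str


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue   # a real collector would count and surface these
    return events


def detect(events: list[dict]) -> list[Alert]:
    """Flag pipeline events that change the monitored surface or expose secrets."""
    alerts = []
    for e in events:
        kind = e.get("event")
        actor = e.get("actor", "?")
        if kind == "pipeline.config.modified" and not e.get("via_pull_request", False):
            alerts.append(Alert("pipeline-config-direct-push", "DE.CM-09", actor,
                                f"{e.get('path')} changed on {e.get('branch')} without review"))
        elif kind == "secret.accessed" and e.get("branch") not in PROTECTED_BRANCHES:
            alerts.append(Alert("secret-read-from-unprotected-branch", "DE.CM-09", actor,
                                f"{e.get('secret')} read by a job on {e.get('branch')}"))
        elif kind == "runner.registered":
            alerts.append(Alert("new-runner-registered", "DE.CM-09", actor,
                                f"runner {e.get('runner')} joined the pool"))
    return alerts


def alert_rules(log: str) -> list[str]:
    """Convenience: rule names fired for a raw JSON-lines log, in order."""
    return [a.rule for a in detect(parse_events(log.splitlines()))]


# Constructed sample log: six lines, one of them deliberately malformed.
SAMPLE_LOG = """\
{"ts":"2026-04-25T09:01:00Z","event":"pipeline.config.modified","actor":"alice","branch":"main","path":".github/workflows/build.yml","via_pull_request":true}
{"ts":"2026-04-25T09:02:10Z","event":"pipeline.config.modified","actor":"bob","branch":"main","path":".github/workflows/deploy.yml","via_pull_request":false}
{"ts":"2026-04-25T09:03:00Z","event":"secret.accessed","actor":"ci-bot","branch":"main","secret":"PROD_DEPLOY_KEY"}
{"ts":"2026-04-25T09:04:30Z","event":"secret.accessed","actor":"ci-bot","branch":"feature/try-things","secret":"PROD_DEPLOY_KEY"}
not json at all
{"ts":"2026-04-25T09:05:00Z","event":"runner.registered","actor":"carol","runner":"runner-7"}
"""

if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG.splitlines())):
        print(f"[{a.csf}] {a.rule}: {a.actor}: {a.detail}")
```

Of the five parseable events, the reviewed workflow change by alice and the secret read on main are normal and stay quiet; bob's direct push, the secret read from a feature branch, and carol's new runner each raise one alert.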

How Deva Addresses CSF 2.0

Deva's NIST CSF 2.0 preset maps the framework's code-relevant subcategories to specific CWE rules. Every finding shows which CSF function and subcategory it violates. The gap analysis report shows your current CSF coverage percentage by function, letting you prioritize Protect and Detect gaps before an assessment.

The Govern function requirements (supply chain inventory, risk policy) are addressed through Deva's supply chain scanner, which tracks 27K CVEs, builds a dependency graph with reachability analysis, and exports SBOMs. For framework definitions and acronym expansions see the glossary; for the OWASP-mapping view of the same CWE rules see the OWASP Top 10:2025 page.


Deva Security Team

Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.
