NIST Cybersecurity Framework (CSF 2.0)

---

name: nist-csf description: NIST Cybersecurity Framework (CSF 2.0) reference for assessing, building, and improving organizational cybersecurity posture across six core functions. tags: [compliance, security]

NIST Cybersecurity Framework (CSF 2.0)

Overview

The NIST Cybersecurity Framework 2.0 provides a taxonomy of high-level cybersecurity outcomes that any organization can use to understand, assess, prioritize, and communicate its cybersecurity efforts. Released in February 2024, CSF 2.0 introduces the GOVERN function and expands applicability beyond critical infrastructure to all organization types.

The framework consists of three main components:

• Core -- Six functions with categories and subcategories describing desired outcomes.
• Profiles -- Alignment of the Core with business requirements, risk tolerance, and resources.
• Tiers -- Degree to which cybersecurity risk management is informed by business needs.

When to Use This Skill

• Building a new security program from scratch.
• Performing a cybersecurity maturity assessment.
• Communicating security posture to executives or board members.
• Mapping existing controls to a recognized framework.
• Creating a security roadmap with prioritized improvements.
• Cross-referencing with SOC 2, ISO 27001, or other compliance frameworks.

How It Works

Step 1: Assess Current Profile

Document your organization's current cybersecurity posture by evaluating each function, category, and subcategory. Rate each outcome on a maturity scale (Tier 1-4):

• Tier 1 -- Partial: Ad hoc, reactive practices.
• Tier 2 -- Risk Informed: Awareness exists but not organization-wide.
• Tier 3 -- Repeatable: Formal policies, consistently implemented.
• Tier 4 -- Adaptive: Continuous improvement driven by lessons learned.

Step 2: Define Target Profile

Establish the desired cybersecurity state based on business objectives, regulatory requirements, and risk appetite. Prioritize outcomes that matter most to the organization.

Step 3: Gap Analysis

Compare the current profile against the target profile to identify gaps. Document each gap with its associated risk and effort to remediate.

Step 4: Prioritize Improvements

Rank gaps by risk impact and implementation feasibility. Create a phased roadmap that addresses critical gaps first while building toward the target profile.

Step 5: Implement Controls

Execute the roadmap by deploying technical controls, updating policies, training staff, and establishing monitoring. Track progress against the target profile.

Core Functions and Key Categories

GOVERN (GV) -- New in CSF 2.0

Establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy.

Category	Description
GV.OC	Organizational Context -- mission, stakeholder expectations, legal requirements
GV.RM	Risk Management Strategy -- priorities, constraints, risk tolerance
GV.RR	Roles, Responsibilities, and Authorities
GV.PO	Policy -- established, communicated, enforced
GV.SC	Supply Chain Risk Management
GV.OV	Oversight -- results used to adjust strategy

IDENTIFY (ID)

Understand the organization's assets, risks, and attack surface.

Category	Description
ID.AM	Asset Management -- hardware, software, data, systems inventoried
ID.RA	Risk Assessment -- vulnerabilities, threats, likelihood, impact
ID.IM	Improvement -- lessons learned drive improvements

PROTECT (PR)

Safeguards to manage cybersecurity risks.

Category	Description
PR.AA	Identity Management, Authentication, and Access Control
PR.AT	Awareness and Training
PR.DS	Data Security -- data at rest, in transit, in use
PR.PS	Platform Security -- hardware, software, services managed
PR.IR	Technology Infrastructure Resilience

DETECT (DE)

Find and analyze possible cybersecurity attacks and compromises.

Category	Description
DE.CM	Continuous Monitoring -- networks, systems, assets monitored
DE.AE	Adverse Event Analysis -- anomalies analyzed, events correlated

RESPOND (RS)

Take action regarding a detected cybersecurity incident.

Category	Description
RS.MA	Incident Management -- response executed, triaged
RS.AN	Incident Analysis -- investigation, forensics
RS.CO	Incident Response Reporting and Communication
RS.MI	Incident Mitigation -- containment and eradication

RECOVER (RC)

Restore assets and operations affected by a cybersecurity incident.

Category	Description
RC.RP	Incident Recovery Plan Execution
RC.CO	Incident Recovery Communication

Examples

Example 1: Mapping NIST CSF to a SaaS Startup Security Program

A Series B SaaS startup with 50 engineers needs to formalize its security program for enterprise customers.

Phase 1 -- Foundations (Months 1-3):

• GV.RR: Appoint a security lead, define RACI matrix.
• ID.AM: Deploy asset inventory (cloud resources, endpoints, SaaS tools).
• PR.AA: Enforce MFA across all systems, implement RBAC.
• PR.DS: Enable encryption at rest (AES-256) and in transit (TLS 1.3).

Phase 2 -- Detection (Months 4-6):

• DE.CM: Deploy SIEM with log aggregation from cloud, application, and identity providers.
• DE.AE: Create detection rules for brute force, privilege escalation, data exfiltration.
• RS.MA: Document incident response playbooks for top-5 scenarios.

Phase 3 -- Maturity (Months 7-12):

• GV.PO: Publish formal security policies (acceptable use, data classification, IR).
• GV.SC: Assess third-party vendors, require SOC 2 reports.
• RC.RP: Conduct tabletop exercises, validate backup/restore procedures.
• ID.IM: Establish quarterly security reviews, update risk register.

Example 2: Gap Assessment Template in YAML Format

nist_csf_assessment:
  organization: "Acme Corp"
  assessment_date: "2026-02-24"
  assessor: "Security Team"
  framework_version: "2.0"

  functions:
    - function: GOVERN
      current_tier: 2
      target_tier: 3
      categories:
        - id: GV.OC
          current_maturity: "partial"
          target_maturity: "repeatable"
          gap: "No formal documentation of legal and regulatory obligations"
          remediation: "Create compliance register, map to controls"
          priority: high
          effort: medium
        - id: GV.RM
          current_maturity: "risk_informed"
          target_maturity: "repeatable"
          gap: "Risk appetite not formally defined by leadership"
          remediation: "Conduct risk appetite workshop with executive team"
          priority: high
          effort: low

    - function: IDENTIFY
      current_tier: 2
      target_tier: 3
      categories:
        - id: ID.AM
          current_maturity: "risk_informed"
          target_maturity: "repeatable"
          gap: "Shadow IT not tracked, no CMDB"
          remediation: "Deploy asset discovery tool, establish CMDB"
          priority: critical
          effort: high

    - function: PROTECT
      current_tier: 3
      target_tier: 3
      categories:
        - id: PR.AA
          current_maturity: "repeatable"
          target_maturity: "repeatable"
          gap: "None -- MFA and RBAC in place"
          remediation: "Maintain current controls"
          priority: low
          effort: none

  summary:
    total_gaps: 12
    critical_gaps: 3
    high_gaps: 5
    medium_gaps: 4
    estimated_remediation_months: 9

Best Practices

Do This

• Start with the GOVERN function to establish executive buy-in and accountability.
• Tailor profiles to your organization's size, sector, and risk appetite.
• Use the Informative References in CSF 2.0 to map to specific technical standards.
• Reassess at least annually or after significant organizational changes.
• Integrate CSF assessments into existing risk management processes.
• Track tier progression over time to demonstrate improvement to stakeholders.

Don't Do This

• Do not treat the framework as a compliance checklist; it is outcome-oriented.
• Do not try to achieve Tier 4 across all functions simultaneously.
• Do not skip the GOVERN function; it provides the foundation for everything else.
• Do not assess in isolation; involve business stakeholders in profile creation.
• Do not confuse CSF tiers with maturity model levels; they measure risk integration.

Security Checklist

GOVERN:

• Organizational context documented (mission, legal, stakeholder expectations)
• Risk management strategy defined and approved by leadership
• Roles, responsibilities, and authorities assigned for cybersecurity
• Cybersecurity policies published and communicated
• Supply chain risk management program established

IDENTIFY:

• Hardware, software, and data asset inventory maintained
• Risk assessment performed with identified threats and vulnerabilities
• Improvement process captures and applies lessons learned

PROTECT:

• Identity and access management controls enforced (MFA, RBAC, least privilege)
• Security awareness training conducted for all personnel
• Data protection controls applied (encryption, classification, DLP)
• Platform security maintained (patching, hardening, configuration management)
• Infrastructure resilience measures implemented (redundancy, failover)

DETECT:

• Continuous monitoring deployed for networks, systems, and applications
• Anomaly detection and event correlation operational
• Alert thresholds tuned to reduce false positives

RESPOND:

• Incident response plan documented and tested
• Incident analysis and forensic capabilities available
• Communication plan covers internal and external stakeholders
• Containment and eradication procedures defined

RECOVER:

• Recovery plan tested via tabletop and live exercises
• Recovery communication protocols established
• Post-incident review process feeds back into GOVERN and IDENTIFY

Related Skills

• @soc2-controls -- Map CSF outcomes to SOC 2 Trust Services Criteria.
• @iso27001-annexa -- Cross-reference CSF subcategories with ISO 27001 Annex A controls.
• @compliance-crosswalk -- Build unified control mappings across multiple frameworks.

Additional Resources

• NIST CSF 2.0 Official Publication
• NIST SP 800-53 Rev 5 -- Detailed security controls referenced by CSF.
• CSF 2.0 Quick Start Guides -- Tailored guides by organization type.
• NIST CSF Reference Tool -- Interactive browsing of CSF Core.