From nist-csf-20
NIST Cybersecurity Framework v2.0 expert. Reference-depth knowledge of the six Functions (Govern, Identify, Protect, Detect, Respond, Recover), Categories and Subcategories, Profiles (Current vs Target), Tiers, Implementation Examples, and the practitioner workflow of using CSF as a board-readable cybersecurity outcomes language. Backed by the SCF crosswalk for control-by-control mechanics.
How this skill is triggered — by the user, by Claude, or both
Slash command
/nist-csf-20:nist-csf-20-expertThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Reference-depth expertise for **NIST Cybersecurity Framework v2.0** — the cross-sector outcomes-based framework published by the U.S. National Institute of Standards and Technology. CSF 2.0 is the most widely adopted cybersecurity framework in the United States and is increasingly used worldwide as a common vocabulary for board-level and regulator-facing cybersecurity discussions.
Reference-depth expertise for NIST Cybersecurity Framework v2.0 — the cross-sector outcomes-based framework published by the U.S. National Institute of Standards and Technology. CSF 2.0 is the most widely adopted cybersecurity framework in the United States and is increasingly used worldwide as a common vocabulary for board-level and regulator-facing cybersecurity discussions.
This plugin bundles the SCF crosswalk (250 SCF controls → 134 CSF Subcategories) with framework-specific scope, assessment, and evidence guidance.
general-nist-csf-2-0CSF 2.0 is a cybersecurity outcomes framework, not a control catalog. Its job is to give an organization a small, common vocabulary it can use to (a) describe what cybersecurity outcomes it currently achieves, (b) describe what it wants to achieve, and (c) plan the gap between the two. The framework deliberately avoids prescribing how to achieve outcomes — that's what control catalogs like NIST SP 800-53, ISO 27001 Annex A, and CIS Controls are for. CSF cites those catalogs as Informative References.
The headline change in CSF 2.0 is the addition of the Govern (GV) Function. CSF 1.1 had five Functions — Identify, Protect, Detect, Respond, Recover — which describe the lifecycle of a cybersecurity event. CSF 2.0 adds Govern as a cross-cutting Function that holds the board, executives, and risk-management processes accountable for the cybersecurity program itself, not just for responding to events. This change reflects what regulators, boards, and the SEC's 2023 cybersecurity disclosure rule have been pushing for years.
CSF is voluntary and cross-sector. It does not impose territorial obligations on its own. Practical sweet spots where it's the right framework to reach for:
CSF is not a substitute for sectoral regulation. A hospital still owes HIPAA Security Rule compliance regardless of its CSF posture; a bank still owes GLBA Safeguards Rule; a defense contractor still owes CMMC. CSF sits above those — it's the shared language a CISO uses to explain the program to a board that doesn't read CFR citations.
CSF is organized hierarchically. The Core has three layers:
The Functions are the highest-level grouping and the single most important thing to memorize. CSF 2.0 has six:
| Code | Function | What it covers |
|---|---|---|
| GV | Govern | Cybersecurity strategy, expectations, policy, roles, risk tolerance, supply chain risk management, oversight. New in 2.0. |
| ID | Identify | Asset management, business environment, risk assessment, improvement. Understand your context. |
| PR | Protect | Identity management and access control, awareness and training, data security, platform security, technology infrastructure resilience. |
| DE | Detect | Continuous monitoring, adverse event analysis. |
| RS | Respond | Incident management, analysis, response reporting and communication, mitigation. |
| RC | Recover | Incident recovery plan execution, recovery communication. |
The mnemonic the community uses is GIPDRR (or G + IPDRR, since IPDRR was the CSF 1.x ordering). Note that Govern is not the first Function executed during an incident — it's the wrapper around all the others. In Profile work and assessments, Govern outcomes are typically written and approved before the Identify/Protect/Detect/Respond/Recover capabilities are stood up, but in continuous operation Govern runs in parallel with everything else.
Each Function decomposes into Categories. Categories are coded as <Function>.<Category>. Examples that come up constantly in practice:
Total Categories in CSF 2.0: 22 (compared to 23 in CSF 1.1 — the structure was rebalanced as part of the Govern restructuring).
Subcategories are the leaf nodes — concrete cybersecurity outcomes phrased as statements (not directives). CSF 2.0 has 106 official Subcategories. The SCF crosswalk used by this plugin resolves those outcomes into 134 mappable entries for assessment and reporting. CSF Subcategories are coded as <Function>.<Category>-<Number>. Examples:
Subcategories are the assessment unit. When practitioners say "we're at Partial on PR.AA-01 and Repeatable on DE.CM-01," they're scoring at the Subcategory level. This plugin's evidence-checklist command covers all 106 Subcategories, organized by Function → Category.
CSF 2.0 introduced Implementation Examples — short, concrete actions an organization can take to achieve a Subcategory's outcome. These are intentionally not exhaustive and not prescriptive; they're a starting point. They are published in the NIST CSF 2.0 Reference Tool alongside each Subcategory.
Implementation Examples are not the same as Informative References. References point to other catalogs (NIST SP 800-53, ISO 27001:2022, CIS Controls v8, etc.); Examples describe actions an organization can take directly. Cite Implementation Examples by Subcategory ID and the example's enumeration in the published CSF 2.0 Reference Tool — do not paste the Example text verbatim into customer-facing artifacts.
The Profile is where CSF stops being theoretical and starts being useful. A Profile is just a list of Subcategories with annotations. The practitioner workflow:
CSF 2.0 publishes Community Profiles for specific contexts (e.g., manufacturing, election security, electric grid). Community Profiles are pre-built Target Profiles maintained by NIST or industry working groups; using one short-circuits a lot of the "what should our Target Profile look like?" debate. Always check whether a Community Profile exists for the organization's sector before building one from scratch.
This is the single most-misunderstood part of CSF. The Tiers describe how rigorous and integrated the organization's cybersecurity risk management practices are — not how many controls it has, not how technically mature its security tooling is.
| Tier | Name | Plain-language description |
|---|---|---|
| 1 | Partial | Risk management is ad hoc, reactive, often informal. Awareness limited. Governance and supply chain risk practices not formalized. |
| 2 | Risk Informed | Risk management practices are approved by management but not established as organization-wide policy. Some prioritization happens. Governance present but inconsistent. |
| 3 | Repeatable | Risk management practices are formally approved, expressed as policy, applied consistently. Governance is regular. Supply chain risk management is integrated. Continuous awareness. |
| 4 | Adaptive | Risk management practices adapt to changing threats based on lessons learned and predictive indicators. Cybersecurity risk is integrated into enterprise risk culture. Continuous improvement. |
Two critical points:
CSF 2.0 Subcategories map to other widely-used catalogs through Informative References. These are maintained in the NIST CSF 2.0 Reference Tool and updated periodically. The official mappings include (non-exhaustive):
Treat Informative References as a starting point, not a substitute for the underlying frameworks. If an organization is implementing controls to satisfy ISO 27001:2022 certification, the ISO standard's normative text governs — CSF references it, but auditors against ISO 27001 will assess against the ISO text directly.
CSF itself doesn't impose timelines (it's voluntary), but practitioners should plan around:
For organizations using CSF to support sector regulation (e.g., NERC CIP audits, HIPAA risk analyses, PCI DSS Reports on Compliance), the regulator's cadence governs — CSF assessment work is usually scheduled to feed into those external assessments rather than the other way around.
CSF is voluntary. NIST is a measurement and standards body, not a regulator, and does not enforce CSF. There are no fines, no mandatory audits, no certification body for CSF itself.
What CSF posture does affect:
There is no CSF certification. Vendors offering "CSF certified" products or assessors are using the term loosely; NIST does not accredit or certify against CSF.
CSF is designed to play well with others. Common interactions:
For multi-framework optimization and crosswalk-driven implementation work, see /grc-engineer:optimize-multi-framework and /grc-engineer:map-controls-unified.
Reference-depth practitioners should be ready to correct these in conversations with engineers, executives, and auditors:
Because CSF is voluntary and outcomes-based, there are no NIST-mandated artifacts. However, practitioner experience consistently produces (and assessors / regulators / boards consistently expect) the following deliverables when an organization claims a CSF posture:
Federal contractors and regulated entities should additionally produce mappings from their CSF Profile to the underlying regulation's control catalog (800-53, 800-171, HIPAA, PCI DSS, etc.) so that CSF artifacts can be reused as evidence across multiple compliance regimes.
When using this plugin, the typical workflow is:
1. /nist-csf-20:scope # decide what's in scope, pick or build a Target Profile
2. /nist-csf-20:evidence-checklist # enumerate evidence per Function/Category
3. /nist-csf-20:assess # run the gap assessment via SCF crosswalk
Underneath, all three commands delegate the control-by-control mechanics to /grc-engineer:gap-assessment with SCF framework ID general-nist-csf-2-0. This plugin contributes:
For citation purposes, refer to the NIST CSF 2.0 Quick Start Guides (NIST SP 1300 series — 1300, 1301, etc., each addressing a specific audience or topic) and the public NIST CSF 2.0 Reference Tool. Cite by document ID and section number; do not paste their prose verbatim.
CSF is technology-neutral. Implementation Examples are written without naming vendors. When this plugin's evidence checklist suggests artifacts (e.g., "IAM configuration export for PR.AA-01"), treat the artifact as cloud-agnostic — equivalent evidence exists in AWS IAM, Azure AD/Entra ID, GCP IAM, on-prem Active Directory, Kubernetes RBAC, or any combination. Optional vendor-specific examples may be added in a future Full-depth plugin, but Reference depth deliberately does not lock to a single cloud.
/grc-engineer:optimize-multi-frameworkA Full-depth nist-csf-20 plugin would add framework-native workflow commands tied to how CSF is actually consumed in practice. Candidates worth considering:
/nist-csf-20:profile-build — interactive Current/Target Profile authoring with Subcategory-level scoring rubric/nist-csf-20:tier-assessment — guided Tier 1–4 evaluation across the four characteristic dimensions (risk management process, integrated risk management program, external participation, supply chain risk)/nist-csf-20:community-profile — search and apply published Community Profiles (manufacturing, election infrastructure, electric grid, etc.) as a starting Target Profile/nist-csf-20:board-report — generate a Function-level executive summary suitable for board / audit committee distribution/nist-csf-20:csf1-to-csf2 — migrate an existing CSF 1.1 Profile to the CSF 2.0 structure, accounting for the new Govern Function and rebalanced Categories/nist-csf-20:sec-disclosure-prep — map Govern Function outcomes to SEC Reg S-K Item 106 disclosure requirementsContributors with practitioner experience in any of these workflows are encouraged to open a level-up PR.
/nist-csf-20:scope — determine applicability and Profile/Tier targeting/nist-csf-20:assess — run a gap assessment via SCF crosswalk/nist-csf-20:evidence-checklist — enumerate evidence per Function and Category across all 106 SubcategoriesAll three delegate to /grc-engineer:gap-assessment with SCF framework ID general-nist-csf-2-0 for the control-by-control mechanics, and wrap the results in CSF 2.0 vocabulary (Function / Category / Subcategory / Profile / Tier).
general-nist-csf-2-0nist.gov/cyberframeworkGuides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Manages knowledge base ingestion, sync, and retrieval across local files, MCP memory, vector stores, and Git repos. Use for saving, organizing, deduplicating, or searching knowledge.
3plugins reuse this skill
First indexed Jul 18, 2026
npx claudepluginhub vantainc/claude-grc-engineering --plugin nist-csf-20