
NIST Cybersecurity Framework (CSF 2.0)

A voluntary, outcome-based framework for managing and reducing cybersecurity risk.

CSF 2.0 (2024) broadened the Framework's scope beyond critical infrastructure and added a sixth Function, Govern. It describes desired cybersecurity outcomes in a common language and maps cleanly to ISO 27001, SOC 2, CIS Controls and NIST 800-53.

The CSF Core: six Functions

Function | Purpose | Example categories
Govern (GV) | Establish and monitor the cyber risk-management strategy, roles and policy | Organisational context, risk-management strategy, roles & responsibilities, policy, oversight, supply-chain risk
Identify (ID) | Understand assets, data, suppliers and risks | Asset management, risk assessment, improvement
Protect (PR) | Safeguards to limit or contain impact | Identity & access, awareness & training, data security, platform security, resilience
Detect (DE) | Find and analyse anomalies and incidents | Continuous monitoring, adverse-event analysis
Respond (RS) | Act on a detected incident | Incident management, analysis, reporting, mitigation
Recover (RC) | Restore capabilities after an incident | Recovery plan execution, communications

Each Function contains Categories (outcome groups) and Subcategories (specific outcomes), with Implementation Examples and Informative References that map to other standards.

Implementation Tiers

Tier | Name | Characteristic
1 | Partial | Ad hoc, reactive risk management; limited awareness
2 | Risk Informed | Risk practices approved but not organisation-wide
3 | Repeatable | Formal policies, consistent organisation-wide practice
4 | Adaptive | Continuous improvement using lessons learned and predictive indicators

Tiers describe the rigour of cyber risk governance and management — they are a maturity indicator, not a score to maximise blindly. Choose a target Tier appropriate to your risk.

Profiles: current vs target

  • A Profile is your selection and prioritisation of outcomes based on business needs, risk and obligations.
  • A Current Profile captures the outcomes you achieve today; a Target Profile captures where you need to be.
  • The gap between them drives your prioritised action plan.

Adoption roadmap

  1. Scope and context: define the organisation, mission, obligations and risk appetite (Govern).
  2. Build the Current Profile — assess how well you achieve each outcome today.
  3. Define the Target Profile — the outcomes appropriate to your risk.
  4. Gap analysis between Current and Target, expressed as prioritised actions.
  5. Implement improvements, assigning owners and using Tiers to gauge maturity.
  6. Measure, report to leadership (Govern) and iterate continuously.
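The Profile steps above (build the Current Profile, define the Target Profile, turn the gap into prioritised actions, report per Function) are easy to run as a small script rather than a spreadsheet. The example below is an added illustration, not NIST's or CyberSigma's tooling. It assumes a per-outcome achievement level from 0 to 4 for each CSF category (a working scale chosen here; it is not the organisation-level Implementation Tier) and a business risk weight from 1 to 5 taken from the risk assessment; the priority formula (gap multiplied by risk weight) and the sample records are constructed for the example, using the category names listed on this page.

```python
from dataclasses import dataclass

# Hypothetical per-outcome achievement scale used by this example (not the CSF Tiers).
LEVELS = (0, 1, 2, 3, 4)


@dataclass(frozen=True)
class Outcome:
    id: str        # CSF category identifier, e.g. "PR.AA"
    function: str  # GV, ID, PR, DE, RS or RC
    name: str
    current: int   # Current Profile: level achieved today (0-4)
    target: int    # Target Profile: level required by risk and obligations (0-4)
    risk: int      # business risk weight 1-5 (assumed input from the risk assessment)


@dataclass(frozen=True)
class Action:
    id: str
    function: str
    name: str
    gap: int       # target minus current
    priority: int  # gap * risk weight (constructed prioritisation rule)


def validate(o: Outcome) -> None:
    """Reject records whose levels or risk weight fall outside the assumed scales."""
    if o.current not in LEVELS or o.target not in LEVELS:
        raise ValueError(f"{o.id}: levels must be in {LEVELS}")
    if not 1 <= o.risk <= 5:
        raise ValueError(f"{o.id}: risk weight must be 1-5")


def gap_analysis(outcomes: list[Outcome]) -> list[Action]:
    """Step 4: compare Current and Target Profiles and return prioritised actions.

    Outcomes already at or above target produce no action. Ties on priority are
    broken in favour of Govern outcomes, then by identifier, so the order is stable.
    """
    actions = []
    for o in outcomes:
        validate(o)
        gap = o.target - o.current
        if gap <= 0:
            continue
        actions.append(Action(o.id, o.function, o.name, gap, gap * o.risk))
    actions.sort(key=lambda a: (-a.priority, a.function != "GV", a.id))
    return actions


def function_coverage(outcomes: list[Outcome]) -> dict[str, float]:
    """Step 6: share of outcomes per Function that meet their target, for the leadership report."""
    totals: dict[str, int] = {}
    met: dict[str, int] = {}
    for o in outcomes:
        totals[o.function] = totals.get(o.function, 0) + 1
        if o.current >= o.target:
            met[o.function] = met.get(o.function, 0) + 1
    return {f: round(met.get(f, 0) / totals[f], 2) for f in totals}


# Constructed sample profile: one category per Function, names as listed on this page.
SAMPLE = [
    Outcome("GV.OC", "GV", "Organisational context", current=1, target=3, risk=4),
    Outcome("ID.AM", "ID", "Asset management", current=2, target=3, risk=5),
    Outcome("PR.AA", "PR", "Identity and access", current=1, target=4, risk=5),
    Outcome("DE.CM", "DE", "Continuous monitoring", current=3, target=3, risk=3),
    Outcome("RS.MA", "RS", "Incident management", current=2, target=3, risk=4),
    Outcome("RC.RP", "RC", "Recovery plan execution", current=0, target=2, risk=2),
]

if __name__ == "__main__":
    for a in gap_analysis(SAMPLE):
        print(f"{a.priority:>3}  {a.id:<6} gap {a.gap}  {a.name}")
    print(function_coverage(SAMPLE))
```

Replacing `SAMPLE` with the organisation's own subcategory records (current level, target level, risk weight per row) gives the prioritised action plan the roadmap calls for; re-running after each improvement cycle updates both the action list and the per-Function coverage figures reported to leadership.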

What CSF 2.0 changed

  • Added the Govern Function — cybersecurity as an enterprise-risk and leadership responsibility.
  • Broadened applicability beyond critical infrastructure to all organisations.
  • Strengthened supply-chain risk management guidance.
  • Added implementation examples, quick-start guides and organisational profiles.

Readiness checklist

  • A cyber risk-management strategy and roles are defined and governed (Govern).
  • Assets, data and suppliers are inventoried and risk-assessed (Identify).
  • Access control, training, data and platform security controls are in place (Protect).
  • Continuous monitoring and detection are operating (Detect).
  • An incident-response capability exists and is tested (Respond).
  • Recovery plans exist and are exercised (Recover).
  • Current and Target Profiles are documented with a prioritised action plan.

NIST CSF mapped to other frameworks

Framework | Relationship
ISO 27001 | Controls map closely; CSF outcomes ↔ Annex A / ISMS
NIST 800-53 | CSF references 800-53 controls as one implementation set
CIS Controls | CIS safeguards implement many CSF outcomes
COBIT | COBIT governs the enterprise around CSF implementation

How CyberSigma helps

We build your Current and Target Profiles, run the gap analysis, and deliver a prioritised, risk-based roadmap — mapping CSF outcomes to the ISO 27001 / SOC 2 / RBI work you may already need.

Frequently asked questions

Is NIST CSF mandatory?
The CSF itself is voluntary. However, many US government contracts and sector regulators effectively require it (or NIST SP 800-53/800-171), and customers increasingly ask for it in security questionnaires.

What changed in CSF 2.0?
The headline change is the new Govern Function, plus broader applicability beyond critical infrastructure, clearer supply-chain guidance and implementation resources.

How does NIST CSF relate to ISO 27001?
They are complementary. ISO 27001 certifies a management system; CSF is a flexible outcome model. Controls map closely, so work done for one accelerates the other.

Need help with NIST CSF?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.