
Compliance Guide · Global · Voluntary

NIST Cybersecurity Framework 2.0

NIST CSF 2.0 is the most widely used cybersecurity framework in the world. One language for your cybersecurity posture: six core functions, 22 categories, 106 outcomes (subcategories), and four implementation tiers. Here is how to implement it without a 200-page binder.

  • Issuing body: US National Institute of Standards and Technology (NIST)
  • Version: CSF 2.0 (February 26, 2024)
  • Coverage: Any organisation, any sector, any country
  • Status: Voluntary · increasingly cited by insurers, regulators, and enterprise buyers
NIST Cybersecurity Framework 2.0 — Govern, Identify, Protect, Detect, Respond, Recover
6 Core functions (Govern is new)
22 Categories · 106 outcomes
4 Implementation tiers
Free Official PDF on nist.gov

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework — usually written as NIST CSF — is a voluntary framework published by the US National Institute of Standards and Technology. It gives every organisation a common language to:

  • Describe its current cybersecurity posture.
  • Describe its target cybersecurity posture.
  • Identify and prioritise the gap between the two.
  • Communicate cyber risk to leadership, customers, regulators, and insurers in a way everyone understands.

CSF was first released in 2014 for US critical infrastructure. CSF 2.0, published on February 26, 2024, is the current version — and the first explicitly designed for any organisation, in any sector, in any country. That is why it has become the default cybersecurity reference framework worldwide.

What's new in NIST Cybersecurity Framework 2.0

CSF 2.0 is the biggest update in a decade. Four changes matter most:

  1. The new GOVERN function. Cybersecurity governance, supply chain, and enterprise risk management are no longer buried inside Identify — they are a peer function alongside Identify, Protect, Detect, Respond, and Recover. This change reflects how CISO and board accountability has matured since 2018.
  2. Universal scope. The 2014 version targeted US critical infrastructure. CSF 2.0 explicitly applies to organisations of all sizes, sectors, and geographies — startups, SMBs, multinationals, non-profits, public sector.
  3. Implementation guidance built in. NIST now publishes Quick Start Guides for small business, enterprise risk management, and supply chain. Community Profiles tailor the framework to specific sectors (healthcare, manufacturing, election infrastructure, etc.).
  4. Modern threat coverage. Strengthened content on third-party / software supply chain risk, secure software development, platform security, and identity-centric attacks (the Identity Management, Authentication, and Access Control category in Protect).

Who needs NIST CSF 2.0?

Technically nobody is forced to adopt CSF — it is voluntary. In practice, you almost certainly should if any of these apply:

  • You are a US business looking for a single framework to organise your cybersecurity programme.
  • You sell into US enterprises that increasingly request CSF alignment in security questionnaires.
  • You are pursuing cyber insurance: many US underwriters reference CSF in their applications.
  • You operate in regulated sectors (financial services, healthcare, energy, public sector) where regulators benchmark against CSF.
  • You want a plain-English board narrative for your cyber posture and risk decisions.
  • You are starting from scratch and need a roadmap instead of a wall of controls.

If you are also pursuing certifiable standards like ISO 27001 or SOC 2, CSF still earns its place — most teams use it as the strategic narrative layer above their certified ISMS.

The six core functions

CSF 2.0 organises cybersecurity into six functions. Each function holds categories, and each category holds subcategories — these are the actual outcomes you implement and measure.

GV

Govern

Establish, communicate, and monitor the cyber risk strategy, expectations, and policy. Includes context, risk strategy, roles & responsibilities, policy, oversight, and supply chain.

ID

Identify

Understand the assets that enable the business, the people who use them, the suppliers behind them, the risks they face, and the improvements the programme itself needs. Covers asset management, risk assessment, and improvement.

PR

Protect

Use safeguards to limit or contain the impact of a cyber event — identity & access, awareness & training, data security, platform security, technology infrastructure resilience.

DE

Detect

Find and analyse possible cybersecurity attacks and compromises. Continuous monitoring and adverse event analysis.

RS

Respond

Take action on a detected incident — incident management, analysis, response reporting and communication, mitigation.

RC

Recover

Restore assets and operations affected by a cybersecurity incident, and keep internal and external stakeholders informed while you do. Covers recovery plan execution and recovery communication. (Lessons learned feed the Improvement category under Identify.)

The four implementation tiers

Tiers describe how rigorous and adaptive your cyber risk practices are. They are not maturity levels you must reach — they are a way to express how much rigor your risk profile justifies. A 15-person SaaS startup at Tier 2 may be perfectly appropriate; a global bank at Tier 2 is in trouble.

| Tier | Name | What it looks like |
|---|---|---|
| 1 | Partial | Ad-hoc, reactive practices. Limited awareness of cyber risk. No organisation-wide approach. |
| 2 | Risk Informed | Management-approved practices, but inconsistent across the organisation. Limited external sharing. |
| 3 | Repeatable | Organisation-wide policies, regularly updated. Risk-informed decisions consistent with strategy. Active threat sharing. |
| 4 | Adaptive | Continuous improvement using lessons learned and predictive indicators. Cyber risk fully integrated with enterprise risk. |

A practical view: most US SMBs land between Tier 1 and Tier 2 today. Cyber-insurance and enterprise-procurement pressure is moving the floor to Tier 3 fast. We unpack this in our Cybersecurity Maturity Model guide.

Profiles — and the "one framework, one cybersecurity posture" idea

A Profile is your selected set of CSF outcomes — what is in scope for your organisation, today and tomorrow.

  • Current Profile: what you are doing today across all 106 outcomes.
  • Target Profile: what you intend to be doing, given your risk appetite and obligations.
  • Community Profile: a starter Target Profile for a sector or use case (e.g. healthcare, manufacturing, election infrastructure), published by NIST or by the community itself.

This is where CSF earns its reputation as the "one framework for your cybersecurity posture". Instead of juggling SOC 2, ISO, HIPAA, PCI, and a stack of state laws as separate spreadsheets, you map them all into a single CSF Target Profile. One language. One scorecard. One narrative for the board.

90-day implementation roadmap

NIST CSF 2.0 implementation roadmap — scope, current profile, target profile, close the gap

Days 0–14 Scope

  • List crown-jewel data, systems, and business processes.
  • Identify stakeholders (business, legal, HR, IT, vendors, regulators).
  • List the regulations and contracts that already constrain you (HIPAA, PCI, state privacy, SOC 2, etc.).

Days 15–45 Current profile

  • Score every one of the 106 subcategories: Not in place / Partial / Largely / Fully.
  • Capture the evidence behind each score — log sources, screenshots, policy references.
  • Estimate your current tier per function. Tiers describe the rigor of your risk governance and risk management practices, so this is a judgement call, not an average of the subcategory scores.

Days 30–60 Target profile + gap analysis

  • Set the target outcome level for each subcategory based on risk and obligations.
  • Pick a target tier per function.
  • Generate the gap list and prioritise by risk reduction per dollar.

Days 45–90 Execute the first sprint

  • Address the top 10–20 gaps. Most are policy, identity, monitoring, backup, or vendor risk.
  • Stand up evidence collection so the next assessment is automated, not manual.
  • Brief the board on the new posture and the rolling roadmap.

After day 90, CSF becomes a continuous programme: re-score quarterly, refresh the target annually, treat new threats as inputs to the gap list.
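The scoring and gap-prioritisation steps above (and the Current/Target Profile idea from the previous section) can be run as a small script. The following Python is an added example, not NIST tooling and not Security Pulse's RunWay: it takes a profile as a list of outcomes, reports coverage per function, and ranks open gaps by assumed risk reduction per dollar. The 0..3 mapping of the four score labels, the 1..5 impact weights and the dollar costs are assumptions; the subcategory identifiers used are real CSF 2.0 IDs, but the sample profile itself is constructed.

```python
"""
Profile scoring and gap prioritisation for a NIST CSF 2.0 Organizational
Profile. Added example: not NIST tooling and not Security Pulse code.
Assumptions: the four score labels map to 0..3, each outcome carries an
assessor-assigned 1..5 impact weight, and costs are rough estimates.
The subcategory IDs below are real CSF 2.0 IDs; the scores, weights and
costs are constructed sample data.
"""
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed numeric mapping of the page's four scoring labels.
SCORE = {"Not in place": 0, "Partial": 1, "Largely": 2, "Fully": 3}
MAX_SCORE = max(SCORE.values())

# The six CSF 2.0 functions, keyed by the prefix used in subcategory IDs.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# CSF 2.0 IDs look like PR.AA-03: function, category, two-digit outcome.
SUB_ID = re.compile(r"^(GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}$")


@dataclass(frozen=True)
class Outcome:
    sub_id: str     # CSF 2.0 subcategory identifier, e.g. "PR.AA-03"
    current: str    # current-profile score label
    target: str     # target-profile score label
    impact: int     # assumed risk weight 1..5 (assessor judgement)
    cost_usd: int   # assumed cost to move current -> target

    def __post_init__(self):
        if not SUB_ID.match(self.sub_id):
            raise ValueError(f"bad subcategory id: {self.sub_id}")
        for label in (self.current, self.target):
            if label not in SCORE:
                raise ValueError(f"bad score label: {label}")
        if not 1 <= self.impact <= 5 or self.cost_usd < 0:
            raise ValueError(f"bad impact/cost for {self.sub_id}")

    @property
    def function(self) -> str:
        return self.sub_id[:2]

    @property
    def gap(self) -> int:
        # Levels still to climb; a target below current is not a gap.
        return max(0, SCORE[self.target] - SCORE[self.current])

    @property
    def risk_reduction(self) -> int:
        return self.gap * self.impact


def coverage_by_function(profile: List[Outcome]) -> Dict[str, float]:
    """Mean current score per function as a percentage of 'Fully'."""
    totals = {f: [0, 0] for f in FUNCTIONS}
    for o in profile:
        totals[o.function][0] += SCORE[o.current]
        totals[o.function][1] += 1
    return {f: round(100.0 * s / (n * MAX_SCORE), 1) if n else 0.0
            for f, (s, n) in totals.items()}


def gap_list(profile: List[Outcome]) -> List[dict]:
    """Open gaps ranked by assumed risk reduction per dollar."""
    rows = []
    for o in profile:
        if o.gap == 0:
            continue
        # A zero-cost gap (e.g. a policy that only needs sign-off) is free
        # risk reduction: rank it first instead of dividing by zero.
        value = math.inf if o.cost_usd == 0 else o.risk_reduction / o.cost_usd
        rows.append({"sub_id": o.sub_id, "function": FUNCTIONS[o.function],
                     "gap": o.gap, "risk_reduction": o.risk_reduction,
                     "cost_usd": o.cost_usd, "value": value})
    rows.sort(key=lambda r: (-r["value"], -r["risk_reduction"], r["sub_id"]))
    return rows


# Constructed sample profile (scores, weights and costs are invented).
SAMPLE_PROFILE = [
    Outcome("GV.OC-01", "Fully",        "Fully",   3, 0),
    Outcome("GV.PO-01", "Largely",      "Fully",   2, 0),
    Outcome("GV.SC-01", "Not in place", "Largely", 4, 20000),
    Outcome("ID.AM-01", "Partial",      "Fully",   4, 8000),
    Outcome("PR.AA-03", "Partial",      "Fully",   5, 6000),
    Outcome("PR.DS-11", "Largely",      "Fully",   5, 4000),
    Outcome("DE.CM-01", "Not in place", "Largely", 4, 30000),
    Outcome("RS.MA-01", "Partial",      "Largely", 3, 3000),
    Outcome("RC.RP-01", "Partial",      "Largely", 3, 3000),
]

if __name__ == "__main__":
    for func, pct in coverage_by_function(SAMPLE_PROFILE).items():
        print(f"{FUNCTIONS[func]:<9} {pct:5.1f}% of target")
    for r in gap_list(SAMPLE_PROFILE):
        print(f"{r['sub_id']}  gap={r['gap']}  risk={r['risk_reduction']}  "
              f"cost=${r['cost_usd']:,}  value={r['value']:.5f}")
```

Two design points worth keeping when you adapt this to the full 106 outcomes: a zero-cost gap ranks first rather than crashing the ranking, and a target set below the current score counts as no gap rather than a negative one. Coverage here is a plain average of scores, not a tier; tiers describe governance and risk-management rigor and remain a judgement the assessor records separately.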

Where to get the official NIST Cybersecurity Framework PDF

NIST publishes the entire CSF 2.0 specification — including the core (functions, categories, subcategories), informative references, and tier definitions — for free at nist.gov/cyberframework. You can download:

  • The CSF 2.0 PDF (NIST CSWP 29).
  • The Core in JSON and Excel for tooling.
  • Quick Start Guides — Small Business, Enterprise Risk Management, Supply Chain Risk Management, Community Profiles.
  • The official NIST CSF 2.0 Reference Tool, which lets you build and export custom profiles.

NIST does not charge for any of it. If a vendor is selling you "the NIST Cybersecurity Framework PDF" — they are selling you something NIST already gives you for free.

NIST CSF 2.0 vs ISO 27001 vs CMMC

| | NIST CSF 2.0 | ISO 27001:2022 | CMMC 2.0 |
|---|---|---|---|
| Type | Voluntary framework | Certifiable international standard | Mandatory US DoD certification |
| Output | Self or third-party assessment, Organizational Profile | 3-year certificate | Level 1/2/3 certification |
| Best for | Strategic posture and board narrative | Global enterprise sales | US defence supply chain |
| Cost (small org) | $0–$25K assessment | $30K–$80K total | $15K–$120K total |
| Time to implement | 3–6 months | 9–12 months | 3–12 months |

Overlap: roughly 70% of CSF outcomes map to ISO 27001 controls, and CSF's informative references map directly to NIST SP 800-53 and SP 800-171, which CMMC assesses against.

How Security Pulse helps with NIST CSF 2.0

RunWay — Build the profile

  • Scope, stakeholder map, regulatory inventory.
  • Current profile scoring across all 106 outcomes.
  • Risk-based target profile and tier selection.
  • Gap analysis and prioritised 90-day roadmap.
  • Board-ready posture report on day 90.

Autopilot — Run the functions

  • Govern: policy library, supply-chain risk, evidence vault, quarterly board reports.
  • Identify: live asset and supplier inventory, risk register.
  • Protect: identity, MFA, endpoint, email, data security.
  • Detect: 24/7 monitoring, anomaly & insider-threat analytics.
  • Respond & Recover: automated triage, containment runbooks, backup verification.

Pair this with our continuous compliance monitoring approach and your CSF profile updates itself — instead of being rebuilt every audit cycle.

Common questions about NIST CSF 2.0

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a voluntary set of guidelines, best practices, and standards published by the US National Institute of Standards and Technology. It helps any organisation — regardless of size, sector, or country — describe its current cybersecurity posture, set a target posture, identify and prioritise improvements, assess progress, and communicate cyber risk to internal and external stakeholders. CSF was first released in 2014; CSF 2.0 was published in February 2024 and is the current version.

What is new in NIST Cybersecurity Framework 2.0?

CSF 2.0 introduced four major changes versus the 2018 version (CSF 1.1): (1) a new sixth function called Govern (GV) that elevates governance, supply chain, and risk management to a peer of the operational functions; (2) explicit applicability beyond US critical infrastructure to all organisations globally; (3) new implementation guidance via Quick Start Guides, Community Profiles, and online Informative References; and (4) strengthened content on supply chain risk management, secure software development, platform security, and identity-centric threats.

What are the six functions of NIST CSF 2.0?

CSF 2.0 organises cybersecurity outcomes into six core functions: GOVERN (establish, communicate, and monitor the cyber risk strategy), IDENTIFY (understand assets, suppliers, and risks), PROTECT (safeguards to limit or contain the impact of incidents), DETECT (find and analyse possible cyberattacks), RESPOND (take action on a detected incident), and RECOVER (restore assets and operations after an incident). These six functions hold 22 categories and 106 subcategories (outcomes).

Where can I download the NIST Cybersecurity Framework PDF?

NIST publishes the official CSF 2.0 PDF for free on its website at nist.gov/cyberframework. The core (functions, categories, subcategories) is available as a PDF, JSON, and Excel file. NIST also publishes Quick Start Guides for small businesses, enterprise risk management, and supply chain risk management — each is a separate downloadable PDF.

Is NIST CSF a certification?

No. NIST CSF is a voluntary framework, not a certifiable standard. There is no official "NIST CSF certified" status. However, many organisations conduct third-party assessments, self-attestations, or maturity reviews against CSF, and an increasing number of US insurers, government contracts, and enterprise procurement teams ask for proof of CSF alignment.

What are the four NIST CSF tiers?

The four implementation tiers describe how rigorous and adaptive your cyber risk practices are. Tier 1 Partial: ad-hoc, reactive, limited awareness. Tier 2 Risk Informed: management-approved practices but inconsistent. Tier 3 Repeatable: organisation-wide policies, regularly updated. Tier 4 Adaptive: continuous improvement using lessons learned and predictive indicators. Tiers are not maturity levels you must reach — they are a way to express how much rigor your risk profile justifies.

How long does it take to implement NIST CSF?

A focused initial implementation typically takes 3–6 months for a small or mid-sized business: 4–6 weeks to scope and build the current profile, 4–6 weeks to define the target profile and gap analysis, then a 60–120 day execution sprint on the highest-priority gaps. Mature organisations treat CSF as a continuous programme that runs forever — the framework is designed for ongoing improvement, not a one-time project.

How is NIST CSF 2.0 different from ISO 27001?

CSF is a voluntary outcome-based framework — it tells you what good looks like across six functions but leaves the implementation to you. ISO 27001 is a certifiable standard with mandatory ISMS clauses (4–10) and 93 Annex A controls; you go through a Stage 1 + Stage 2 audit and receive a certificate. CSF is faster to adopt and cheaper to assess; ISO 27001 is what international enterprise buyers, especially in EU and Asia, expect to see. About 70% of CSF outcomes map cleanly to ISO 27001 controls, so the work is reusable.

How does NIST CSF relate to CMMC, NIST 800-53, and NIST 800-171?

CSF is the strategic framework. NIST SP 800-53 is the catalog of detailed security controls used by US federal systems (1,000+ controls and enhancements across 20 families). NIST SP 800-171 is derived from 800-53 and protects Controlled Unclassified Information (CUI) at non-federal organisations. CMMC 2.0 is the assessment-and-certification programme the US Department of Defense uses to verify that contractors meet the applicable requirements: Level 1 covers the basic FAR 52.204-21 safeguards for federal contract information, Level 2 is the 110 requirements of 800-171, and Level 3 adds a subset of 800-172. CSF tells you "what to aim for"; the others tell you "exactly how" and, in CMMC's case, "prove it under assessment".

How does Security Pulse help with NIST CSF 2.0?

Security Pulse covers the full CSF 2.0 lifecycle. RunWay handles the assessment side: scope, current profile scoring across all 106 outcomes, target profile setting, gap analysis, and a prioritised 90-day roadmap. Autopilot then runs the operational functions continuously — Identify (asset and supplier inventory), Protect (identity, endpoint, email, data), Detect (24/7 monitoring), Respond (automated triage and containment), and Recover (backup verification and IR runbooks). Govern outcomes are tracked through the evidence vault with quarterly board reports.

One framework. One posture. Zero document graveyard.