Table of Contents
What Is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) was developed by the National Institute of Standards and Technology and first published in 2014, following an Executive Order from President Obama who called for a common security standard across industries after a series of critical infrastructure attacks. In the years that followed, the CSF became the most widely adopted cybersecurity framework in the world — not just in the United States, but across Europe, Asia, and Latin America.
The key advantage of NIST CSF over other frameworks is its risk-based, non-prescriptive approach. It does not dictate which specific technologies to deploy or which exact controls to implement. Instead, it provides a structured language and methodological framework that organizations can use to describe their current security posture, define target states, and systematically close the gaps between the two. This flexibility makes the framework applicable to a 50-person SME as well as a global enterprise.
Version 1.0 (2014) and the major update to Version 1.1 (2018) established five core functions: Identify, Protect, Detect, Respond, and Recover. This model proved itself in practice but showed gaps as the cybersecurity landscape matured — particularly in the areas of governance, supply chain security, and support for smaller organizations without dedicated security teams.
After a multi-year public revision process with thousands of comments from industry, government, and academia, NIST published Version 2.0 in February 2024. The new version is more than an update — it is a strategic realignment that explicitly positions cybersecurity as a business strategy and a matter for executive leadership. CSF 2.0 now officially applies to all organization types and sizes, not just critical infrastructure.
What's New in CSF 2.0?
The most significant structural addition in NIST CSF 2.0 is the introduction of the sixth core function, GOVERN (GV). This function addresses a blind spot in previous versions: cybersecurity decisions were often made in isolation within the IT department, without sufficient involvement from senior leadership, the board, or executive teams. GOVERN explicitly positions cybersecurity strategy, roles, responsibilities, and risk tolerance as management-level obligations.
Another central focus of CSF 2.0 is a substantially expanded treatment of supply chain security (Supply Chain Risk Management, SCRM). While CSF 1.1 touched on supply chain risks only peripherally, Version 2.0 includes a dedicated category with concrete subcategories covering third-party risk assessment, contract requirements, Software Bills of Materials (SBOMs), and the monitoring of critical suppliers. Given the high-profile supply chain attacks of recent years — SolarWinds, Log4Shell, XZ Utils — this expansion was both overdue and practically necessary.
CSF 2.0 offers, for the first time, extensive implementation examples and profiles tailored to specific industries, company sizes, and maturity levels. NIST maintains a growing catalog of Community Profiles on its website, including specific guidance for small businesses without a dedicated security team. This makes the framework significantly more accessible to the broader market of mid-sized companies that were previously deterred by its complexity.
Cross-framework integration has been systematically strengthened. CSF 2.0 includes official mappings to ISO/IEC 27001, COBIT 2019, the ISA/IEC 62443 series, and the CIS Controls. For how COBIT relates to the service-management framework ITIL in a governance context, see our COBIT vs. ITIL comparison. For European organizations, the substantial overlaps with the NIS2 Directive and the Digital Operational Resilience Act (DORA) are increasingly being leveraged to consolidate compliance efforts rather than addressing each regulation in isolation.
The most important addition: The new GOVERN function makes cybersecurity a boardroom issue — strategy, risk tolerance, and accountability now belong on the executive agenda.
The 6 Core Functions of CSF 2.0
NIST CSF 2.0 organizes cybersecurity activities into six core functions, each subdivided into categories and subcategories. In total, the framework comprises 22 categories and 106 subcategories. The functions are not meant as a sequential process but as simultaneously active, mutually reinforcing domains of activity.
GOVERN (GV) — Oversight and Strategy
GOVERN is the new sixth function and conceptually central: it spans all five other functions and ensures that cybersecurity activities are strategically directed, organizationally embedded, and continuously monitored. Without a functioning GOVERN capability, the operational measures of the other functions remain fragmented and ultimately ineffective.
The categories under GOVERN include: Organizational Context (GV.OC) — understanding the regulatory and strategic context of the organization; Risk Management Strategy (GV.RM) — defining risk tolerance, risk appetite, and prioritization principles; Cybersecurity Supply Chain Risk Management (GV.SC) — strategy for third-party risks; Roles, Responsibilities, and Authorities (GV.RR) — clear accountability at all levels; Policies, Processes, and Procedures (GV.PO) — documented and communicated policies; and Oversight (GV.OV) — ongoing management review of cybersecurity program effectiveness.
A mature GOVERN function is recognizable by regular board-level cybersecurity briefings (not just after incidents), a documented risk tolerance, and cybersecurity objectives integrated into organizational planning and budget cycles.
IDENTIFY (ID) — Understand and Inventory
IDENTIFY forms the foundation for all subsequent security measures. An organization cannot protect what it doesn't know exists. The function covers comprehensive Asset Management (ID.AM) — hardware, software, data, networks, systems, and business processes — as well as risk assessment (ID.RA), threat environment analysis, and vulnerability identification.
Particularly relevant in practice is subcategory ID.AM-7 (Software Bill of Materials), newly added in CSF 2.0. SBOMs enable organizations to quickly assess whether they are affected by newly discovered vulnerabilities in open-source components — a capability that became critically important after Log4Shell (2021) and has only grown more relevant since.
In the assessment context, IDENTIFY is often the largest gap: many organizations lack a complete, up-to-date asset inventory. Shadow IT, cloud resources procured outside the official process, and stale CMDB records are typical problems that surface during assessments.
PROTECT (PR) — Implement Safeguards
PROTECT encompasses the preventive controls that ensure known risks are actively mitigated. Core categories include: Identity Management, Authentication, and Access Control (PR.AA) — the foundation of any zero-trust strategy; Awareness and Training (PR.AT) — educating employees, partners, and privileged users; Data Security (PR.DS) — encryption, data classification, data loss prevention; Platform Security (PR.PS) — hardening of hardware, software, and services; and Technology Infrastructure Resilience (PR.IR) — high availability, redundancy, and capacity management.
Identity Management (PR.AA) is gaining exponential importance with the proliferation of cloud services and remote work. CSF 2.0 emphasizes multi-factor authentication, the principle of least privilege, and continuous authentication as the cornerstones of modern access control.
A common finding in assessments: PROTECT measures are implemented but not consistently applied across all assets. Patching processes have exceptions, MFA rollouts stall at the executive level, and hardening of legacy systems is perpetually deferred.
DETECT (DE) — Identify Anomalies and Events
DETECT focuses on the ability to identify anomalies, attacks, and compromises in a timely manner. The two core categories are: Continuous Monitoring (DE.CM) — ongoing surveillance of networks, systems, identities, application activity, external threats, and supply chain activity; and Adverse Event Analysis (DE.AE) — systematic analysis of detected events, correlation of indicators of compromise (IoCs), and assessment of potential impact.
Mean Time to Detect (MTTD) is one of the most critical metrics in cybersecurity. According to the IBM Cost of a Data Breach Report 2024, the average time to identify a breach still exceeds 194 days. Organizations with mature DETECT capabilities — SIEM, EDR, UEBA — identify attacks within hours or days, a decisive factor in limiting damage scope.
In assessments, DETECT is often rated as adequate simply because a SIEM is in place. The quality of detection rules, the coverage of monitoring, and — most importantly — the actual response capacity for alerts are examined too rarely.
RESPOND (RS) — Take Action on Incidents
RESPOND defines the ability to take structured and effective action when a cybersecurity incident is detected. Categories include: Incident Management (RS.MA) — triage, escalation, and activation of response processes; Incident Analysis (RS.AN) — forensic analysis, root cause identification, and impact assessment; Incident Response Reporting and Communication (RS.CO) — internal and external communication including regulatory notification obligations; and Incident Mitigation (RS.MI) — containment of damage and remediation of root causes.
NIS2 mandatory reporting requirements make a mature RESPOND process a regulatory necessity. NIS2 requires significant entities to notify the competent authority of significant incidents within 24 hours (early warning), followed by a detailed report within 72 hours. Without documented response processes and clear accountabilities, this requirement is simply not fulfillable in practice.
Tabletop exercises and incident response simulations are a strong indicator of RESPOND maturity. An organization that has not conducted incident response training in more than two years typically has significantly worse actual response capability than its incident response plan suggests.
RECOVER (RC) — Restore Capabilities
RECOVER describes the ability to restore normal operations after a cybersecurity incident and to improve from the experience. Categories include: Incident Recovery Plan Execution (RC.RP) — execution and continuous improvement of recovery plans; and Incident Recovery Communication (RC.CO) — communication with internal and external stakeholders during the recovery phase.
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are the central metrics of the RECOVER function. They must be defined for critical systems and business processes, tested regularly, and validated against the actual backup and redundancy infrastructure. An RTO of 4 hours is worthless if the last restore test was 18 months ago.
RECOVER closes the loop by explicitly addressing the improvement cycle: after every incident, lessons learned should be systematically documented and fed back into improvements across IDENTIFY, PROTECT, DETECT, and RESPOND.
The 4 Implementation Tiers
The NIST CSF Implementation Tiers describe the degree to which an organization has integrated cybersecurity risk management into its processes and culture. Importantly, the tiers are not compliance levels and are not direct measures of security posture. They describe how systematically and strategically an organization approaches cybersecurity.
The tiers serve two purposes: first, understanding the current state (Current Profile); second, defining realistic improvement targets (Target Profile). Not every organization needs to reach Tier 4 (Adaptive) — for many mid-sized companies, Tier 3 (Repeatable) is an appropriate and achievable goal.
| Tier | Designation | Characteristics |
|---|---|---|
| Tier 1 | Partial | No formal risk management; reactive measures; no organization-wide awareness of cybersecurity risks; no integration into business strategy. |
| Tier 2 | Risk Informed | Risk management practices exist but are not formalized; management-level awareness but inconsistent implementation; informal coordination with suppliers. |
| Tier 3 | Repeatable | Formalized, documented risk management processes; regular review and adjustment; cybersecurity as part of organizational policy; structured supplier management. |
| Tier 4 | Adaptive | Continuous adaptation based on current threat intelligence; proactive threat analysis; cybersecurity fully integrated into business strategy; insights shared with industry partners. |
Conducting a CSF 2.0 Assessment
A NIST CSF 2.0 assessment follows a structured methodology built around the concepts of Current Profile, Target Profile, and gap analysis. The process is iterative — the first assessment establishes the baseline, and each subsequent assessment measures progress.
In practice, plan for four to six weeks for a first comprehensive CSF 2.0 assessment of a mid-sized organization (500–2,000 employees, 3–5 critical IT systems). The greatest time investment is not in gathering the status quo, but in discussing and aligning ratings between IT, management, and business units.
- 1Define the scope: Determine which organizational units, systems, and business processes are included in the assessment. An overly broad scope increases complexity and reduces depth — start with critical systems and expand iteratively.
- 2Create the Current Profile: Assess each of the 106 subcategories against the current implementation level using a scale (e.g., 0 = not present, 1 = partial, 2 = implemented, 3 = measured/optimized). Use interviews, document reviews, and technical tests as evidence sources.
- 3Define the Target Profile: Together with management, define what target state you want to reach for which subcategories and in what timeframe. The Target Profile must be aligned with risk tolerance, budget, and regulatory requirements.
- 4Conduct the gap analysis: Systematically compare Current and Target Profiles. For each gap, identify the potential risk impact (high/medium/low) and the approximate effort required to close it.
- 5Prioritize actions: Use an impact-vs-effort matrix to separate the most important quick wins (high impact, low effort) from strategic long-term investments. Not all gaps need to be closed immediately.
- 6Create the Action Plan: Translate prioritized measures into concrete projects with owners, budgets, milestones, and success metrics. The Action Plan is the primary deliverable for management.
- 7Communicate and report: Present results to both technical and non-technical stakeholders. The executive summary should communicate risks in business language, not technical detail.
- 8Measure progress and reassess: Conduct semi-annual or annual follow-up assessments to measure progress and update the Current Profile. CSF is a continuous improvement cycle, not a one-time project.
NIST CSF 2.0 and Regulatory Compliance
For European organizations, the central question is how NIST CSF 2.0 relates to EU regulations NIS2, GDPR, ISO 27001, and DORA. The good news: CSF 2.0 is complementary to all of these frameworks and can serve as an overarching structure to consolidate compliance activities rather than running them redundantly.
The NIS2 Directive (EU 2022/2555), which member states are transposing into national law, defines minimum security requirements for essential and important entities. The NIS2 security requirements (Article 21) map almost entirely to CSF 2.0 categories. Organizations that conduct a CSF 2.0 assessment and achieve Tier 3 will cover the majority of NIS2 requirements — complete congruence is not guaranteed, but the overlap is substantial.
The Digital Operational Resilience Act (DORA), applicable to financial entities and their ICT providers in the EU since January 2025, places particular emphasis on ICT risk management, incident reporting, and supply chain resilience — all areas that CSF 2.0 directly addresses through GOVERN, IDENTIFY, RESPOND, and RECOVER.
| Regulation | CSF Function | Coverage |
|---|---|---|
| NIS2 — Risk Management (Art. 21) | GOVERN, IDENTIFY | Very high — GV.RM and ID.RA directly address NIS2 risk management requirements |
| NIS2 — Incident Reporting (Art. 23) | DETECT, RESPOND | High — DE.AE and RS.CO structure detection and reporting processes |
| NIS2 — Supply Chain Security (Art. 21) | GOVERN (GV.SC) | Very high — GV.SC is the dedicated supply chain category in CSF 2.0 |
| DORA — ICT Risk Management | IDENTIFY, PROTECT | High — ID.AM and PR.AA/PR.DS address DORA ICT risk requirements |
| DORA — Operational Resilience | RESPOND, RECOVER | High — RS.MA and RC.RP address DORA business continuity requirements |
| ISO 27001:2022 | All 6 Functions | Very high — official NIST mapping available; CSF 2.0 is broadly compatible with Annex A controls |
| GDPR — Technical Measures (Art. 32) | PROTECT, DETECT | Medium — PR.DS (data security) covers Art. 32; specific data protection requirements need supplementary measures |
Common Weaknesses Found in Assessments
In practice, CSF 2.0 assessments across industries and company sizes reveal a consistent pattern of recurring weaknesses. Knowing these common findings enables you to focus your assessment on these areas and allocate resources efficiently.
- 1Incomplete asset inventory (ID.AM): Most organizations significantly underestimate the number of their IT assets. Shadow IT, cloud resources procured outside the official process, and stale CMDB entries mean that a substantial portion of the IT infrastructure goes unaccounted for in the assessment.
- 2Undocumented risk tolerance (GV.RM): Many organizations lack an explicitly documented cybersecurity risk tolerance. Without this strategic foundation, security investment decisions are made reactively rather than strategically — every security measure is justified ad hoc rather than by reference to defined priorities.
- 3MFA exceptions on privileged accounts (PR.AA): Multi-factor authentication is often deployed but rarely comprehensive. Privileged accounts (administrators, service accounts), legacy systems, and exceptions granted to "important" users are typical weak points.
- 4Untested backup and recovery processes (RC.RP): Backups exist, but restore tests are conducted infrequently or not at all. Organizations discover backup deficiencies when they need them most — an unacceptable risk that is easily remedied with minimal effort.
- 5Inadequate supplier risk assessment (GV.SC): Third-party risk management is rudimentary in many organizations. Security requirements in contracts are non-specific, supplier assessments are not conducted regularly, and critical single-vendor IT dependencies are not documented as risks.
- 6Alert fatigue in security monitoring (DE.AE): SIEM systems generate floods of alerts, the majority of which go unaddressed. Without tuning, prioritization, and sufficient analyst capacity, even a technically capable SIEM is ineffective in practice.
- 7No incident response exercises (RS.MA): Incident response plans exist on paper but are rarely rehearsed. Without tabletop exercises and realistic simulations, responders do not know which steps to take when under pressure.
- 8No security integration in the SDLC (PR.PS): Security requirements in software development are frequently treated as a downstream afterthought. Security by design, static application security testing (SAST), and dependency scanning are often insufficiently or inconsistently implemented.
Quick Start: 5 Steps to Your First CSF 2.0 Assessment
If you haven't conducted a structured cybersecurity assessment yet, or are looking for a methodology for a fast initial screening, this quick-start approach provides a practical foundation. It can be completed in two to four weeks with a small team and delivers enough insight to define prioritized first actions.
- 1Identify and engage stakeholders: Include IT leadership, CISO (if available), data protection officer, representatives from critical business units, and ideally the executive team. Cybersecurity is not purely an IT topic — without management commitment, the assessment produces a report that sits in a drawer.
- 2Define a focused scope: Start with your 5–10 most critical IT systems and business processes (those whose failure would cause the greatest harm). A comprehensive assessment comes later — a focused quick assessment completed in 2 weeks is more valuable than a comprehensive one that never gets finished.
- 3Run a self-assessment using the CSF 2.0 Quick Start Guide: Use the official NIST CSF 2.0 Quick Start Guide or one of the available shortform assessment tools. Rate each core function on three levels: Not present (0), Partially implemented (1), Fully implemented (2). This first pass typically takes half a day.
- 4Identify the top 3 gaps per function: Analyze the results and identify the three most critical gaps in each of the six functions. Rate each gap by risk impact (what damage can this gap enable?) and effort to remediate.
- 5Define immediate actions and a 90-day plan: Identify immediately actionable quick wins (typically: MFA on all privileged accounts, initiate asset inventory, perform backup restore test, update incident response contact list) and a 90-day plan for the most important medium-term measures. Present both to executive leadership with risk descriptions in business language.
Key Takeaways
- NIST CSF 2.0 (February 2024) is the international standard for structured cybersecurity assessments and now explicitly applies to all organization types and sizes — no longer just critical infrastructure.
- The new GOVERN function is the central addition: it anchors cybersecurity as a strategic management responsibility with clear roles, documented risk tolerance, and board-level involvement.
- The 4 Implementation Tiers describe the maturity of risk management, not the security posture. Tier 3 (Repeatable) is a realistic and appropriate target for most mid-market organizations.
- A CSF 2.0 assessment in 5 steps — scope, current profile, target profile, gap analysis, action plan — delivers a clear roadmap. Typical timeline for a mid-sized company: 4–6 weeks.
- NIST CSF 2.0 has strong overlaps with NIS2, DORA, and ISO 27001. Organizations can use CSF as an overarching structure to consolidate compliance efforts rather than addressing each regulation separately.
Related Assessment Templates
Continue Reading
Germany's NIS2 Act: The Board-Level Action Plan
Read articleCyber Resilience Act: The 24-Hour Reporting Duty From September 2026 — an SDLC Roadmap
Read articleNIS2 Compliance for IT Teams — Practical Governance Guide 2026
Read articleDORA vs. NIS2 — Which EU Resilience Rule Applies to You?
Read articleFrequently Asked Questions
Costs vary significantly by scope and organization size. A self-assessment using internal resources (time + NIST documentation) is free. An external consultant for a comprehensive assessment of a mid-sized organization (500–2,000 employees) typically costs between €15,000 and €50,000, depending on the depth of technical testing, number of sites, and IT landscape complexity. For an initial quick check (2–3 consultant days), budget €5,000–€10,000.
A focused quick assessment covering your most critical systems can be completed in 2–3 weeks. A comprehensive, in-depth assessment including technical tests (penetration testing, vulnerability scanning), interviews with all relevant stakeholders, and thorough document review typically takes 6–12 weeks for a mid-sized organization. Add time for report creation and presentation to stakeholders.
No — NIST CSF is not a certification framework. There is no official NIST certification for using the CSF. Organizations seeking an externally verifiable certification should consider ISO/IEC 27001, which is issued by accredited certification bodies. NIST CSF and ISO 27001 are well-aligned — a CSF assessment can serve as preparation for an ISO 27001 certification effort.
A mature CSF 2.0 assessment at Tier 3 covers the majority of NIS2 Article 21 requirements. However, specific NIS2 obligations (e.g., concrete notification timelines to the competent national authority, specific training obligations for management bodies) go beyond what CSF covers. The recommended approach is a combined strategy: CSF 2.0 as the methodological foundation, supplemented by a dedicated NIS2 gap assessment for the EU-specific requirements.
No. CSF 2.0 is explicitly not intended as a complete checklist where every subcategory must be fulfilled. Instead, you should define a prioritized Target Profile based on your risk assessment, industry context, and available resources. For smaller organizations or initial assessments, NIST explicitly recommends starting with a reduced scope and expanding iteratively.