Cyber Risk Guy

NIST Cybersecurity Framework 2.0: Your Complete Guide to All 106 Controls

Master the NIST CSF 2.0 with this comprehensive guide covering all 6 functions, 22 categories, and 106 subcategories. Perfect for cybersecurity professionals starting their journey with this essential framework.

Author: David McDonald
Published: August 6, 2025
Updated: August 6, 2025
Category: Frameworks and Standards

TL;DR

The NIST Cybersecurity Framework (CSF) 2.0 is your roadmap to cybersecurity success. Released in February 2024, it’s evolved from 5 to 6 core functions, adding “Govern” to emphasize leadership’s role. With 22 categories and 106 subcategories (controls), it covers everything from asset management to incident recovery. Think of it as a comprehensive checklist that helps organizations of any size build, maintain, and improve their cybersecurity posture. This guide breaks down every control into plain English, so you’ll understand not just what to do, but why it matters.


Welcome to Your NIST CSF 2.0 Masterclass

Hello, future cybersecurity champion! Today we’re diving deep into the NIST Cybersecurity Framework 2.0 – and I mean really deep. By the end of this guide, you’ll understand all 106 controls that make up this framework, why they exist, and how to implement them in the real world.

Think of me as your cybersecurity professor, and this as your comprehensive textbook. We’ll break down complex concepts into digestible pieces, translate technical jargon into plain English, and give you the confidence to implement this framework at any organization.

What Is NIST CSF 2.0?

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is like a Swiss Army knife for cybersecurity – it’s versatile, reliable, and works for organizations of all sizes. Version 2.0, released in February 2024, represents a major evolution from version 1.1.

Key Changes in Version 2.0:

  • Added the “Govern” function (bringing total from 5 to 6 functions)
  • Reorganized from 108 to 106 subcategories (more streamlined)
  • Enhanced supply chain focus (doubled supply chain subcategories from 5 to 10)
  • Added Implementation Examples for practical guidance
  • Increased risk focus (1/3 of subcategories now mention “risk”)

The Six Core Functions: Your Cybersecurity Foundation

Think of the CSF as a well-designed house. Each function is like a different system in that house, and they all work together to keep you safe and secure.

[Figure: NIST Cybersecurity Framework 2.0 Functions Wheel]

1. GOVERN (GV) - The Foundation

“The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.”

This is your foundation – the leadership, strategy, and governance that makes everything else possible. Without good governance, you’re building on quicksand.

2. IDENTIFY (ID) - Know What You Have

“The organization’s current cybersecurity risks are understood.”

You can’t protect what you don’t know you have. This function is about creating comprehensive inventories and understanding your risk landscape.

3. PROTECT (PR) - Build Your Defenses

“Safeguards to manage the organization’s cybersecurity risks are used.”

This is where you implement controls to prevent bad things from happening – your firewalls, access controls, training programs, and more.

4. DETECT (DE) - Stay Alert

“Possible cybersecurity attacks and compromises are found and analyzed.”

Even with great protection, attacks happen. This function ensures you can spot them quickly.

5. RESPOND (RS) - Act Fast

“Actions regarding a detected cybersecurity incident are taken.”

When something bad happens, you need to respond quickly and effectively to minimize damage.

6. RECOVER (RC) - Bounce Back

“Assets and operations affected by a cybersecurity incident are restored.”

After an incident, you need to get back to normal operations while learning from what happened.

We’ve covered the six core functions of the NIST CSF 2.0.

The NIST CSF functions work together in a continuous cycle. While you might implement them in sequence initially, mature organizations execute all functions simultaneously, with lessons learned feeding back into governance and risk management decisions.

Now let’s dive into the 22 categories and 106 subcategories that make up the framework.


Deep Dive: All Categories and Controls

Now let’s explore each function in detail, breaking down every category and key subcategories. I’ll give you the official NIST language, then translate it into plain English.

GOVERN Function (GV)

Think of this as your cybersecurity boardroom – where strategy meets execution.

  • Categories: 6
  • Subcategories: 37
  • Type: Management Controls
  • Responsible Role: Executive Management

GV.OC: Organizational Context (5 subcategories)

Understanding your organization’s unique situation

Subcategories

GV.OC-01: Organizational mission is understood and informs cybersecurity risk management

  • NIST Description: The organizational mission is understood and informs cybersecurity risk management
  • Plain English: You can’t protect what matters if you don’t know what your organization is trying to achieve. This control ensures cybersecurity efforts align with business goals.

GV.OC-02: Internal and external stakeholders are understood and considered

  • NIST Description: Internal and external stakeholders are understood, and their expectations regarding cybersecurity risk management are determined and considered
  • Plain English: Know who cares about your cybersecurity (employees, customers, regulators, partners) and what they expect from you.

GV.OC-03: Legal, regulatory, and contractual requirements are understood and managed

  • NIST Description: Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
  • Plain English: Understand all the laws, regulations, and contracts that require you to do certain cybersecurity things – then make sure you do them.

GV.OC-04: Critical objectives and capabilities that stakeholders expect are determined

  • NIST Description: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are determined and communicated
  • Plain English: Identify and communicate what your organization absolutely must do to meet stakeholder expectations.

GV.OC-05: Outcomes, capabilities, and services that the organization depends on are determined

  • NIST Description: Outcomes, capabilities, and services that the organization depends on are determined and communicated
  • Plain English: Know and communicate what your organization depends on to function – internal capabilities and external services.

GV.RM: Risk Management Strategy (7 subcategories)

Your approach to handling cybersecurity risk

Subcategories

GV.RM-01: Risk management objectives are established

  • NIST Description: Risk management objectives are established and agreed to by organizational stakeholders
  • Plain English: Get everyone on the same page about what you’re trying to achieve with risk management.

GV.RM-02: Risk appetite and risk tolerance are established

  • NIST Description: Risk appetite and risk tolerance statements are established, communicated, and maintained
  • Plain English: Decide how much risk your organization is willing to take and communicate that clearly. Risk appetite is how much risk you are willing to accept in pursuit of your goals; risk tolerance is how far actual risk can deviate from that appetite before you have to act.

GV.RM-03: Risk management activities are integrated with enterprise risk management

  • NIST Description: Risk management activities and outcomes are included in enterprise risk management processes
  • Plain English: Don’t manage cybersecurity risk in a vacuum – integrate it with all other business risks.

GV.RM-04: Strategic direction that describes appropriate risk response is established

  • NIST Description: Strategic direction that describes appropriate risk response is established and communicated
  • Plain English: Create clear guidance about how your organization should respond to different types of risks.

GV.RM-05: Lines of communication across the organization are established

  • NIST Description: Lines of communication across the organization are established for cybersecurity risks, including mechanisms for sharing information
  • Plain English: Set up clear communication channels so cybersecurity risk information flows properly throughout the organization.

GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established

  • NIST Description: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
  • Plain English: Have a consistent way to measure, record, and rank cybersecurity risks so you can make good decisions about them.

GV.RM-07: Strategic opportunities to improve the cybersecurity posture are prioritized

  • NIST Description: Strategic opportunities (e.g., software security, hardware security, research and development) to improve the cybersecurity posture of the organization are evaluated and prioritized
  • Plain English: Actively look for ways to improve your cybersecurity and prioritize the most valuable opportunities.

GV.SC: Cybersecurity Supply Chain Risk Management (10 subcategories)

Managing risks from your vendors and supply chain

This is the largest category in the entire framework, reflecting how important supply chain security has become.

Subcategories

GV.SC-01: Cybersecurity supply chain risk management program is established

  • NIST Description: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
  • Plain English: Create a formal program to manage the cybersecurity risks that come from your suppliers and partners.

GV.SC-02: Cybersecurity risk management requirements are integrated into supplier agreements

  • NIST Description: Cybersecurity risk management requirements are integrated into supplier agreements
  • Plain English: Include cybersecurity requirements in all your contracts with suppliers and make them legally binding.

GV.SC-03: Software, hardware, and services are managed within the supply chain

  • NIST Description: Software, hardware, and services within the supply chain are identified and managed consistent with the organization’s cybersecurity risk strategy
  • Plain English: Keep track of all the software, hardware, and services in your supply chain and manage them according to your cybersecurity risk strategy.

GV.SC-04: Due diligence is performed on suppliers and third-party partners

  • NIST Description: Due diligence is performed on suppliers and third-party partners to understand their cybersecurity practices and risk posture
  • Plain English: Research and evaluate your suppliers’ cybersecurity practices before and during your relationship with them.

GV.SC-05: Response plans that address cybersecurity risks in supply chains are developed

  • NIST Description: Response plans that address cybersecurity risks in supply chains are developed, maintained, and implemented
  • Plain English: Have plans ready for when supply chain cybersecurity incidents happen, and practice using those plans.

GV.SC-06: Planning and due diligence are performed before entering supplier relationships

  • NIST Description: Planning and due diligence are performed to reduce risks before entering into formal supplier relationships
  • Plain English: Do your homework before you start working with new suppliers – understand their security practices before you sign contracts.

GV.SC-07: The risks posed by suppliers and third-party partners are understood

  • NIST Description: The risks posed by suppliers and third-party partners are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
  • Plain English: Continuously monitor and manage the cybersecurity risks from your suppliers throughout your entire business relationship.

GV.SC-08: Relevant suppliers and third-party partners are included in incident planning and response activities

  • NIST Description: Relevant suppliers and third-party partners are included in incident planning and response activities
  • Plain English: Include your key suppliers in your incident response planning and make sure they know what to do when incidents happen.

GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs

  • NIST Description: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
  • Plain English: Make supply chain security part of your overall risk management approach and monitor it throughout the entire lifecycle of products and services.

GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities during and after an incident

  • NIST Description: Cybersecurity supply chain risk management plans include provisions for activities that occur during and after an incident
  • Plain English: Your supply chain risk management plans should cover what happens during and after cybersecurity incidents involving your suppliers.

GV.RR: Roles, Responsibilities, and Authorities (4 subcategories)

Who does what in cybersecurity

Subcategories

GV.RR-01: Organizational leadership takes responsibility for cybersecurity risk management

  • NIST Description: Organizational leadership takes responsibility for cybersecurity risk management and establishes accountability
  • Plain English: Leadership must own cybersecurity – it’s not just an IT problem, it’s a business problem that requires executive attention.

GV.RR-02: Roles and responsibilities for cybersecurity risk management are established

  • NIST Description: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
  • Plain English: Everyone should know what they’re responsible for when it comes to cybersecurity. No confusion, no finger-pointing.

GV.RR-03: Adequate human and financial resources are allocated

  • NIST Description: Adequate human and financial resources are allocated for cybersecurity risk management
  • Plain English: Make sure you have enough people and budget to actually do cybersecurity properly – don’t shortchange your security program.

GV.RR-04: Cybersecurity is included in human resources practices

  • NIST Description: Cybersecurity is included in human resources practices (e.g., in personnel screening for internal threats, personnel termination procedures, personnel transfer procedures)
  • Plain English: Build cybersecurity considerations into your hiring, firing, and employee transfer processes to manage insider threats.

GV.PO: Policies, Processes, and Procedures (7 subcategories)

The rules and processes that guide cybersecurity

Subcategories

GV.PO-01: Policy for managing cybersecurity risks is established

  • NIST Description: Policy for managing cybersecurity risks is established based on organizational context and is communicated
  • Plain English: Create clear policies that tell people how to handle cybersecurity risks, then make sure everyone knows about them.

GV.PO-02: Policy is implemented through processes and procedures

  • NIST Description: Policy is implemented through processes and procedures that address purpose, scope, roles, responsibilities, management commitment, and coordination
  • Plain English: Turn your policies into specific processes and procedures that people can actually follow in their day-to-day work.

GV.PO-03: Processes are established to address cybersecurity roles and responsibilities

  • NIST Description: Processes are established to address cybersecurity roles and responsibilities in third-party risk management
  • Plain English: Create specific processes for managing cybersecurity roles and responsibilities when working with third parties.

GV.PO-04: Critical cybersecurity processes are tested

  • NIST Description: Critical cybersecurity processes are established with appropriate dependencies and tested on a regular schedule
  • Plain English: Identify your most important cybersecurity processes and test them regularly to make sure they work when needed.

GV.PO-05: Processes are in place for disposing of or retiring assets

  • NIST Description: Processes are in place for disposing of or retiring assets (data, hardware, software, systems) and for related cybersecurity roles and responsibilities
  • Plain English: Have clear processes for safely getting rid of old data, equipment, and systems without creating security risks.

GV.PO-06: Cybersecurity metrics are used to evaluate performance and effectiveness

  • NIST Description: Cybersecurity metrics are used to evaluate performance and effectiveness and to drive improvement of the cybersecurity program
  • Plain English: Measure your cybersecurity program’s performance and use those measurements to make it better over time.

GV.PO-07: Lessons learned are integrated into cybersecurity processes

  • NIST Description: Lessons learned are integrated into cybersecurity processes across the organization
  • Plain English: When you learn something from incidents or assessments, make sure those lessons get built into your ongoing cybersecurity processes.

GV.OV: Oversight (4 subcategories)

Making sure your cybersecurity program is working

Subcategories

GV.OV-01: Cybersecurity risk management program outcomes are reviewed

  • NIST Description: Cybersecurity risk management program outcomes are reviewed to inform and adjust strategy and direction
  • Plain English: Regularly check if your cybersecurity program is working and adjust your strategy based on what you learn.

GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted

  • NIST Description: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
  • Plain English: Regularly review and update your cybersecurity strategy to make sure it still covers all your organizational needs and risks.

GV.OV-03: Organizational cybersecurity posture is monitored and communicated

  • NIST Description: Organizational cybersecurity posture is monitored and communicated to appropriate organizational stakeholders
  • Plain English: Keep track of your overall cybersecurity health and regularly communicate it to the people who need to know.

GV.OV-04: Cybersecurity risk management strategy outcomes inform business decisions

  • NIST Description: Cybersecurity risk management strategy outcomes inform business decisions and the development of organizational objectives
  • Plain English: Use what you learn from your cybersecurity program to make better business decisions and set organizational goals.

IDENTIFY Function (ID)

You can’t protect what you don’t know you have

  • Categories: 4
  • Subcategories: 22
  • Type: Assessment Controls
  • Responsible Role: Risk Management Team

ID.AM: Asset Management (7 subcategories)

Keeping track of all your stuff

Subcategories

ID.AM-01: Inventories of hardware are maintained

  • NIST Description: Inventories of hardware managed by the organization are maintained
  • Plain English: Keep a list of all your computers, servers, phones, and other devices. You can’t protect what you don’t know exists.

ID.AM-02: Inventories of software, services, and systems are maintained

  • NIST Description: Inventories of software, services, and systems managed by the organization are maintained
  • Plain English: Keep a list of all software applications and online services you use. This includes everything from Microsoft Office to cloud services.

ID.AM-03: Network architecture and data flows are represented

  • NIST Description: Representations of the organization’s authorized network architecture and data flows are maintained
  • Plain English: Draw maps of your network showing how systems connect and how data moves around. This helps you spot unusual activity.

ID.AM-04: External systems are catalogued

  • NIST Description: External systems that can impact the organization are catalogued
  • Plain English: Keep track of external systems and services that could affect your organization if they fail or are compromised.

ID.AM-05: Resources are prioritized based on classification and business functions

  • NIST Description: Resources (e.g., hardware, devices, data, time, personnel, software, functions, applications, services) are prioritized based on their classification, criticality, business functions, and value
  • Plain English: Rank your assets by importance to your business so you know what to protect first and invest the most resources in.

ID.AM-06: Roles and responsibilities for asset management are established

  • NIST Description: Roles and responsibilities for asset management are established, communicated, and coordinated internally and with external stakeholders
  • Plain English: Make sure everyone knows who’s responsible for managing and protecting different types of assets.

ID.AM-07: Inventories of assets are updated

  • NIST Description: Inventories of data, personnel, assets, technology, and facilities are updated based on organizational processes
  • Plain English: Keep your asset inventories current by regularly updating them as things change in your organization.

ID.RA: Risk Assessment (10 subcategories)

Understanding what could go wrong

Subcategories

ID.RA-01: Vulnerabilities in assets are identified and recorded

  • NIST Description: Vulnerabilities in assets are identified, validated, and recorded
  • Plain English: Find the security holes in your systems and keep track of them. You can’t fix what you don’t know is broken.

ID.RA-02: Cyber threat intelligence is received from sharing forums and sources

  • NIST Description: Cyber threat intelligence is received from information sharing forums and sources
  • Plain English: Stay informed about new threats and attack methods by participating in threat intelligence sharing.

ID.RA-03: Internal and external threats to the organization are identified

  • NIST Description: Internal and external threats to the organization are identified and recorded
  • Plain English: Identify and document both inside threats (like malicious employees) and outside threats (like hackers) that could target your organization.

ID.RA-04: Potential impacts and likelihoods of threats are identified

  • NIST Description: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
  • Plain English: Figure out what would happen if threats actually exploit your vulnerabilities and how likely that is to occur.

ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand risk

  • NIST Description: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and to inform risk response decisions
  • Plain English: Put together all the threat and vulnerability information to understand your actual risk levels and decide what to do about them.

ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated

  • NIST Description: Risk responses are chosen, prioritized, planned, tracked, and communicated
  • Plain English: Decide how to respond to each risk, prioritize your actions, make plans, track progress, and keep people informed.

ID.RA-07: Changes and exceptions are managed, assessed for risk impact, and communicated

  • NIST Description: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
  • Plain English: When you make changes or grant exceptions to security policies, assess how they affect risk and document everything.

ID.RA-08: Processes for receiving and analyzing vulnerability reports are established

  • NIST Description: Processes for receiving and analyzing reports of vulnerabilities from internal and external sources are established
  • Plain English: Set up ways for people inside and outside your organization to report security vulnerabilities they discover.

ID.RA-09: The accuracy of risk assessment processes and information is verified

  • NIST Description: The accuracy of measurements, metrics, and methodologies for assessing cybersecurity risks is verified
  • Plain English: Regularly check that your risk assessment methods and data are accurate and reliable.

ID.RA-10: Critical suppliers are assessed prior to acquisition

  • NIST Description: Critical suppliers are assessed prior to acquisition of their products and services
  • Plain English: Evaluate the cybersecurity risks of important suppliers before you start using their products or services.
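As an added worked example (not from the original article, and not a method NIST prescribes), here is one way to implement the standardized method for calculating, categorizing and prioritizing risks that GV.RM-06 calls for, checked against a stated risk tolerance (GV.RM-02), using the threat, vulnerability, likelihood and impact inputs the ID.RA subcategories describe. The 5x5 ordinal scales, the category bands, the tolerance value and the sample register entries are all constructed assumptions.

```python
"""Standardized risk scoring for a small cybersecurity risk register.

Constructed example: a 5x5 ordinal likelihood/impact matrix, score bands and a
risk-tolerance threshold. None of these values are mandated by NIST CSF 2.0;
they stand in for whatever method an organization adopts under GV.RM-06.
"""
from dataclasses import dataclass
from typing import List, Optional

# Ordinal rating scales (assumption: 1-5, as in a common 5x5 risk matrix)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Category bands over the 1..25 score range (constructed thresholds)
BANDS = [(1, 4, "Low"), (5, 9, "Moderate"), (10, 15, "High"), (16, 25, "Critical")]

# Risk responses the register recognizes (ID.RA-06)
RESPONSES = {"mitigate", "transfer", "avoid", "accept"}


@dataclass
class Risk:
    """One register entry: the threat, the vulnerability it exploits, the asset at stake."""
    risk_id: str
    threat: str
    vulnerability: str
    asset: str
    likelihood: str
    impact: str
    score: int = 0
    category: str = ""
    exceeds_tolerance: bool = False
    response: Optional[str] = None


def score_risk(likelihood: str, impact: str) -> int:
    """Standardized calculation: ordinal likelihood x ordinal impact (GV.RM-06, ID.RA-04)."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown rating: {likelihood!r}/{impact!r}; use the defined scales")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def categorize(score: int) -> str:
    """Map a score onto its category band so every risk is labelled the same way."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the 1..25 range")


def assess(register: List[Risk], tolerance: int) -> List[Risk]:
    """Score and categorize each entry, flag those above the stated risk tolerance
    (GV.RM-02, ID.RA-05), and return the register ordered highest risk first (ID.RA-06)."""
    for risk in register:
        risk.score = score_risk(risk.likelihood, risk.impact)
        risk.category = categorize(risk.score)
        risk.exceeds_tolerance = risk.score > tolerance
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def record_response(risk: Risk, response: str) -> Risk:
    """Record the chosen response. Accepting a risk above tolerance is refused here;
    in practice that needs a documented exception (ID.RA-07), not a silent 'accept'."""
    if response not in RESPONSES:
        raise ValueError(f"unknown response {response!r}; expected one of {sorted(RESPONSES)}")
    if response == "accept" and risk.exceeds_tolerance:
        raise ValueError(f"{risk.risk_id} is above tolerance and cannot simply be accepted")
    risk.response = response
    return risk


def untreated_above_tolerance(register: List[Risk]) -> List[str]:
    """IDs of risks above tolerance that still have no recorded response."""
    return [r.risk_id for r in register if r.exceeds_tolerance and r.response is None]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries; the threats, vulnerabilities and assets are illustrative only."""
    return [
        Risk("R-001", "Ransomware", "Unpatched remote access gateway", "File servers", "likely", "severe"),
        Risk("R-002", "Insider data misuse", "Excess standing privileges", "Customer database", "possible", "major"),
        Risk("R-003", "Vendor outage", "Single provider, no fallback", "Payroll SaaS", "unlikely", "moderate"),
        Risk("R-004", "Lost or stolen laptop", "Disk not encrypted", "Staff laptops", "likely", "minor"),
    ]


if __name__ == "__main__":
    ranked = assess(build_sample_register(), tolerance=9)  # tolerance is a constructed value
    record_response(ranked[0], "mitigate")
    for r in ranked:
        flag = "ABOVE TOLERANCE" if r.exceeds_tolerance else "within tolerance"
        print(f"{r.risk_id} score={r.score:2d} {r.category:<8} {flag}  response={r.response}")
    print("still untreated:", untreated_above_tolerance(ranked))
```

The point of a fixed method is that two assessors rating the same threat and vulnerability land on the same category and the same priority order; changing the scales or bands later means re-scoring the whole register, not just new entries.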

ID.IM: Improvement (2 subcategories)

Getting better over time

Subcategories

ID.IM-01: Improvements to cybersecurity risk management are identified

  • NIST Description: Improvements to organizational cybersecurity risk management are identified from various sources
  • Plain English: Actively look for ways to improve your cybersecurity program by learning from incidents, audits, and best practices.

ID.IM-02: Improvement opportunities are prioritized

  • NIST Description: Improvement opportunities are prioritized based on cost, effort, and potential impact
  • Plain English: Rank your improvement opportunities based on what will give you the biggest security benefit for the effort and cost involved.

ID.SC: Supply Chain Risk Management (3 subcategories)

Understanding risks from your suppliers

Subcategories

ID.SC-01: Suppliers are known and prioritized by criticality

  • NIST Description: Suppliers are known and prioritized by criticality
  • Plain English: Know who your suppliers are and which ones are most critical to your operations.

ID.SC-02: Supplier cybersecurity practices are assessed

  • NIST Description: Supplier cybersecurity practices and performance are assessed and monitored over the course of the relationship
  • Plain English: Regularly evaluate how well your suppliers are managing cybersecurity risks throughout your business relationship.

ID.SC-03: Contracts with suppliers include cybersecurity requirements

  • NIST Description: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program
  • Plain English: Use contracts to ensure suppliers meet your cybersecurity requirements and help achieve your security goals.

PROTECT Function (PR)

Building your defenses

  • Categories: 5
  • Subcategories: 23
  • Type: Technical Controls
  • Responsible Role: IT Security Team

PR.AA: Identity Management, Authentication and Access Control (6 subcategories)

Making sure the right people have the right access

PR.AA-01: Identities and credentials for authorized individuals, services, and hardware are managed by the organization

  • NIST Description: Identities and credentials for authorized individuals, services, and hardware are managed by the organization
  • Plain English: Keep track of who should have access to what, and manage their usernames, passwords, and other credentials properly.

PR.AA-02: Identities are proofed and bound to credentials based on organizational requirements

  • NIST Description: Identities are proofed and bound to credentials based on organizational requirements
  • Plain English: Verify people are who they say they are before giving them access credentials.

PR.AA-03: Users, services, and hardware are authenticated

  • NIST Description: Users, services, and hardware are authenticated
  • Plain English: Require proof of identity (like passwords or certificates) before allowing access to systems.

PR.AT: Awareness and Training (2 subcategories)

Making sure people know what they need to know

PR.AT-01: Personnel are provided with cybersecurity awareness education

  • NIST Description: Personnel are provided with cybersecurity awareness education
  • Plain English: Train your people on cybersecurity basics so they can recognize and avoid common threats like phishing emails.

PR.AT-02: Individuals in specialized roles are provided with role-based cybersecurity education

  • NIST Description: Individuals in specialized roles are provided with role-based cybersecurity education
  • Plain English: Give extra training to people in roles that require special cybersecurity knowledge (like IT staff or executives).

PR.DS: Data Security (8 subcategories)

Protecting your information

PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected

  • NIST Description: The confidentiality, integrity, and availability of data-at-rest are protected
  • Plain English: Protect data when it’s stored (not moving) using encryption and other security controls.

PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected

  • NIST Description: The confidentiality, integrity, and availability of data-in-transit are protected
  • Plain English: Protect data when it’s moving between systems using encryption and secure communication channels.

PR.PS: Platform Security (6 subcategories)

Securing your technology platforms

PR.PS-01: Configuration management practices are established and applied

  • NIST Description: Configuration management practices are established and applied
  • Plain English: Have standard, secure configurations for your systems and make sure they stay that way.

PR.IR: Technology Infrastructure Resilience (1 subcategory)

Making sure your infrastructure can handle problems

PR.IR-01: Networks and environments are protected from unauthorized logical access

  • NIST Description: Networks and environments are protected from unauthorized logical access
  • Plain English: Use firewalls, network segmentation, and other controls to prevent unauthorized access to your networks.

DETECT Function (DE)

Finding the bad stuff before it finds you

  • Categories: 3
  • Subcategories: 13
  • Type: Monitoring Controls
  • Responsible Role: SOC Team

DE.CM: Continuous Monitoring (8 subcategories)

Always watching for problems

DE.CM-01: Networks and network services are monitored

  • NIST Description: Networks and network services are monitored
  • Plain English: Keep an eye on your network traffic to spot unusual activity that might indicate an attack.

DE.CM-02: The physical environment is monitored

  • NIST Description: The physical environment is monitored
  • Plain English: Use cameras, sensors, and other tools to monitor who enters your facilities and what they do.

DE.CM-03: Personnel activity and technology usage are monitored

  • NIST Description: Personnel activity and technology usage are monitored
  • Plain English: Monitor what people do with your systems to detect insider threats and policy violations.

DE.AE: Anomalies and Events (2 subcategories)

Recognizing when something’s wrong

DE.AE-01: Anomalous activity is detected in accordance with the established baseline

  • NIST Description: Anomalous activity is detected in accordance with the established baseline
  • Plain English: Know what normal looks like so you can spot when things are abnormal.

DE.AE-02: Potentially adverse events are analyzed to better understand associated activities

  • NIST Description: Potentially adverse events are analyzed to better understand associated activities
  • Plain English: When something looks suspicious, investigate it to determine if it’s actually a threat.

DE.DP: Detection Processes and Procedures (3 subcategories)

Having good processes for detection

DE.DP-01: Detection activities comply with all applicable requirements

  • NIST Description: Detection activities comply with all applicable requirements
  • Plain English: Make sure your monitoring and detection activities follow all relevant laws and regulations.

RESPOND Function (RS)

When bad things happen, respond quickly and effectively

  • Categories: 2
  • Subcategories: 9
  • Type: Incident Controls
  • Responsible Role: Incident Response Team

RS.MA: Incident Management (5 subcategories)

Managing the response when incidents occur

RS.MA-01: The incident response plan is executed in coordination with relevant third parties

  • NIST Requirement: The incident response plan is executed in coordination with relevant third parties
  • Plain English: When an incident happens, follow your response plan and coordinate with law enforcement, vendors, and other relevant parties.

RS.MA-02: Incident reports are triaged and validated

  • NIST Requirement: Incident reports are triaged and validated
  • Plain English: When someone reports a potential incident, quickly evaluate it to determine how serious it is and whether it’s real.

RS.AN: Incident Analysis (4 subcategories)

Understanding what happened and why

RS.AN-01: Incidents are investigated to understand attack targets and methods

  • NIST Requirement: Incidents are investigated to understand attack targets and methods
  • Plain English: When an incident happens, investigate it thoroughly to understand what the attacker was trying to do and how they did it.

RECOVER Function (RC)

Getting back to normal after an incident

  • Categories: 2
  • Subcategories: 12
  • Type: Recovery Controls
  • Responsible Role: Business Continuity Team

RC.RP: Recovery Planning (6 subcategories)

Planning for recovery before you need it

RC.RP-01: The recovery portion of the incident response plan is executed

  • NIST Requirement: The recovery portion of the incident response plan is executed
  • Plain English: Follow your recovery plan to get systems and operations back to normal after an incident.

RC.IM: Recovery Implementation (6 subcategories)

Actually doing the recovery work

RC.IM-01: Recovery activities are performed in coordination with third parties

  • NIST Requirement: Recovery activities are performed in coordination with third parties
  • Plain English: Work with vendors, partners, and other third parties to recover from incidents effectively.

Putting It All Together: Implementation Guidance

Start Small, Think Big

Implementing all 106 subcategories at once would be overwhelming. Instead:

  1. Begin with Govern - Get leadership buy-in and establish governance
  2. Focus on Identify - You can’t protect what you don’t know you have
  3. Build Protect - Implement basic protections
  4. Add Detect - Start monitoring for threats
  5. Plan Respond & Recover - Prepare for when things go wrong

Understanding CSF Implementation Tiers

The CSF defines four implementation tiers that characterize the rigor of an organization’s cybersecurity risk governance and management practices. These aren’t maturity levels you must progress through - they’re different approaches to managing cybersecurity risk:

Tier 1: Partial

  • Governance: Ad hoc cybersecurity risk strategy management
  • Management: Limited organizational awareness; irregular, case-by-case implementation
  • Best for: Small organizations just starting their cybersecurity journey

Tier 2: Risk Informed

  • Governance: Management-approved practices, but not organization-wide policy
  • Management: Organizational awareness exists but no consistent approach
  • Best for: Organizations beginning to formalize cybersecurity processes

Tier 3: Repeatable

  • Governance: Formally approved risk management practices expressed as policy
  • Management: Organization-wide approach with routine information sharing
  • Best for: Organizations with established cybersecurity programs

Tier 4: Adaptive

  • Governance: Risk-informed approach integrated into organizational culture
  • Management: Real-time adaptation based on continuous improvement
  • Best for: Mature organizations in high-risk environments

Key Point: Higher tiers aren’t automatically better. Choose the tier that matches your organization’s risk profile, resources, and business needs.

Understanding CSF Organizational Profiles

CSF Organizational Profiles are your organization’s cybersecurity roadmap. They describe your current and/or target cybersecurity posture in terms of the CSF Core’s outcomes.

Profile Types

Current Profile: Shows what outcomes you’re currently achieving and how well you’re achieving them. Think of this as your “cybersecurity snapshot.”

Target Profile: Shows the desired outcomes you’ve selected and prioritized for your cybersecurity risk management objectives. This is your “cybersecurity destination.”

Community Profile: A baseline created for specific sectors, technologies, or threat types. You can use these as starting points for your own Target Profile.

5-Step Profile Process

  1. Scope the Profile: Define what you’re profiling (entire organization? specific systems? particular threats?)
  2. Gather Information: Collect policies, risk priorities, requirements, and current practices
  3. Create the Profile: Document your current and target states using CSF outcomes
  4. Analyze Gaps: Compare current vs. target and create a prioritized action plan
  5. Implement and Update: Execute your plan and keep your profile current
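
Step 4 is where a profile turns into an action plan. As an added example (not code from the article or from NIST), the snippet below models a Current and Target Profile as maps from CSF subcategory ID to an assumed 0-4 achievement level, lists every outcome where the target exceeds the current state, orders the gaps by business priority, and totals them per function for stakeholder reporting. The subcategory IDs come from this article; the levels and priorities are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample profiles: subcategory IDs are from the article, the 0-4
# achievement levels are an assumed scale (NIST prescribes no particular scale).
CURRENT_PROFILE = {
    "DE.CM-01": 2, "DE.CM-02": 3, "DE.AE-01": 1, "RS.MA-01": 2,
    "RS.MA-02": 1, "RC.RP-01": 1, "RC.IM-01": 3,
}
TARGET_PROFILE = {
    "DE.CM-01": 4, "DE.CM-02": 3, "DE.AE-01": 3, "RS.MA-01": 3,
    "RS.MA-02": 3, "RC.RP-01": 3, "RC.IM-01": 3,
}
# Business priority per outcome (1 = highest), set from risk appetite; assumed values.
PRIORITY = {"DE.CM-01": 1, "DE.AE-01": 1, "RS.MA-02": 2, "RC.RP-01": 2, "RS.MA-01": 3}

@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str  # CSF function prefix, e.g. "DE"
    current: int
    target: int
    priority: int

    @property
    def size(self) -> int:
        return self.target - self.current

def analyze_gaps(current, target, priority, default_priority=3):
    """Step 4 of the profile process: list outcomes where target > current,
    ordered by business priority, then by gap size, then by ID."""
    missing = set(target) - set(current)
    if missing:  # a Target outcome that was never assessed in the Current Profile
        raise ValueError(f"Current Profile lacks outcomes: {sorted(missing)}")
    gaps = [
        Gap(sc, sc.split(".")[0], current[sc], lvl, priority.get(sc, default_priority))
        for sc, lvl in target.items()
        if lvl > current[sc]
    ]
    return sorted(gaps, key=lambda g: (g.priority, -g.size, g.subcategory))

def summarize_by_function(gaps):
    """Total gap points per CSF function, for reporting in CSF language."""
    totals = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.size
    return totals
```

Calling `analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)` returns the prioritized plan; `summarize_by_function` on that plan gives the per-function totals (DE, RS, RC) you would put in front of leadership.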

Profile Uses Beyond Self-Assessment

  • External Communication: Share your cybersecurity posture with partners and customers
  • Supplier Requirements: Set cybersecurity expectations for vendors and third parties
  • Risk Management Integration: Connect cybersecurity to broader enterprise risk management

Key NIST CSF 2.0 Principles

It’s Outcomes-Focused, Not Prescriptive

NIST CSF describes what you should achieve, not how to achieve it. This gives you flexibility to choose the tools, controls, and processes that work best for your organization.

Risk-Based Approach

Everything in the CSF should be driven by your organization’s risk appetite, risk tolerance, and business objectives. Not every organization needs every control at the highest level.

Integration with Enterprise Risk Management

Cybersecurity risk should be managed alongside other business risks (financial, operational, reputational). The CSF supports this integrated approach.

Continuous Improvement

The CSF is designed for ongoing use, not one-time implementation. Regular assessment and adjustment are built into the framework’s philosophy.

Stakeholder Communication

The framework provides a common language for discussing cybersecurity across all organizational levels - from practitioners to executives to board members.


CSF Integration with Other Standards

The CSF is designed to work with other frameworks, not replace them:

  • NIST Risk Management Framework (RMF): Use CSF for strategic planning and RMF for detailed control implementation
  • ISO 27001: CSF provides the “what,” ISO 27001 provides the detailed “how”
  • SOC 2: Map CSF outcomes to SOC 2 trust principles for compliance alignment
  • Industry Standards: Sector-specific requirements (PCI DSS, HIPAA, etc.) can be mapped to CSF outcomes

Pro Tip: The CSF’s online Informative References show exactly how it maps to hundreds of other standards and frameworks.


Your Next Steps

Getting Started (Weeks 1-4)

  1. Download the official NIST CSF 2.0 from nist.gov/cyberframework
  2. Review Community Profiles for your industry or use case
  3. Assess your current tier - honestly evaluate your current risk management approach
  4. Identify your target tier based on your risk profile and resources

Building Your Program (Months 2-6)

  1. Create your Current Profile - document where you are today across the six functions
  2. Define your Target Profile - set realistic goals based on business needs
  3. Develop an implementation roadmap - prioritize gaps and create timelines
  4. Start with GOVERN - establish leadership support and governance processes

Ongoing Management (Continuous)

  1. Implement systematically - work through functions based on your priorities
  2. Measure and communicate progress - use CSF language to report to stakeholders
  3. Review and update regularly - the CSF is a living framework, not a one-time project
  4. Consider professional help - cybersecurity consultants can accelerate your implementation

Final Thoughts

The NIST Cybersecurity Framework 2.0 isn’t just a compliance checkbox – it’s a comprehensive approach to building and maintaining a strong cybersecurity program. With its emphasis on governance, risk management, and supply chain security, it addresses the modern threat landscape while remaining flexible enough for any organization.

Remember, cybersecurity is a journey, not a destination. Use this framework as your roadmap, but don’t forget to adapt it to your unique situation. Start where you are, use what you have, and do what you can. Your future self (and your organization) will thank you.

Good luck, and stay secure! 🔐


Want to dive deeper into specific aspects of NIST CSF 2.0? Check out our other cybersecurity resources, or reach out if you have questions about implementing the framework in your organization.

#NIST CSF 2.0 #cybersecurity framework #risk management #governance #controls #compliance #security standards #cybersecurity strategy #framework implementation #security controls

David McDonald

I'm David McDonald, the Cyber Risk Guy. I'm a cybersecurity consultant helping organizations build resilient, automated, cost effective security programs.
