NIST CSF 2.0: Cybersecurity Framework
National Institute of Standards and Technology · Version 2.0 (2024) · Universal Cybersecurity Standard
Interactive study manual covering the 6 functions, 22 categories, subcategories, tiers, profiles, and 40 flash cards.
NIST CSF 2.0 is a voluntary cybersecurity framework published by the National Institute of Standards and Technology in February 2024. Originally designed for critical infrastructure, version 2.0 explicitly extends it to organisations of all sizes and sectors globally. It provides a common language and systematic approach for managing cybersecurity risk.
6 Functions · 22 Categories · 106 Subcategories · 4 Tiers · v2.0 published 2024
🆕 What Changed in CSF 2.0 vs 1.1
➕ New: GOVERN function
Added a sixth function, Govern, that sits at the centre, covering organisational context, risk strategy, and supply chain risk.
🌍 Universal scope
Explicitly designed for all organisations, not just US critical infrastructure. International adoption is explicitly encouraged.
🔗 Supply chain focus
Significantly expanded supply chain risk management (C-SCRM) throughout the framework, reflecting post-SolarWinds reality.
📚 Implementation guides
New Implementation Examples and Quick Start Guides make the framework more accessible to small organisations and newcomers.
Core structure: The CSF Core is a set of cybersecurity activities and outcomes organised into 6 Functions → 22 Categories → 106 Subcategories. Functions are the highest level: broad cybersecurity outcomes. Categories group related outcomes within a function. Subcategories are specific technical or management outcomes.
⬑ The 6 Functions at a Glance
GV · Govern
ID · Identify
PR · Protect
DE · Detect
RS · Respond
RC · Recover
The 6 functions organise cybersecurity activities at the highest level. They are not sequential steps; all functions should be performed continuously. GOVERN (new in 2.0) is the central function that informs and enables all others.
GV
GOVERN (NEW in 2.0)
The organisational context, strategy, and accountability structures that inform how an organisation manages cybersecurity risk. GOVERN sits at the centre of the framework; it informs and is informed by all other functions.
GV.OC
Organisational Context
GV.RM
Risk Management Strategy
GV.RR
Roles, Responsibilities & Authorities
GV.PO
Policy
GV.OV
Oversight
GV.SC
Cybersecurity Supply Chain Risk Management
ID
IDENTIFY
Understand the organisation's cybersecurity risk to systems, people, assets, data, and capabilities.
AM · RA · IM · SC
Asset Management · Risk Assessment · Improvement · Supply Chain
PR
PROTECT
Develop and implement safeguards to ensure delivery of critical services.
AA · AT · DS · PS · IR
Identity Mgmt · Awareness · Data Security · Platform Security · Resilience
DE
DETECT
Develop and implement activities to identify the occurrence of a cybersecurity event.
CM · AE
Continuous Monitoring · Adverse Event Analysis
RS
RESPOND
Develop and implement activities to take action regarding a detected cybersecurity incident.
MA · AN · MI · IR · CO
Incident Mgmt · Analysis · Mitigation · Reporting · Communications
RC
RECOVER
Develop and implement activities to maintain plans for resilience and restore impaired capabilities.
RP · CO
Recovery Planning · Communications
The 22 categories group related cybersecurity outcomes within each function. Each category has a two-letter code prefixed by its function. Filter by function to browse.
GV · Govern
GV.OC
Organisational Context
The circumstances (mission, stakeholder expectations, dependencies) that inform risk management decisions are understood.
GV · Govern
GV.RM
Risk Management Strategy
Risk management objectives, risk appetite, and risk tolerance are established and communicated.
GV · Govern
GV.RR
Roles, Responsibilities & Authorities
Cybersecurity roles and responsibilities for the workforce are established, communicated, and enforced.
GV · Govern
GV.PO
Policy
Organisational cybersecurity policy is established, communicated, and enforced.
GV · Govern
GV.OV
Oversight
Results of organisation-wide cybersecurity risk management are used to inform and improve the cybersecurity program.
GV · Govern
GV.SC
Cybersecurity Supply Chain Risk Management
Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organisational stakeholders.
ID · Identify
ID.AM
Asset Management
Assets (data, hardware, software, systems, facilities, services) that enable the organisation to achieve business purposes are identified and managed.
ID · Identify
ID.RA
Risk Assessment
Cybersecurity risk to the organisation, assets, and individuals is identified and prioritised, consistent with risk strategy and risk appetite.
ID · Identify
ID.IM
Improvement
Improvements to organisational cybersecurity risk management processes, procedures, and activities are identified across all CSF functions.
PR · Protect
PR.AA
Identity Management, Authentication & Access Control
Access to physical and logical assets is limited to authorised users, services, and hardware, managed consistent with assessed risk.
PR · Protect
PR.AT
Awareness and Training
The organisation's personnel are provided with cybersecurity awareness and training so they can perform related cybersecurity tasks.
PR · Protect
PR.DS
Data Security
Data are managed consistent with the organisation's risk strategy, protecting confidentiality, integrity, and availability.
PR · Protect
PR.PS
Platform Security
The hardware, software, and services of physical and virtual platforms are managed consistent with the organisation's risk strategy.
PR · Protect
PR.IR
Technology Infrastructure Resilience
Security architectures are managed with the organisation's risk strategy to protect individual assets and technology infrastructure.
DE · Detect
DE.CM
Continuous Monitoring
Assets are monitored to find anomalies, indicators of compromise, and other adverse events, at a cadence sufficient to meet organisational risk objectives.
DE · Detect
DE.AE
Adverse Event Analysis
Anomalies, indicators of compromise, and other adverse events are analysed to characterise the events and detect cybersecurity incidents.
RS · Respond
RS.MA
Incident Management
Responses to detected cybersecurity incidents are managed according to the organisation's incident response plan.
RS · Respond
RS.AN
Incident Analysis
Investigations are conducted to ensure effective response and support forensics and recovery activities.
RS · Respond
RS.CO
Incident Response Reporting and Communication
Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies.
RS · Respond
RS.MI
Incident Mitigation
Activities are performed to prevent expansion of an event and mitigate its effects.
RC · Recover
RC.RP
Incident Recovery Plan Execution
Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents.
RC · Recover
RC.CO
Incident Recovery Communication
Restoration activities are coordinated with internal and external parties; notifications are sent after a cybersecurity incident.
CSF Tiers describe the degree to which an organisation's cybersecurity risk management practices exhibit the characteristics defined in the framework. Tiers are not maturity levels; they characterise an organisation's practices and help determine whether current practices are appropriate given risk objectives, regulatory requirements, and budget.
Tier 1: Partial
Cybersecurity risk management is not formalised. Practices are ad hoc and reactive. Organisational awareness of cybersecurity risk is limited. Cyber risk is not systematically managed.
Ad hoc · Reactive · Limited awareness · No formal process
Tier 2: Risk Informed
Risk management practices are approved by management but may not be established as policy. Cybersecurity activities are prioritised but not organisation-wide. Cyber risk awareness exists at some levels.
Management approved · Not fully policy · Some awareness · Prioritised
Tier 3: Repeatable
Cybersecurity practices are formally approved and expressed as policy. Practices are regularly updated based on changes to business requirements, threats, and the technology landscape.
Formally approved policy · Regularly updated · Organisation-wide · Risk-informed
Tier 4: Adaptive
The organisation adapts cybersecurity practices based on lessons learned and predictive indicators. Continuous improvement is embedded. The organisation actively shares information with partners to improve collective cybersecurity posture.
Continuous improvement · Predictive · Lessons learned · Information sharing
Important: Higher tiers are not necessarily better for all organisations. The target tier should be determined by the organisation's risk tolerance, business objectives, regulatory requirements, and available resources. Tier 3 may be entirely appropriate and cost-effective for many organisations.
A CSF Profile is a selection of framework outcomes aligned to the organisation's business needs, risk tolerance, and resources. Profiles are used to describe the current state ("Current Profile") and the desired state ("Target Profile"); the gap between them defines the improvement roadmap.
Current Profile
Describes the cybersecurity outcomes the organisation is currently achieving: an honest snapshot of where the organisation is today across all 6 functions.
→ Identifies which subcategories are met
→ Documents current state objectively
→ Baseline for gap analysis
→ Used for board reporting
Target Profile
Describes the desired cybersecurity outcomes: where the organisation needs to be given its risk appetite, requirements, and objectives.
→ Aligned to business objectives
→ Reflects regulatory requirements
→ Accounts for threat landscape
→ Prioritised by risk impact
🗺️ Using Profiles: The 7-Step Process
1. Scope: Define the organisational scope for the profile
2. Gather intelligence: Identify threats, vulnerabilities, and regulatory requirements
3. Create Current Profile: Document what the organisation currently does
4. Conduct risk assessment: Identify and prioritise risks
5. Create Target Profile: Define desired cybersecurity outcomes
6. Gap analysis: Compare Current vs Target Profile, prioritise actions
7. Implement action plan: Execute prioritised improvements
NIST CSF and ISO/IEC 27001 are the two most widely referenced cybersecurity frameworks globally. They are complementary β€” many organisations use both simultaneously.
Dimension | NIST CSF 2.0 | ISO/IEC 27001:2022
Type | Voluntary framework, guidance-based | International standard, certifiable
Origin | US NIST, now explicitly global in scope | ISO/IEC, international by design
Structure | 6 Functions → 22 Categories → 106 Subcategories | 10 Clauses + Annex A (93 controls)
Certification | No organisational certification; individual certs (NIST practitioners) | Organisational certification via accredited body
Prescriptiveness | Outcome-based: what to achieve, not how | Requirements-based: "shall" language is mandatory
Focus | Cybersecurity risk management across the full lifecycle | Information security management system (ISMS)
Scope | Technology, people, processes, and supply chain | Information assets within defined ISMS scope
Tiers/Maturity | 4 Tiers describe current state (not a maturity model) | No built-in maturity model; CMMI can supplement
Best for | Risk-based cybersecurity programme management, gap analysis, board reporting | Demonstrating cybersecurity capability to customers and regulators through certification
Relationship | NIST CSF maps to ISO 27001 controls: NIST provides the "what to manage", ISO 27001 provides the certifiable "how" | ISO 27001 Annex A controls can be mapped to NIST CSF categories; many overlaps
Global adoption | Widely used in US, growing globally; often required for US federal contracts | Dominant internationally; ~75,000 certified organisations globally
Recommended approach: Use NIST CSF 2.0 as the strategic risk management framework for creating profiles, prioritising improvements, and communicating with executives. Use ISO 27001 as the implementation standard and certification vehicle. They are complementary tools for different audiences and purposes.
40 flash cards covering NIST CSF 2.0 functions, categories, tiers, profiles, and exam-relevant knowledge.