NIST Cybersecurity Framework (CSF) 2.0: Complete Guide for 2026
A comprehensive guide to NIST CSF 2.0 — the six core functions, implementation tiers, profiles, and how to implement the framework in your organization with a GRC platform.
What Is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) is a set of guidelines and best practices developed by the National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risk. Originally published in 2014 in response to Executive Order 13636, the framework has become one of the most widely adopted cybersecurity frameworks globally.
In February 2024, NIST released CSF 2.0 — the first major update since the framework's creation. CSF 2.0 introduces a new core function (Govern), broadens the framework's applicability beyond critical infrastructure, and strengthens the focus on supply chain risk management.
Who Uses NIST CSF?
NIST CSF is used by organizations of all sizes and across all sectors:
- Critical infrastructure operators — energy, healthcare, financial services, transportation
- Federal agencies and contractors — increasingly referenced in federal cybersecurity requirements
- Private sector companies — technology firms, manufacturers, and service providers
- International organizations — despite being a US standard, NIST CSF is adopted worldwide
- Small and medium businesses — the framework scales to any organization size
Voluntary vs Mandatory
NIST CSF is voluntary for most private-sector organizations. However, it is becoming effectively mandatory in several contexts:
- Federal contractors may be required to demonstrate alignment with NIST CSF as part of contract requirements
- Regulated industries — financial regulators and healthcare bodies increasingly reference NIST CSF
- Cyber insurance — insurers often use NIST CSF as a baseline for assessing cybersecurity maturity
- Customer requirements — enterprise buyers may require NIST CSF alignment in vendor assessments
Even when not legally mandated, NIST CSF provides a common language for discussing cybersecurity risk that is understood by boards, regulators, auditors, and business partners.
---
The 6 Core Functions of NIST CSF 2.0
NIST CSF 2.0 organizes cybersecurity activities into six core functions. Each function contains categories and subcategories that describe specific outcomes. Together, they provide a complete lifecycle view of cybersecurity risk management.
1. Govern (GV) — New in CSF 2.0
The Govern function establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policies. It provides the overarching context for all other functions.
Key categories:
- Organizational Context (GV.OC) — Understanding the organization's mission, stakeholder expectations, and legal/regulatory requirements
- Risk Management Strategy (GV.RM) — Establishing risk appetite, tolerance, and risk management priorities
- Roles, Responsibilities, and Authorities (GV.RR) — Defining cybersecurity roles, accountability, and governance structures
- Policy (GV.PO) — Establishing, communicating, and enforcing cybersecurity policies
- Oversight (GV.OV) — Reviewing and adjusting risk management activities based on results
- Cybersecurity Supply Chain Risk Management (GV.SC) — Managing risk associated with suppliers and third parties
The Govern function reflects the growing recognition that cybersecurity is a board-level concern, not just an IT issue. Effective governance ensures that cybersecurity strategy aligns with business objectives and risk appetite.
2. Identify (ID)
The Identify function focuses on developing an understanding of your organization's cybersecurity risk posture. You cannot protect what you do not know about.
Key categories:
- Asset Management (ID.AM) — Inventorying physical devices, software, data flows, and external information systems
- Risk Assessment (ID.RA) — Identifying threats, vulnerabilities, likelihood, and impact to determine risk levels
- Improvement (ID.IM) — Identifying improvements based on assessments, exercises, and lessons learned
3. Protect (PR)
The Protect function implements safeguards to ensure delivery of critical services and limit the impact of cybersecurity events.
Key categories:
- Identity Management, Authentication, and Access Control (PR.AA) — Managing credentials, access rights, and authentication mechanisms
- Awareness and Training (PR.AT) — Ensuring personnel are trained and aware of cybersecurity policies and threats
- Data Security (PR.DS) — Protecting data at rest, in transit, and during processing
- Platform Security (PR.PS) — Managing and securing hardware, software, and services
- Technology Infrastructure Resilience (PR.IR) — Ensuring infrastructure components are resilient against cybersecurity events
4. Detect (DE)
The Detect function enables timely discovery of cybersecurity events and anomalies.
Key categories:
- Continuous Monitoring (DE.CM) — Monitoring networks, physical environments, personnel activity, and external service providers for cybersecurity events
- Adverse Event Analysis (DE.AE) — Analyzing detected events to understand attack targets, methods, and potential impact
5. Respond (RS)
The Respond function defines activities to take action when a cybersecurity incident is detected.
Key categories:
- Incident Management (RS.MA) — Managing the response to detected cybersecurity incidents
- Incident Analysis (RS.AN) — Conducting analysis to ensure effective response and support forensics and recovery
- Incident Response Reporting and Communication (RS.CO) — Coordinating response activities with internal and external stakeholders
- Incident Mitigation (RS.MI) — Containing and mitigating the impact of cybersecurity incidents
6. Recover (RC)
The Recover function supports timely restoration of normal operations after a cybersecurity incident.
Key categories:
- Incident Recovery Plan Execution (RC.RP) — Executing the recovery plan during or after an incident
- Incident Recovery Communication (RC.CO) — Coordinating restoration activities with internal and external parties, including public relations
---
Implementation Tiers
NIST CSF defines four Implementation Tiers that describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined by the framework. Tiers are not maturity levels — they help organizations understand their current approach and determine a target state.
Tier 1: Partial
- Cybersecurity risk management is ad hoc and reactive
- Limited awareness of cybersecurity risk at the organizational level
- No formal processes for managing cybersecurity risk
- External participation and information sharing is minimal
Tier 2: Risk Informed
- Risk management practices are approved by management but may not be established as organization-wide policy
- Awareness of cybersecurity risk exists at the organizational level, but a consistent approach is not established
- Some external collaboration, but not formalized
Tier 3: Repeatable
- Risk management practices are formally approved and expressed as policy
- Organization-wide approach to cybersecurity risk management
- Policies, processes, and procedures are defined, implemented, and reviewed regularly
- The organization actively collaborates with external entities and shares information
Tier 4: Adaptive
- Organization adapts its cybersecurity practices based on lessons learned and predictive indicators
- Continuous improvement driven by sophisticated and real-time understanding of cybersecurity activities
- Active management of supply chain risk
- Organization actively contributes to the broader cybersecurity community
Most organizations should aim for Tier 3 (Repeatable) as a practical target, with mature organizations striving toward Tier 4.
---
Framework Profiles
NIST CSF Profiles enable organizations to align their cybersecurity activities with business requirements, risk tolerance, and resources. Profiles are a key mechanism for using the framework practically.
Current Profile
The Current Profile documents your organization's present cybersecurity posture — which CSF outcomes you currently achieve. Building a Current Profile involves:
- Reviewing each CSF category and subcategory
- Assessing whether and to what degree each outcome is achieved
- Documenting evidence supporting each assessment
Target Profile
The Target Profile represents the desired cybersecurity posture — the state your organization wants to reach. The Target Profile is informed by:
- Business objectives and priorities
- Regulatory and contractual requirements
- Industry best practices
- Risk appetite and tolerance
Gap Analysis
Comparing the Current Profile against the Target Profile reveals gaps — areas where the organization's cybersecurity posture falls short of its goals. These gaps drive:
- Prioritized action plans
- Resource allocation decisions
- Investment justification for leadership
- Measurable improvement tracking over time
---
NIST CSF 2.0 — What Changed
CSF 2.0 represents a significant evolution from the original framework. Understanding the changes is essential for organizations that have already adopted CSF 1.1 and need to transition.
New Govern Function
The most visible change is the addition of the Govern function as the sixth core function. In CSF 1.1, governance elements were distributed across the other functions. CSF 2.0 elevates governance to a first-class function, reflecting the increasing importance of:
- Board and executive oversight of cybersecurity
- Cybersecurity risk management strategy
- Policy establishment and enforcement
- Supply chain risk management
Expanded Scope Beyond Critical Infrastructure
CSF 1.0 was explicitly designed for critical infrastructure. CSF 2.0 broadens its applicability to all organizations regardless of size, sector, or cybersecurity maturity. The title itself was updated — it is now simply the "Cybersecurity Framework" rather than the "Framework for Improving Critical Infrastructure Cybersecurity."
Stronger Supply Chain Focus
CSF 2.0 significantly strengthens guidance on cybersecurity supply chain risk management (C-SCRM). The new GV.SC category within the Govern function provides comprehensive guidance on managing third-party and supply chain cybersecurity risk.
Emphasis on Continuous Improvement
CSF 2.0 introduces the Improvement category within the Identify function, making continuous improvement an explicit part of the framework rather than an implicit expectation.
Enhanced Implementation Guidance
NIST has published expanded implementation examples and quickstart guides alongside CSF 2.0, making it more accessible for organizations new to the framework, including small businesses.
---
How to Implement NIST CSF
Implementing NIST CSF follows a structured approach. Whether you are starting fresh or transitioning from CSF 1.1, these steps provide a practical roadmap.
Step 1: Prioritize and Scope
Identify your business objectives and determine which systems, assets, and processes are most critical. Consider:
- Revenue-generating systems and services
- Systems processing sensitive data
- Regulatory and contractual obligations
- Stakeholder expectations
Define the boundaries of your CSF implementation — you do not need to address everything at once.
Step 2: Orient
Identify related systems, assets, regulatory requirements, and the overall threat landscape. Map your existing controls, standards, and frameworks to understand your starting point. If you already comply with ISO 27001, SOC 2, or other frameworks, many CSF outcomes may already be addressed.
Step 3: Create a Current Profile
Assess your organization against each CSF function, category, and subcategory. Document which outcomes are fully achieved, partially achieved, or not addressed. Be honest — the Current Profile is a diagnostic tool, not a scorecard for external audiences.
Step 4: Conduct a Risk Assessment
Evaluate the likelihood and potential impact of cybersecurity events on your critical systems and processes. Use the risk assessment to inform which CSF outcomes are most important to prioritize.
Step 5: Create a Target Profile
Based on business objectives, regulatory requirements, and risk assessment results, define your desired cybersecurity posture. The Target Profile should be ambitious but achievable given your resources and timeline.
Step 6: Determine, Analyze, and Prioritize Gaps
Compare your Current Profile to your Target Profile. Identify gaps and prioritize remediation based on:
- Risk severity
- Business impact
- Regulatory urgency
- Resource availability and cost
Step 7: Implement Action Plan
Execute your remediation plan. For each gap:
- Assign an owner
- Define specific actions and milestones
- Allocate resources
- Set target completion dates
- Define success criteria and evidence requirements
Step 8: Monitor and Improve Continuously
NIST CSF is not a one-time exercise. Establish ongoing processes to:
- Monitor control effectiveness
- Track changes in the threat landscape
- Reassess risks periodically
- Update profiles as business objectives evolve
- Incorporate lessons learned from incidents and exercises
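The profile comparison described in the Framework Profiles section and carried out in Steps 3 through 6 above can be made concrete in code. The following is an added example, not code from the guide, from NIST, or from Compliance Enablers: it scores a Current Profile and a Target Profile per CSF 2.0 category (using the category IDs the guide lists), reports the gaps ranked by the Step 6 criteria (risk severity, business impact, regulatory urgency, cost), and reports per-function coverage for tracking improvement over time. The three-level achievement scale, the priority weighting, and all sample assessment data are constructed assumptions, not NIST's scoring.

```python
"""Current Profile vs Target Profile gap analysis keyed by CSF 2.0 categories.

Added example, not from the guide, NIST or Compliance Enablers. The category
IDs are the CSF 2.0 categories named in the guide; the achievement scale, the
priority weighting and the sample data below are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal scale for "to what degree each outcome is achieved" (assumption).
LEVELS = {"not_addressed": 0, "partial": 1, "achieved": 2}

# CSF 2.0 category IDs as listed in the guide; the prefix before the dot is the function.
CATEGORIES = {
    "GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC",
    "ID.AM", "ID.RA", "ID.IM",
    "PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR",
    "DE.CM", "DE.AE",
    "RS.MA", "RS.AN", "RS.CO", "RS.MI",
    "RC.RP", "RC.CO",
}


@dataclass(frozen=True)
class Gap:
    category: str
    current: str
    target: str
    risk_severity: int       # 1 (low) .. 5 (high)
    business_impact: int     # 1 .. 5
    regulatory_urgency: int  # 1 .. 5
    cost: int                # 1 (cheap) .. 5 (expensive)

    @property
    def shortfall(self) -> int:
        return LEVELS[self.target] - LEVELS[self.current]

    @property
    def priority(self) -> float:
        # Weighting is an assumption: large shortfalls on risky, high-impact,
        # regulator-driven outcomes rank first; expensive fixes rank lower.
        drivers = self.risk_severity + self.business_impact + self.regulatory_urgency
        return self.shortfall * drivers / self.cost


def validate_profile(profile: dict[str, str]) -> None:
    """Reject unknown category IDs or achievement levels before comparing profiles."""
    for category, level in profile.items():
        if category not in CATEGORIES:
            raise ValueError(f"unknown CSF 2.0 category: {category}")
        if level not in LEVELS:
            raise ValueError(f"unknown achievement level {level!r} for {category}")


def find_gaps(current: dict[str, str], target: dict[str, str],
              factors: dict[str, tuple[int, int, int, int]]) -> list[Gap]:
    """Return every category where the Current Profile falls short of the Target Profile,
    highest priority first. A category in scope but never assessed counts as not addressed."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for category, wanted in target.items():
        have = current.get(category, "not_addressed")
        if LEVELS[have] >= LEVELS[wanted]:
            continue
        sev, imp, urg, cost = factors.get(category, (3, 3, 3, 3))
        gaps.append(Gap(category, have, wanted, sev, imp, urg, cost))
    return sorted(gaps, key=lambda g: (-g.priority, g.category))


def coverage_by_function(current: dict[str, str], target: dict[str, str]) -> dict[str, float]:
    """Fraction of targeted outcome points achieved per function (GV, ID, PR, ...),
    a simple metric for measurable improvement tracking between reassessments."""
    validate_profile(current)
    validate_profile(target)
    achieved: dict[str, int] = {}
    possible: dict[str, int] = {}
    for category, wanted in target.items():
        func = category.split(".")[0]
        have = min(LEVELS[current.get(category, "not_addressed")], LEVELS[wanted])
        achieved[func] = achieved.get(func, 0) + have
        possible[func] = possible.get(func, 0) + LEVELS[wanted]
    return {f: achieved[f] / possible[f] for f in possible if possible[f]}


# Constructed sample data for a scoped first iteration (not a real assessment).
CURRENT_PROFILE = {
    "GV.OC": "partial", "GV.RM": "not_addressed", "GV.SC": "not_addressed",
    "ID.AM": "partial", "PR.AA": "achieved", "DE.CM": "partial",
    "RS.MA": "partial", "RC.RP": "not_addressed",
}
TARGET_PROFILE = {category: "achieved" for category in CURRENT_PROFILE}
# (risk_severity, business_impact, regulatory_urgency, cost), each 1..5 (constructed)
PRIORITY_FACTORS = {
    "GV.OC": (3, 3, 4, 1), "GV.RM": (5, 4, 4, 2), "GV.SC": (4, 4, 5, 3),
    "ID.AM": (4, 4, 3, 2), "DE.CM": (5, 4, 3, 4), "RS.MA": (4, 5, 4, 3),
    "RC.RP": (5, 5, 3, 4),
}

if __name__ == "__main__":
    for g in find_gaps(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY_FACTORS):
        print(f"{g.category}: {g.current} -> {g.target}  priority={g.priority:.1f}")
    for func, cov in coverage_by_function(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{func}: {cov:.0%} of targeted outcomes achieved")
```

With the constructed data the Govern gaps rank at the top (GV.RM first, as an unaddressed outcome with high severity and low cost), PR.AA produces no gap because it already meets its target, and the coverage figures give a per-function baseline to compare against at the next reassessment. Swapping the tuple weights or the `priority` formula for your own risk scoring is the expected customisation.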
---
NIST CSF vs NIST 800-53
Organizations often confuse NIST CSF with NIST 800-53. While related, they serve different purposes:
| Aspect | NIST CSF | NIST 800-53 |
| --- | --- | --- |
| Purpose | Risk management framework | Security and privacy control catalog |
| Approach | Outcome-based (what to achieve) | Prescriptive (specific controls to implement) |
| Audience | All organizations, all sectors | Primarily federal agencies and contractors |
| Level of detail | High-level functions, categories, subcategories | Detailed control families with specific requirements |
| Mandatory for | Voluntary (mostly) | Federal information systems (FISMA) |
| Number of controls | ~100 subcategories | 1,000+ individual controls |
| Relationship | References NIST 800-53 as an informative reference | Can be used to implement CSF outcomes |
In practice, NIST CSF provides the "what" (outcomes to achieve), while NIST 800-53 provides the "how" (specific controls to implement). Many organizations use CSF to establish their risk management framework and then reference 800-53 for detailed control implementation guidance.
---
How Compliance Enablers Supports NIST CSF
Implementing NIST CSF effectively requires a structured approach to mapping controls, assessing gaps, and maintaining continuous compliance. Compliance Enablers provides the platform capabilities needed to operationalize the framework.
Pre-Built NIST CSF Framework Mapping
Compliance Enablers includes 261+ compliance frameworks, including NIST CSF 2.0, pre-mapped and ready to use. Each CSF function, category, and subcategory is mapped to corresponding controls in your control library, eliminating the manual effort of building mappings from scratch.
Cross-Framework Control Mapping
One of NIST CSF's strengths is its role as a unifying framework. Compliance Enablers leverages this by mapping controls across multiple frameworks simultaneously. A control implemented for NIST CSF may also satisfy ISO 27001, SOC 2, HIPAA, or CMMC requirements — the platform tracks these relationships automatically across all 261+ supported frameworks.
Gap Analysis Engine
The platform's gap analysis engine compares your current control environment against NIST CSF requirements and automatically identifies:
- Functions and categories with insufficient control coverage
- Controls that lack supporting evidence
- Policies and procedures that need creation or updates
- Risk areas that require additional treatment
This maps directly to the NIST CSF profile comparison approach — Current Profile vs Target Profile — making gap identification systematic rather than manual.
250+ Pre-Built Policy Templates
NIST CSF requires documented policies across governance, risk management, access control, incident response, and more. Compliance Enablers provides 250+ policy templates mapped to framework requirements, dramatically reducing the time needed to build your policy library.
Continuous Monitoring
The platform's 27 integrated modules provide continuous visibility into your cybersecurity posture. Automated evidence collection, control health monitoring, and real-time dashboards ensure you can demonstrate ongoing compliance rather than relying on point-in-time assessments.
AI-Powered Questionnaire Fill
When customers or partners request information about your NIST CSF alignment, the AI-powered questionnaire fill capability draws from your existing controls, evidence, and policies to auto-populate responses — saving significant time on security questionnaires and assessments.
Risk Management Integration
NIST CSF places risk assessment at the center of the framework. Compliance Enablers' risk management module integrates directly with the framework mapping, enabling you to:
- Link risks to specific CSF categories and subcategories
- Document risk treatment decisions with supporting evidence
- Track residual risk levels over time
- Generate risk reports aligned to CSF functions
---
Getting Started with NIST CSF 2.0
Whether you are implementing NIST CSF for the first time or transitioning from version 1.1, use this roadmap to begin:
- Understand the framework — Review the CSF 2.0 core document and quickstart guides published by NIST
- Secure leadership support — The Govern function makes executive engagement explicit; ensure leadership understands and sponsors the initiative
- Define your scope — Identify which systems, processes, and business units are in scope
- Build your Current Profile — Assess your present cybersecurity posture against CSF functions and categories
- Conduct a risk assessment — Evaluate threats, vulnerabilities, and potential impacts
- Define your Target Profile — Establish your desired cybersecurity state based on business objectives and risk tolerance
- Identify and prioritize gaps — Compare profiles and create a prioritized action plan
- Implement controls — Address gaps through policies, processes, and technical controls
- Monitor continuously — Establish ongoing monitoring, measurement, and improvement processes
- Review and iterate — Periodically reassess your profile and adjust your program