The NIST Cybersecurity Framework 2.0: What Is It & How to Comply [+ Checklist]

  • May 16, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe

Reviewer

Rob Gutierrez

Senior Compliance Manager at Secureframe

In the 2024 Keeper Security Insight Report, 92% of IT and security leaders said they've seen an increase in cyber attacks year-over-year and 95% said that cyber attacks are also more sophisticated than ever.

With the increasing frequency and sophistication of cyber threats, organizations need a structured approach to manage and mitigate these risks effectively. This is where frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) come into play.

In this blog post, we'll explore what NIST CSF 2.0 is, its key categories, how it relates to NIST 800-53, its maturity levels, and more. 

What is NIST CSF?

The NIST Cybersecurity Framework (CSF) is a set of standards, guidelines, and best practices designed to help organizations manage and reduce cybersecurity risk. 

Developed by NIST, a non-regulatory agency of the United States Department of Commerce, the CSF provides guidance to industry, government agencies, and any other organizations to better understand, assess, prioritize, and communicate their cybersecurity efforts. 

This framework is designed to be flexible and adaptable so organizations of any size, sector, or cybersecurity program maturity can use it and customize it to suit their specific cybersecurity needs and risk profiles.

NIST CSF 2.0

While NIST CSF has been revised over time to keep pace with emerging cyber threats and technological advancements, NIST CSF 2.0 is the framework’s first major update since its creation in 2014. The key difference between the latest version and the original is that NIST CSF 2.0 explicitly aims to help all organizations manage and reduce risks, rather than just those in critical infrastructure.

NIST CSF 2.0 also contains updates to the CSF’s core guidance, with additional emphasis on governance and supply chains, and a suite of related resources to help all organizations achieve their cybersecurity goals. 

NIST CSF 2.0 Release Date

NIST CSF 2.0 was officially released on February 26, 2024, marking the first major update to this cybersecurity framework in a decade. This latest version reflects feedback from years of discussions and public comments, which were aimed at making the framework more effective and relevant to a wider range of users both in the United States and abroad.

The information below reflects the latest version of NIST CSF. 

NIST CSF categories

NIST CSF 2.0 is organized into six key functions. These functions represent outcomes that can help any organization better understand, assess, prioritize, and communicate its cybersecurity efforts. 

Within each function, there are categories that represent related cybersecurity outcomes. These categories collectively comprise the function, and provide a comprehensive framework for addressing cybersecurity risk across an entire organization. Categories are also further divided into subcategories, which are more specific outcomes of technical and management activities. Together, these make up the CSF Core. 

These functions and categories are not a checklist of actions to perform. That’s because the specific actions taken to achieve an outcome and who is responsible for those actions will vary by organization.

So rather than prescribe how outcomes should be achieved, the CSF links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. This complementary suite of online resources is expanding, and already includes a series of Quick Start Guides (QSGs), Informative References, and Implementation Examples.

NIST CSF 2.0 functions and categories, along with their definitions, are listed below.

Govern: The organization’s cybersecurity risk management strategy, roles and responsibilities, and policy are established, communicated, and monitored.
  • Organizational Context: The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood.
  • Risk Management Strategy: The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
  • Roles, Responsibilities, and Authorities: Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.
  • Policy: Organizational cybersecurity policy is established, communicated, and enforced.
  • Oversight: Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
  • Cybersecurity Supply Chain Risk Management: Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders.

Identify: The organization’s cybersecurity risks are understood.
  • Asset Management: Assets that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
  • Risk Assessment: The cybersecurity risk to the organization, assets, and individuals is understood by the organization.
  • Improvement: Improvements to organizational cybersecurity risk management processes, procedures, and activities are identified across all CSF Functions.

Protect: The organization uses safeguards to manage its cybersecurity risks.
  • Identity Management, Authentication, and Access Control: Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access.
  • Awareness and Training: The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks.
  • Data Security: Data is managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  • Platform Security: The hardware, software, and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability.
  • Technology Infrastructure Resilience: Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience.

Detect: The organization finds and analyzes possible cybersecurity attacks and compromises.
  • Continuous Monitoring: Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events.
  • Adverse Event Analysis: Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents.

Respond: The organization takes actions regarding a detected cybersecurity incident.
  • Incident Management: Responses to detected cybersecurity incidents are managed.
  • Incident Analysis: Investigations are conducted to ensure effective response and support forensics and recovery activities.
  • Incident Response Reporting and Communication: Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies.
  • Incident Mitigation: Activities are performed to prevent expansion of an event and mitigate its effects.

Recover: The organization restores assets and operations affected by a cybersecurity incident.
  • Incident Recovery Plan Execution: Assets and operations affected by a cybersecurity incident are restored.
  • Incident Recovery Communication: Restoration activities are coordinated with internal and external parties.

NIST CSF tiers

In addition to the CSF Core, NIST defines tiers to help organizations understand, assess, prioritize, and communicate cybersecurity risks. 

Tiers characterize the rigor of an organization’s cybersecurity risk governance and management practices, and can also provide context for how an organization views cybersecurity risks and the processes it has in place to manage those risks. 

NIST CSF 2.0 has four tiers, each of which reflects an organization’s practices for managing cybersecurity risk:

  • Tier 1: Partial
  • Tier 2: Risk Informed 
  • Tier 3: Repeatable
  • Tier 4: Adaptive

While these tiers represent an increasing degree of rigor and sophistication in cybersecurity risk management practices, they do not necessarily represent maturity levels. Instead, tiers should be used by an organization to set the overall tone for how it will manage its cybersecurity risks. 

Organizations should select the tier that:

  • Meets their organizational goals
  • Is feasible for them to implement
  • Reduces cybersecurity risk to critical assets and resources to levels that are considered acceptable to their organization

When selecting a tier, organizations must also take into account the organization’s current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business objectives, supply chain cybersecurity requirements, and organizational constraints. 

NIST CSF vs NIST 800-53

While both NIST CSF 2.0 and NIST 800-53 are cybersecurity frameworks developed by NIST and designed for all types of organizations, they serve different purposes. NIST CSF is a high-level framework that provides guidance and best practices for managing cybersecurity risks, whereas NIST 800-53 is a more strict and comprehensive framework that prescribes controls for developing secure and resilient federal information systems. 

Organizations can use NIST 800-53 controls to implement NIST CSF. However, as mentioned above, that is not the only way organizations can implement the CSF. 

Another key difference is that many organizations use NIST CSF on a voluntary basis. This was true of federal agencies and contractors until 2017 when Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, was published. This executive order made the CSF mandatory for federal agencies and contractors. 

While all federal agencies and contractors today must comply with both NIST CSF 2.0 and NIST 800-53, audits are only required for NIST 800-53. NIST 800-53 is also the standard and set of criteria on which FISMA (Federal Information System Modernization Act) compliance is based. 


How to implement NIST CSF 2.0

Below are some action-oriented steps you can take to achieve NIST CSF outcomes. Like the Implementation Examples offered by NIST, this is not an exhaustive list of actions that could be taken by an organization to achieve an outcome. It is also not a baseline of required actions to address cybersecurity risks.

1. Document a risk management strategy

A risk management strategy is a strategy that addresses how an organization intends to identify, assess, respond to, and monitor risk. An effective strategy should consider your organization’s specific cybersecurity objectives, risk environment, and lessons learned from your past and from other organizations. For example, you can review audit findings, cybersecurity incidents, and key risk indicators to measure the effectiveness of the current risk management strategy and make improvements over time. 

2. Document a risk management policy

Establish a policy for managing cybersecurity risks based on your organizational context, cybersecurity strategy, and priorities. An effective policy should:

  • Document risk management roles and responsibilities
  • Be approved by senior management
  • Be acknowledged by employees when hired and on a recurring basis (at least annually or whenever the policy is updated)
  • Be regularly updated to reflect cybersecurity risk management results and changes in legal and regulatory requirements, technology, and the business
  • Address supply chain risks

Please note that your organization may choose to have an individual supply chain risk management policy/plan and in that case, your risk management policy does not need to address supply chain risks. 

3. Perform a business impact analysis

Establish criteria for determining which business functions, processes, systems, and data are essential for your organization's operations and the potential impact of a loss of these operations. As part of this business impact analysis, establish recovery time objectives for delivering these critical capabilities and services in various operating states, including under attack, during recovery, and during normal operations.

4. Maintain an asset inventory

Knowing what assets exist in your organization — including data, hardware, software, systems, facilities, devices, people, and services provided by suppliers — is essential for cybersecurity risk management. Maintaining an inventory of these assets can be done manually in a spreadsheet, although this can be tedious and difficult to keep up-to-date. A compliance automation tool can keep an up-to-date inventory of all your assets for improved visibility and monitoring. 

5. Identify, assess, and document risks

Risks to assets should be identified, assessed, and documented. One way to do so is by creating a risk register. A risk register is a repository of all risks facing your organization and related information such as a description of the risk, the impact if the risk should occur, the probability of its occurrence, mitigation strategies, risk owners, and a ranking in order to help prioritize mitigation efforts. Like an asset inventory, you can create a risk register manually, but an automation tool can speed up the process and keep it up-to-date for you.
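The risk register described above, as an added example (not Secureframe's code or any NIST artifact): each entry carries the fields the paragraph lists (description, affected asset, impact, likelihood, owner, treatment and mitigations), a score is derived from impact and likelihood, entries are ranked for prioritization, and the register is checked against a risk tolerance in the spirit of the Govern function's risk appetite statements. The 1-to-5 scales, the tolerance value and the sample risks are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Qualitative scales mapped to 1..5 (constructed; use your organization's own).
IMPACT_SCALE: Dict[str, int] = {
    "negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD_SCALE: Dict[str, int] = {
    "rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# The four risk treatment options named in the vulnerability management step.
TREATMENTS = {"accept", "transfer", "mitigate", "avoid"}


@dataclass
class Risk:
    risk_id: str
    description: str
    asset: str
    impact: str
    likelihood: str
    owner: str = ""
    treatment: str = "mitigate"
    mitigations: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        """Impact x likelihood on the 1..5 scales, giving a 1..25 score."""
        return IMPACT_SCALE[self.impact] * LIKELIHOOD_SCALE[self.likelihood]


def rank_risks(register: List[Risk]) -> List[Risk]:
    """Highest score first. Ties are broken by impact so that a high-impact,
    low-likelihood risk sorts above a low-impact, high-likelihood one."""
    return sorted(register,
                  key=lambda r: (r.score, IMPACT_SCALE[r.impact]),
                  reverse=True)


def register_issues(register: List[Risk], tolerance: int) -> Dict[str, List[str]]:
    """Check every entry for gaps an assessor would flag. `tolerance` is the
    highest score the organization accepts without treatment (constructed
    policy value). Returns {risk_id: [issue, ...]} for entries needing work."""
    issues: Dict[str, List[str]] = {}
    for r in register:
        found: List[str] = []
        if not r.owner:
            found.append("no risk owner assigned")
        if r.treatment not in TREATMENTS:
            found.append(f"unknown treatment '{r.treatment}'")
        if r.score > tolerance and r.treatment == "accept":
            found.append(f"score {r.score} exceeds tolerance {tolerance} but is accepted")
        if r.treatment == "mitigate" and not r.mitigations:
            found.append("marked 'mitigate' but no mitigation recorded")
        if found:
            issues[r.risk_id] = found
    return issues


# Constructed sample register.
SAMPLE_REGISTER: List[Risk] = [
    Risk("R-001", "Phishing leads to credential theft", "Workforce SSO accounts",
         "major", "likely", owner="IT Security",
         mitigations=["MFA on SSO", "annual awareness training"]),
    Risk("R-002", "Ransomware encrypts the file server", "File server",
         "severe", "possible", owner="Infrastructure",
         mitigations=["offline backups", "EDR on servers"]),
    Risk("R-003", "Unpatched remote access appliance", "Remote access gateway",
         "severe", "likely", owner="", treatment="accept"),
    Risk("R-004", "Office printer firmware out of date", "Printers",
         "minor", "possible", owner="IT Ops", treatment="accept"),
    Risk("R-005", "Lost laptop without disk encryption", "Laptops",
         "moderate", "likely", owner="IT Ops"),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.risk_id} score={r.score:2d} {r.treatment:8s} {r.description}")
    for rid, problems in register_issues(SAMPLE_REGISTER, tolerance=8).items():
        print(rid, "->", "; ".join(problems))
```

The ranking alone is what most spreadsheets give you; the `register_issues` check is the part that keeps the register honest, catching risks accepted above the stated tolerance, risks with no owner, and "mitigate" entries with nothing actually planned.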

6. Implement access controls

To help protect your assets, your organization can establish a policy for limiting and granting access to your facilities, environment, networks, instances, and data. You can also introduce need-based access rules and expiration dates to help you keep track of who has access and for how long. By regularly reviewing and monitoring personnel and vendor access, you can ensure that least privilege, least functionality, and separation of duties have been implemented and minimize cybersecurity risks.
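The access review described in this step, as an added example (not Secureframe's code): grants are recorded with a documented need and an expiration date, and a review run on a given date reports grants that have expired but are still active, grants with no documented need, vendor grants longer than the policy allows, and separation-of-duties conflicts. The conflicting permission pairs, the 90-day vendor limit and the sample grants are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

@dataclass(frozen=True)
class Grant:
    subject: str          # person or vendor account
    resource: str         # facility, network, instance or data set
    permission: str
    granted_on: date
    expires_on: date
    justification: str    # the documented need behind the grant
    vendor: bool = False

# Permission pairs a single subject must never hold at the same time
# (constructed separation-of-duties policy).
SOD_CONFLICTS = [
    frozenset({"create_payment", "approve_payment"}),
    frozenset({"deploy_production", "approve_change"}),
]
MAX_VENDOR_GRANT_DAYS = 90   # constructed policy value


def review_access(grants: List[Grant], today: date) -> Dict[str, List[str]]:
    """Return {subject: [finding, ...]} for every subject with at least one
    finding; subjects whose access is clean are absent from the result."""
    findings: Dict[str, List[str]] = {}
    by_subject: Dict[str, List[Grant]] = {}
    for g in grants:
        by_subject.setdefault(g.subject, []).append(g)

    for subject, held in by_subject.items():
        out: List[str] = []
        for g in held:
            if g.expires_on < today:
                out.append(f"expired {g.permission} on {g.resource} "
                           f"({g.expires_on.isoformat()}) still active")
            if not g.justification.strip():
                out.append(f"{g.permission} on {g.resource} has no documented need")
            if g.vendor and (g.expires_on - g.granted_on).days > MAX_VENDOR_GRANT_DAYS:
                out.append(f"vendor grant {g.permission} on {g.resource} exceeds "
                           f"{MAX_VENDOR_GRANT_DAYS}-day limit")
        # Separation of duties is judged on permissions that are still valid.
        live_perms = {g.permission for g in held if g.expires_on >= today}
        for pair in SOD_CONFLICTS:
            if pair <= live_perms:
                out.append("separation-of-duties conflict: " + " + ".join(sorted(pair)))
        if out:
            findings[subject] = out
    return findings


# Constructed sample data; the review date is the date of this post.
REVIEW_DATE = date(2024, 5, 16)
SAMPLE_GRANTS: List[Grant] = [
    Grant("alice", "erp", "create_payment", date(2024, 1, 10), date(2024, 12, 31), "AP clerk"),
    Grant("alice", "erp", "approve_payment", date(2024, 3, 1), date(2024, 12, 31), "covering for manager"),
    Grant("bob", "prod-vpc", "deploy_production", date(2023, 11, 1), date(2024, 4, 30), "release engineer"),
    Grant("carol", "hr-data", "read", date(2024, 2, 1), date(2025, 1, 31), ""),
    Grant("vendor-acme", "jump-host", "ssh", date(2024, 1, 15), date(2024, 12, 31), "support contract", vendor=True),
    Grant("dave", "wiki", "edit", date(2024, 1, 1), date(2024, 6, 30), "engineer"),
]

if __name__ == "__main__":
    for subject, problems in review_access(SAMPLE_GRANTS, REVIEW_DATE).items():
        print(subject)
        for p in problems:
            print("  -", p)
```

Running the review on a schedule, rather than only when someone leaves, is what turns an expiration date into an actual control: the expired grant in the sample is only a finding because somebody looked.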

7. Provide cybersecurity awareness training

Providing cybersecurity awareness training can help ensure your organization’s employees, partners, and suppliers have the knowledge and skills to perform tasks with cybersecurity risks and any related policies, procedures, and agreements in mind. Effective training should:

  • Cover social engineering and other common attacks and the consequences of violating the cybersecurity policy
  • Include assessment or tests to evaluate users’ understanding of cybersecurity practices
  • Be required at least annually

8. Develop a vulnerability management plan

A vulnerability management plan can help ensure that cybersecurity risk to the organization, assets, and individuals is understood. The plan should clearly define the process, structure, and scope of vulnerability management and the responsibilities and expectations of those responsible for the management of the program as well as everyone else within the organization. This includes criteria for deciding whether to accept, transfer, mitigate, or avoid risk. Effective vulnerability management involves several activities, including vulnerability scanning, DAST and SAST scanning, penetration testing, risk assessments, employee training, and more.

9. Implement continuous monitoring

Continuously monitoring your information system and assets as well as your suppliers can help your organization identify cybersecurity events and verify the effectiveness of the controls you have in place. Creating and assigning tickets when certain types of alerts occur, either manually or automatically, can also help ensure possible cybersecurity attacks are found and analyzed.

A tool like Secureframe can automate the continuous monitoring process and automatically notify owners when a control is failing. 

10. Develop an incident response plan

An incident response plan is a document containing a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of a security incident. Having an incident response plan in place can ensure that response processes and procedures are executed when cybersecurity incidents are detected. This plan should be regularly updated to incorporate lessons learned. 

11. Develop a disaster recovery plan

Having a disaster recovery plan in place, which clearly defines recovery processes and procedures, can help ensure restoration of systems or assets affected by cybersecurity incidents. It may also define communication protocols and notification procedures to ensure communication during and after a disaster to internal and external stakeholders as well as management.

Like the incident response plan, this plan should be regularly updated to incorporate lessons learned. 

NIST CSF compliance checklist

Implementing NIST CSF standards and guidelines can be challenging, but the right tools can simplify and speed up the process. This NIST CSF compliance checklist is not meant to be prescriptive. Instead, use it as a guide when trying to achieve the outcomes of NIST CSF 2.0.

Download it here.

NIST CSF assessment

NIST CSF does not offer certification or require audits. Instead, organizations can conduct readiness assessments internally or hire a consultant to evaluate their practices for managing cybersecurity risk and identify areas for improvement. 

Whether you decide to do this internally or hire a consultant, a readiness assessment typically follows these steps:

  • Map existing controls to the NIST CSF 2.0 framework. Identify controls and documentation that already exist that meet the NIST CSF 2.0 framework. If doing this manually, you’ll have to log all NIST CSF Core outcomes (represented by categories and subcategories) that you want to achieve and then map them to your existing controls in a spreadsheet. A compliance automation tool like Secureframe can do this automatically. 
  • Check for gaps. You might discover missing controls, discover you need to redesign processes, implement employee training programs, or document more evidence for your existing controls.
  • Develop a remediation plan. Try to include specific timelines and deliverables for closing any gaps. Identify an individual who will be responsible for tracking progress.
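The first two steps of the readiness assessment above, mapping existing controls to CSF 2.0 Core outcomes and checking for gaps, as an added example (not Secureframe's code or NIST's). The category identifiers are the CSF 2.0 ones (GV.OC, ID.AM, and so on), matching the category names listed earlier in this post; the controls, their mappings and the evidence flags are constructed for illustration. The gap report distinguishes categories with no control at all, categories whose only controls have no evidence behind them, and mappings that point at an identifier that does not exist.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# NIST CSF 2.0 Core categories: identifier -> (function, category name).
CSF_CATEGORIES: Dict[str, Tuple[str, str]] = {
    "GV.OC": ("Govern", "Organizational Context"),
    "GV.RM": ("Govern", "Risk Management Strategy"),
    "GV.RR": ("Govern", "Roles, Responsibilities, and Authorities"),
    "GV.PO": ("Govern", "Policy"),
    "GV.OV": ("Govern", "Oversight"),
    "GV.SC": ("Govern", "Cybersecurity Supply Chain Risk Management"),
    "ID.AM": ("Identify", "Asset Management"),
    "ID.RA": ("Identify", "Risk Assessment"),
    "ID.IM": ("Identify", "Improvement"),
    "PR.AA": ("Protect", "Identity Management, Authentication, and Access Control"),
    "PR.AT": ("Protect", "Awareness and Training"),
    "PR.DS": ("Protect", "Data Security"),
    "PR.PS": ("Protect", "Platform Security"),
    "PR.IR": ("Protect", "Technology Infrastructure Resilience"),
    "DE.CM": ("Detect", "Continuous Monitoring"),
    "DE.AE": ("Detect", "Adverse Event Analysis"),
    "RS.MA": ("Respond", "Incident Management"),
    "RS.AN": ("Respond", "Incident Analysis"),
    "RS.CO": ("Respond", "Incident Response Reporting and Communication"),
    "RS.MI": ("Respond", "Incident Mitigation"),
    "RC.RP": ("Recover", "Incident Recovery Plan Execution"),
    "RC.CO": ("Recover", "Incident Recovery Communication"),
}


@dataclass
class Control:
    control_id: str
    name: str
    categories: List[str]        # CSF 2.0 category ids the control helps achieve
    has_evidence: bool = False   # documentation an assessor could review


def gap_report(controls: List[Control]) -> dict:
    """Map controls onto CSF 2.0 categories and report the gaps."""
    mapped: Dict[str, List[Control]] = {cid: [] for cid in CSF_CATEGORIES}
    invalid: List[Tuple[str, str]] = []
    for c in controls:
        for cid in c.categories:
            if cid not in CSF_CATEGORIES:
                invalid.append((c.control_id, cid))   # typo or stale CSF 1.1 id
                continue
            mapped[cid].append(c)

    uncovered = [cid for cid, cs in mapped.items() if not cs]
    unevidenced = [cid for cid, cs in mapped.items()
                   if cs and not any(c.has_evidence for c in cs)]
    coverage: Dict[str, Tuple[int, int]] = {}
    for cid, (function, _) in CSF_CATEGORIES.items():
        covered, total = coverage.get(function, (0, 0))
        coverage[function] = (covered + (1 if mapped[cid] else 0), total + 1)
    return {"uncovered": uncovered, "unevidenced": unevidenced,
            "invalid_mappings": invalid, "coverage_by_function": coverage}


# Constructed sample of an organization's existing controls.
SAMPLE_CONTROLS: List[Control] = [
    Control("C-01", "Security policy approved by the CEO", ["GV.PO"], True),
    Control("C-02", "Asset inventory kept in the CMDB", ["ID.AM"], True),
    Control("C-03", "MFA enforced on SSO", ["PR.AA"], True),
    Control("C-04", "Annual awareness training", ["PR.AT"], False),
    Control("C-05", "SIEM alerting on endpoint telemetry", ["DE.CM", "DE.AE"], True),
    Control("C-06", "Incident response plan", ["RS.MA", "RS.CO"], True),
    Control("C-07", "Offsite backups with quarterly restore test", ["RC.RP"], True),
    Control("C-08", "Vendor security questionnaire", ["GV.SC"], True),
    Control("C-09", "Risk register reviewed quarterly", ["ID.RA", "GV.RM"], True),
    Control("C-10", "Laptop disk encryption", ["PR.XX"], True),   # mis-typed id
]

if __name__ == "__main__":
    report = gap_report(SAMPLE_CONTROLS)
    for function, (covered, total) in report["coverage_by_function"].items():
        print(f"{function:9s} {covered}/{total} categories have a mapped control")
    print("no control:", ", ".join(report["uncovered"]))
    print("no evidence:", ", ".join(report["unevidenced"]))
    print("bad mappings:", report["invalid_mappings"])
```

Each line of the report is a candidate remediation item for the third step: an uncovered category needs a control, an unevidenced one needs documentation, and an invalid mapping needs a corrected id before it counts toward anything.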

How Secureframe can help simplify NIST CSF 2.0 compliance

Secureframe can streamline the process for complying with NIST CSF, helping organizations save time, reduce costs, and improve their cybersecurity practices.

One of the key features of Secureframe's platform is its ability to automate the mapping of an organization's existing security controls to the NIST CSF 2.0 framework. This mapping process helps organizations understand how their current security measures align with the standards, guidelines, and best practices outlined in NIST CSF 2.0 and identify any gaps or areas for improvement. By automating this mapping process, Secureframe enables organizations to gain a comprehensive view of their cybersecurity posture and prioritize efforts to address any deficiencies effectively, while eliminating guesswork and manual effort. 

Additionally, Secureframe's compliance automation platform provides automated workflows and policy templates tailored specifically to NIST CSF 2.0. These workflows automate most of the process of implementing and maintaining the necessary security measures to comply with NIST CSF 2.0 effectively, including evidence collection, risk management, asset inventory, policy management, and task management. Using these workflows, organizations can ensure consistency, accuracy, and completeness in their compliance efforts, reducing the likelihood of errors or oversights.

Furthermore, Secureframe's platform offers continuous monitoring capabilities, allowing organizations to proactively identify and address cybersecurity risks in real-time. By continuously monitoring their security posture against NIST CSF 2.0, organizations can quickly detect and respond to emerging threats, vulnerabilities, or compliance issues, thereby enhancing their overall cybersecurity resilience and driving their continuous compliance strategy. 

Finally, Secureframe helps organizations keep up with framework updates like NIST CSF 2.0 so they don’t fall out of compliance — without requiring them to scan regulatory websites for changes that may impact their organization. The Secureframe team reaches out to notify customers of any changes or updates affecting their compliance posture, and our platform is built and maintained by compliance and security experts, so any framework updates are reflected in the platform. 

To learn more about how Secureframe can help you comply with the latest version of NIST CSF, schedule a demo.

FAQs

Is compliance with NIST CSF mandatory?

NIST CSF 2.0 compliance is mandatory for federal contractors and government agencies, and recommended for commercial organizations and others looking to manage cybersecurity risk effectively.

Who uses NIST CSF?

While it is typically pursued by federal contractors and government agencies, NIST CSF provides a flexible framework that any organization can use to manage cybersecurity risks, regardless of their size, sector, or the maturity level of their cybersecurity programs. For example, industry, government, academia, and nonprofit organizations sometimes use NIST CSF as best practice guidelines.

How many controls are there in NIST CSF?

Instead of a predefined set of controls, NIST CSF provides standards, guidelines, and best practices for organizations to manage and improve their cybersecurity posture and the NIST 800-53 and NIST 800-171 frameworks provide security controls for implementing NIST CSF.

What is the difference between NIST CSF and NIST 800-53?

NIST CSF 2.0 and NIST 800-53 are both cybersecurity frameworks developed by NIST, but they serve different purposes. NIST 800-53 is designed to enable the development of secure and resilient federal information systems and compliance is mandatory for federal agencies and contractors as well as any organization that carries federal data. NIST CSF, on the other hand, is designed to enable comprehensive and personalized security weakness identification and is mandatory for federal agencies and contractors and recommended for commercial organizations.

When will NIST CSF 2.0 be released?

NIST CSF 2.0 was released on February 26, 2024.

How often is NIST CSF updated?

NIST CSF 2.0, which was released in 2024, was the framework’s first major update since its creation in 2014. This update was the outcome of a multi-year process of discussions and public comments aimed at making the framework more effective.

Can NIST CSF 2.0 be customized for specific industries or organizations?

Yes, NIST CSF 2.0 is designed to be flexible and adaptable, allowing organizations to tailor the framework to their unique cybersecurity needs, risk profiles, and regulatory requirements.
