NIST Cybersecurity Framework 2.0
What it is
A voluntary framework published by the U.S. National Institute of Standards and Technology that organizes cybersecurity outcomes into six high-level Functions. It is the most common 'common language' framework used across industries.
Who uses it
Used by organizations of any size or sector — federal contractors, healthcare, finance, SaaS, manufacturing — usually as the umbrella program structure that other frameworks (ISO 27001, SOC 2, HIPAA) plug into.
Why it matters
Gives GRC teams a stable vocabulary to describe a program to executives, auditors, and engineers. Maps cleanly to most other frameworks, which is why crosswalks usually start here.
Structure
Oversight, strategy, roles, policy, risk appetite, supply chain — the function added in 2.0 that elevates governance to a top-level concern.
Asset management, business environment, risk assessment — understand what you have and what could go wrong.
Access control, awareness training, data security, baseline configurations — the safeguards that reduce likelihood.
Continuous monitoring, anomaly detection, event analysis — knowing when something is happening.
Incident response planning, communications, analysis, mitigation — what you do during an event.
Recovery planning, improvements, communications — restoring services and learning from the event.
Terminology
Beginner explanation
Think of CSF as the table of contents for a cybersecurity program. It does not tell you exactly how to do anything — it tells you the outcomes you should be able to demonstrate, grouped into six themes.
Practical examples
- A SaaS startup maps its onboarding/offboarding process to PR.AA (Access Control) and uses it to prove access governance to a SOC 2 auditor.
- A hospital uses CSF Profiles to compare its current state to a target state required by its cyber-insurance carrier.
Advanced notes
CSF 2.0 introduced Govern (GV) and Community Profiles, and is designed to be paired with the NIST CSF Reference Tool and informative references like NIST SP 800-53.
Practice this in a lab
Northbeam Analytics is preparing for its first SOC 2 Type II and needs a risk register before fieldwork starts.
Given 5 short incident summaries, decompose each into asset, threat, and vulnerability.
Map your organization's MFA control to NIST CSF 2.0, ISO 27001 Annex A, SOC 2 TSC, and NIST SP 800-53.
Eight raw findings. Decide severity (Low/Med/High/Critical) and rationale.