Chapter 4

A Tour of NIST CSF 2.0

The six functions of NIST Cybersecurity Framework 2.0, what makes it different from a certification framework, and how to use it as a programme structure.

3 min read. Last updated 30 April 2026

The NIST Cybersecurity Framework (CSF) is a US-government-published framework that's not a certification scheme. There's no auditor, no certificate, no pass/fail. Instead, it's a structured way to talk about a cybersecurity programme — a vocabulary that maps onto whatever certification frameworks you also adopt.

NIST CSF 2.0 was published in February 2024 and added a sixth function, Govern, on top of the original five.

The six functions

CSF organises everything into six top-level functions, each with categories and subcategories:

GV — Govern (added in 2.0)

  • Organisational context
  • Risk-management strategy
  • Roles, responsibilities, and authorities
  • Policy
  • Oversight
  • Cybersecurity supply-chain risk management

This is the "who decides, who's accountable, what's the strategy" layer. It exists because too many organisations have great technical controls and zero governance — and CSF 1.x couldn't say much about that gap.

ID — Identify

  • Asset management
  • Risk assessment
  • Improvement

What do you have, what could go wrong, and how are you getting better?

PR — Protect

  • Identity management, authentication, and access control
  • Awareness and training
  • Data security
  • Platform security
  • Technology infrastructure resilience

The bulk of "controls" people think of when they think of cybersecurity.

DE — Detect

  • Continuous monitoring
  • Adverse event analysis

How you find out something has happened.

RS — Respond

  • Incident management
  • Incident analysis
  • Incident response reporting and communication
  • Incident mitigation

What happens after detection.

RC — Recover

  • Incident recovery plan execution
  • Incident recovery communication

Getting back to business.

When CSF is the right choice

CSF works well when:

  • You want a framework structure without a certification audit.
  • You're talking to non-technical stakeholders (board, exec, regulators) and need a vocabulary that won't get lost in jargon.
  • You're operating in the US public sector or supply chain, where CSF is increasingly the lingua franca.
  • You need to map between different certification regimes — CSF is the most-mapped framework in existence.

When CSF is not enough on its own

CSF doesn't tell you what good looks like at the control level. It tells you that you should do "asset management" — it doesn't tell you what an asset register should contain. For that, pair CSF with a control-rich framework: ISO 27001 Annex A, NIST 800-53, or CIS Controls v8.

The common pattern: CSF for the programme structure, ISO 27001 (or NIST 800-53, or CIS Controls) for the control depth.

Mapping Blankitt controls to CSF

In Blankitt, when you activate NIST CSF 2.0, the framework hierarchy looks like:

NIST CSF 2.0
├── GV — Govern
│   ├── GV.OC — Organisational Context
│   ├── GV.RM — Risk Management Strategy
│   └── …
├── ID — Identify
├── PR — Protect
├── DE — Detect
├── RS — Respond
└── RC — Recover

A control like "Annual phishing-resistance training" maps cleanly to PR.AT-01 — Personnel awareness. A control like "24×7 SOC monitoring" maps to DE.CM-01 — Networks and network services are monitored. The map is many-to-many: one control often satisfies several CSF subcategories at once.

This is exactly the property that makes the next chapter — multi-framework mapping — work.
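To make the many-to-many mapping concrete, here is an added worked example (not Blankitt's code) that holds a small control register keyed to CSF 2.0 subcategory IDs and computes per-function coverage, so functions with no mapped control stand out as gaps. PR.AT-01, DE.CM-01 and the GV.OC / GV.RM categories come from this chapter; the control names, the "-01" subcategory suffixes under GV.OC and GV.RM, and the network-IDS control are constructed for illustration.

```python
"""Many-to-many mapping of internal controls to NIST CSF 2.0 subcategories."""
from collections import defaultdict

# The six CSF 2.0 functions, keyed by the two-letter prefix that starts every CSF ID.
FUNCTIONS = {
    "GV": "Govern", "ID": "Identify", "PR": "Protect",
    "DE": "Detect", "RS": "Respond", "RC": "Recover",
}

# Constructed control register: one control -> one or more CSF subcategories.
CONTROLS = {
    "Annual phishing-resistance training": ["PR.AT-01"],
    "24x7 SOC monitoring": ["DE.CM-01"],
    "Network IDS alerting": ["DE.CM-01"],          # constructed: second control on one subcategory
    "Information security risk policy": ["GV.OC-01", "GV.RM-01"],  # constructed: one control, two categories
}


def function_of(subcategory_id: str) -> str:
    """'PR.AT-01' -> 'Protect'. Rejects IDs whose prefix is not a CSF function."""
    prefix = subcategory_id.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"not a CSF 2.0 function prefix: {prefix!r}")
    return FUNCTIONS[prefix]


def category_of(subcategory_id: str) -> str:
    """'PR.AT-01' -> 'PR.AT' (the category is everything before the '-NN' suffix)."""
    return subcategory_id.split("-", 1)[0]


def invert(controls: dict) -> dict:
    """Subcategory -> controls satisfying it: the same mapping viewed from the CSF side."""
    by_subcat = defaultdict(list)
    for control, subcats in controls.items():
        for subcat in subcats:
            by_subcat[subcat].append(control)
    return dict(by_subcat)


def coverage_by_function(controls: dict) -> dict:
    """Distinct subcategories touched per function; every function is listed so gaps read as 0."""
    touched = defaultdict(set)
    for subcats in controls.values():
        for subcat in subcats:
            touched[function_of(subcat)].add(subcat)
    return {name: len(touched[name]) for name in FUNCTIONS.values()}


def uncovered_functions(controls: dict) -> list:
    """Functions with no mapped control at all: the first place a programme review should look."""
    return [name for name, count in coverage_by_function(controls).items() if count == 0]
```

With the constructed register above, Detect counts one distinct subcategory even though two controls map to it, and Identify, Respond and Recover show as uncovered.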
