What is NIST?
The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the US Department of Commerce. Founded in 1901, NIST develops standards, guidelines and best practices that help organisations manage risk, improve security and drive innovation. In cybersecurity, NIST is the most trusted standards body in the United States — its publications are followed by governments, enterprises and security professionals worldwide.
Learn more about NIST and the history of the Cybersecurity Framework →
What is NIST CSF 2.0?
The NIST Cybersecurity Framework 2.0, released in February 2024, is a voluntary framework that helps organisations of all sizes manage and reduce cybersecurity risk. It provides a structured, outcome-based approach using six core functions covering the entire lifecycle of cybersecurity risk management. Version 2.0 is the most significant update since the framework launched in 2014 — expanding scope to all organisations regardless of sector and introducing the new Govern function.
| Standard Body | NIST — National Institute of Standards and Technology |
| Current Version | 2.0 (February 2024) |
| Mandatory or Voluntary | Voluntary (Mandatory for some US federal contractors) |
| Geography | USA (adopted globally) |
| Official Resource | nist.gov/cyberframework |
The Six Core Functions
NIST CSF 2.0 organises cybersecurity activities into six core functions. Each function contains categories and subcategories that describe specific outcomes organisations should achieve.
| Function | Code | Purpose |
|---|---|---|
| Govern | GV | Establish and monitor cybersecurity risk management strategy, policy and oversight. New in 2.0. |
| Identify | ID | Understand assets, suppliers, risks and vulnerabilities across the organisation. |
| Protect | PR | Implement safeguards to prevent or reduce cybersecurity incident impact. |
| Detect | DE | Identify cybersecurity incidents through continuous monitoring and anomaly detection. |
| Respond | RS | Take action when a cybersecurity incident is detected — planning, communication and analysis. |
| Recover | RC | Restore capabilities and services impacted by a cybersecurity incident. |
What Changed from Version 1.1 to 2.0?
| Area | Version 1.1 | Version 2.0 |
|---|---|---|
| Core Functions | 5 (Identify, Protect, Detect, Respond, Recover) | 6 (+ Govern) |
| Scope | Critical infrastructure focus | All organisations regardless of size or sector |
| Supply Chain | Basic guidance | Dedicated Supply Chain Risk Management category (GV.SC) |
| Governance | Embedded across functions | Dedicated Govern function at board/executive level |
| Implementation | 4 Tiers | Simplified with implementation examples for SMEs |
NIST CSF 2.0 — All 106 Clauses with SP 800-53 Mappings
The following table lists all 106 subcategory clauses in NIST CSF 2.0, grouped by function, with their mapped NIST SP 800-53 controls.
GOVERN (GV)
| Clause | Description | SP 800-53 Controls |
|---|---|---|
| GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management | PM-07, PM-08, PM-11 |
| GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | PM-08, PM-11, PM-15 |
| GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity are understood and managed | PM-01, PL-04, SA-04 |
| GV.OC-04 | Critical objectives, capabilities, and services that external stakeholders depend on are understood and communicated | PM-08, PM-11, CP-02 |
| GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | PM-08, PM-11, SA-09, CP-02 |
| GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | PM-09, PM-06, CA-07, PM-31 |
| GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | PM-09, PM-28, CA-02, RA-03 |
| GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | PM-06, CA-07, PM-14, CA-02 |
| GV.PO-01 | A policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | PL-01, PM-01, PM-09, PL-02 |
| GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | PL-01, PM-01, PM-04, CA-07 |
| GV.RM-01 | Risk management objectives are established and expressed as statements that articulate the basis for cybersecurity risk management decisions | PM-09, PM-28, RA-01 |
| GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | PM-09, PM-28 |
| GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | PM-09, PM-28, PM-01 |
| GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | PM-09, RA-03, RA-07, CA-05 |
| GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | PM-15, PM-16, IR-06, IR-07, SR-01 |
| GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | RA-01, RA-02, RA-03, PM-09 |
| GV.RM-07 | Strategic opportunities (positive risks) are characterized and are included in organizational cybersecurity risk discussions | PM-09 |
| GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | PM-01, PM-02, PM-13, AT-02 |
| GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | PM-02, PS-01, PS-02, PS-09, PL-01, PM-13 |
| GV.RR-03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles and responsibilities, and policies | PM-03, PM-13, SA-02 |
| GV.RR-04 | Cybersecurity is included in human resources practices | PS-01 through PS-09, AT-01 through AT-04, PM-13 |
| GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | SR-01, SR-02, SR-03, PM-30 |
| GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established and communicated | SA-04, SA-09, SR-01, SR-03 |
| GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | SR-01, SR-02, PM-09, PM-30 |
| GV.SC-04 | Suppliers are known and prioritized by criticality | SR-02, SR-03, SR-06, SA-04 |
| GV.SC-05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | SA-04, SR-01, SR-02, SR-03 |
| GV.SC-06 | Planning and due diligence are conducted to reduce risks before entering into formal supplier or other third-party relationships | SR-03, SR-05, SR-06, SA-04 |
| GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | SR-02, SR-03, SR-06, RA-03, RA-07 |
| GV.SC-08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | IR-04, IR-08, SR-08, CP-02 |
| GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | SR-01, SR-02, SR-03, SR-06, PM-30, SA-03 |
| GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | SR-12, SA-04, SR-01, MP-06 |
IDENTIFY (ID)
| Clause | Description | SP 800-53 Controls |
|---|---|---|
| ID.AM-01 | Inventories of hardware managed by the organization are maintained | CM-08, PM-05 |
| ID.AM-02 | Inventories of software, services, and systems managed by the organization are maintained | CM-08, PM-05, CM-10 |
| ID.AM-03 | Representations of the organization’s authorized network communication and internal and external network data flows are maintained | AC-04, PL-08, CA-03, SC-07, CM-12 |
| ID.AM-04 | Inventories of services provided by suppliers are maintained | SA-09, SR-06, PM-05 |
| ID.AM-05 | Assets are prioritized based on classification, criticality, resources, and impact to the mission | RA-02, PM-11, CP-02, PM-07 |
| ID.AM-07 | Inventories of data and corresponding metadata for designated data types are maintained | RA-02, CM-08, CM-12, CM-13, SI-12 |
| ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | SA-03, SA-22, CM-08, SI-12, MP-06 |
| ID.IM-01 | Improvements are identified from evaluations | CA-02, CA-07, PM-06, PM-04 |
| ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | CA-08, IR-03, PM-14, CP-04 |
| ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | CA-07, PM-06, IR-04, SI-04, AT-06 |
| ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved based on lessons learned and other factors | IR-08, IR-03, CP-02, CP-04 |
| ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded | RA-05, SI-02, SI-05 |
| ID.RA-02 | Cyber threat intelligence is received from information sharing forums and sources | PM-16, SI-05, PM-15 |
| ID.RA-03 | Internal and external threats to the organization are identified and recorded | RA-03, PM-16, RA-10 |
| ID.RA-04 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | RA-03, RA-02 |
| ID.RA-05 | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization | RA-03, RA-07, PM-09, CA-05 |
| ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | RA-07, RA-03, PM-09, CA-05, PM-04 |
| ID.RA-07 | Changes and exceptions are managed, assessed for risk impact, and recorded | CM-03, CM-04, CA-06, RA-07, PM-09 |
| ID.RA-08 | Processes for receiving, analyzing, and responding to vulnerability disclosures are established | RA-05, SI-02, SI-05, PM-15 |
| ID.RA-09 | The authenticity and integrity of hardware and software are assessed prior to acquisition and use | SR-04, SR-05, SR-09, SR-10, SR-11, SA-04 |
| ID.RA-10 | Critical suppliers are assessed prior to acquisition | SR-03, SR-05, SR-06, SA-04 |
PROTECT (PR)
| Clause | Description | SP 800-53 Controls |
|---|---|---|
| PR.AA-01 | Identities and credentials for authorized users, services, and hardware are managed by the organization | IA-02, IA-04, IA-05, IA-08, IA-12 |
| PR.AA-02 | Identities are proofed and bound to credentials based on the context of interactions | IA-12, IA-04, IA-05 |
| PR.AA-03 | Users, services, and hardware are authenticated | IA-02, IA-03, IA-08, IA-09 |
| PR.AA-04 | Identity assertions are protected, conveyed, and verified | IA-02, IA-05, SC-23, IA-08 |
| PR.AA-05 | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | AC-02, AC-03, AC-05, AC-06, AC-24 |
| PR.AA-06 | Physical access to assets is managed, monitored, and enforced commensurate with risk | PE-02, PE-03, PE-06, PE-08 |
| PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | AT-02, AT-03, AT-06, PM-13 |
| PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | AT-03, AT-06, PM-13, IR-02 |
| PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest is protected | SC-28, MP-04, MP-05, AC-03 |
| PR.DS-02 | The confidentiality, integrity, and availability of data-in-transit is protected | SC-08, SC-12, SC-13, AC-17 |
| PR.DS-10 | The confidentiality, integrity, and availability of data-in-use is protected | SC-04, AC-03, AC-04, SC-39 |
| PR.DS-11 | Backups of data are created, protected, maintained, and tested in accordance with policy | CP-09, CP-06 |
| PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage | SC-07, AC-04, AC-17, SC-32 |
| PR.IR-02 | The organization’s technology assets are protected from environmental threats | PE-09 through PE-15 |
| PR.IR-03 | Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | CP-02, CP-07, CP-08, CP-09, CP-10, SC-05, SC-36 |
| PR.IR-04 | Adequate resource capacity to ensure availability is maintained | AU-04, CP-02, SC-05, PE-11 |
| PR.PS-01 | Configuration management practices are established and applied | CM-01, CM-02, CM-03, CM-06, CM-07, CM-08, CM-09, PL-09 |
| PR.PS-02 | Software is maintained, replaced, and removed commensurate with risk | SI-02, SA-22, CM-07, CM-11 |
| PR.PS-03 | Hardware is maintained, replaced, and removed commensurate with risk | MA-02, MA-06, SA-22, CM-08 |
| PR.PS-04 | Log records are generated and made available for continuous monitoring | AU-02, AU-03, AU-06, AU-12, CA-07 |
| PR.PS-05 | Installation and execution of unauthorized software is prevented | CM-07, CM-11, CM-14 |
| PR.PS-06 | Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle | SA-03, SA-08, SA-10, SA-11, SA-15, SA-17 |
DETECT (DE)
| Clause | Description | SP 800-53 Controls |
|---|---|---|
| DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | SI-04, AU-06, IR-04 |
| DE.AE-03 | Information is correlated from multiple sources | AU-06, SI-04, PL-09 |
| DE.AE-04 | The estimated impact and scope of adverse events are understood | IR-04, RA-03, AU-06, SI-04 |
| DE.AE-06 | Information on adverse events is provided to authorized staff and tools | SI-04, IR-06, AU-06 |
| DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis | PM-16, RA-03, SI-05, RA-10 |
| DE.AE-08 | Incidents are declared when adverse events meet the defined incident criteria | IR-04, IR-05, IR-06 |
| DE.CM-01 | Networks and network services are monitored to find potentially adverse events | SI-04, SC-07, AU-06, CA-07 |
| DE.CM-02 | The physical environment is monitored to find potentially adverse events | PE-06, PE-03, PE-20 |
| DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | AU-06, AU-12, SI-04, AC-02 |
| DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events | SA-09, SR-06, CA-07, SI-04 |
| DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | SI-04, SI-07, AU-06, CM-03 |
RESPOND (RS)
| Clause | Description | SP 800-53 Controls |
|---|---|---|
| RS.AN-03 | Analysis is performed to determine what has taken place during an incident and root cause | IR-04, AU-06, SI-04 |
| RS.AN-06 | Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved | IR-04, AU-09, AU-11 |
| RS.AN-07 | Incident data and metadata are collected, and their integrity and provenance are preserved | IR-04, AU-03, AU-09, AU-11 |
| RS.AN-08 | An incident’s magnitude is estimated and validated | IR-04, IR-05, RA-03 |
| RS.CO-02 | Internal and external stakeholders are notified of incidents | IR-06, IR-07 |
| RS.CO-03 | Information is shared with designated internal and external stakeholders | IR-06, PM-15, PM-16 |
| RS.MA-01 | The incident response plan is executed in coordination with relevant third parties once an incident is declared | IR-04, IR-06, IR-07, IR-08 |
| RS.MA-02 | Incident reports are triaged and validated | IR-04, IR-05 |
| RS.MA-03 | Incidents are categorized and prioritized | IR-04, IR-05 |
| RS.MA-04 | Incidents are escalated or elevated as needed | IR-04, IR-06, IR-07 |
| RS.MA-05 | The criteria for initiating incident recovery are applied | IR-04, CP-10 |
| RS.MI-01 | Incidents are contained | IR-04, SC-07 |
| RS.MI-02 | Incidents are eradicated | IR-04, SI-03 |
RECOVER (RC)
| Clause | Description | SP 800-53 Controls |
|---|---|---|
| RC.CO-03 | Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders | IR-06, IR-07, CP-02 |
| RC.CO-04 | Public updates on incident recovery are shared using approved methods and messaging | IR-06, IR-07 |
| RC.RP-01 | The recovery portion of the incident response plan is executed once initiated from the incident response process | CP-10, IR-04, CP-02 |
| RC.RP-02 | Recovery actions are selected, scoped, and prioritized, considering the business impact of the incident | CP-10, CP-02, IR-04 |
| RC.RP-03 | The integrity of backups and other restoration assets is verified before using them for restoration | CP-09, SI-07 |
| RC.RP-04 | Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms | CP-10, IR-04, PM-11 |
| RC.RP-05 | The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | CP-10, SI-07, CA-07 |
| RC.RP-06 | The end of incident recovery is declared based on criteria, and incident-related documentation is completed | IR-04, IR-03 |
Securitora Assessment
NIST CSF 2.0 is the best starting point for any organisation building or maturing a cybersecurity programme. Its flexibility, clear structure and global recognition make it the most practical framework for establishing a common language around cyber risk. The addition of the Govern function in version 2.0 is a significant improvement — it forces the right conversations at board level and ensures cybersecurity is treated as a business risk rather than an IT problem.
| Recommended for | All organisations regardless of size or sector |
| Difficulty to implement | Medium — flexible but requires honest self-assessment |
| Best used with | NIST SP 800-53 · ISO 27001 · COBIT 2019 |
| Official resource | nist.gov/cyberframework → |