Baseline framework

NIST CSF 2.0, as the operating layer.

The voluntary cybersecurity framework whose vocabulary most insurers, board committees, and vendor questionnaires now use. We use it as the operating layer across every client program.

What CSF 2.0 actually is.

The NIST Cybersecurity Framework is voluntary, sector-agnostic, and now in its 2.0 revision (published 2024). It organizes cybersecurity outcomes into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. The 2.0 release added Govern as a new top-level function, recognizing that governance is the precondition for the rest.

CSF is not a control catalog. It points outward to source frameworks (CIS Controls, NIST 800-53, ISO 27001) and inward through Categories, Subcategories, and Informative References. Implementation Tiers (1 to 4) describe how rigorous and adaptive a program is. Profiles let an organization define its current and target state.

Govern (GV)

New in 2.0. Strategy, policy, roles, supply chain, risk management.

Identify (ID)

Asset management, business environment, governance, risk assessment.

Protect (PR)

Access control, awareness, data security, maintenance, protective technology.

Detect (DE)

Anomalies and events, continuous monitoring, detection processes.

Respond (RS)

Response planning, communications, analysis, mitigation, improvements.

Recover (RC)

Recovery planning, improvements, communications.

When teams use CSF.

CSF is voluntary, but almost every mid-market security program ends up using it because it answers questions that come from outside the IT function:

What we implement.

We don't certify a CSF profile; we use it. The work is mapping, scoring, reporting, and improving across the six functions.

Current profile assessment

Map controls and outcomes against every Subcategory. Score on a maturity scale your board recognizes.

Target profile definition

Where you need to be in 12 months. Tied to actual business drivers, not abstract maturity.

Gap closure roadmap

Specific projects with owners, dates, and budget. Quarterly tracking.

Quarterly reporting

One-page CSF dashboard. Same shape every quarter so progress is visible.

Subcategory operations

We own the technical operations that satisfy specific Subcategories. Logs, MFA, backups, IR plans, vendor tracking.

Cross-mapping

When you also need SOC 2, HIPAA, or NIST 800-171, we maintain one control set with multiple mappings rather than redundant programs.

Who owns what.

On us

  • Profile mapping, scoring, and quarterly updates
  • Technical Subcategory operations (most Protect, Detect, Respond, Recover work)
  • Insurance and vendor questionnaire responses
  • Cross-mapping to other frameworks you're subject to
  • Maturity progression planning and reporting
  • Incident response operations

On you

  • Govern function ownership at the executive level
  • Risk appetite and target profile decisions
  • Budget approval for gap closure projects
  • Policy approval (we draft, you adopt)
  • Workforce awareness program execution
  • Board and committee participation

Common pitfalls we see.

Aiming for Tier 4 on everything.

Tier 4 (Adaptive) is appropriate for some functions, expensive overkill for others. A pragmatic target profile mixes Tier 2 and Tier 3 across functions based on actual risk.

Treating Govern as IT's job.

The new Govern function explicitly belongs to executives and the board. If IT alone tries to own it, the rest of the framework hollows out. We help structure the cross-functional ownership.

Using CSF as a sole framework when sector regs apply.

CSF doesn't replace HIPAA, PCI DSS, or CMMC. It complements them. We map CSF to the regulatory frameworks once and keep one set of controls.

Scoring drift between quarters.

Without a consistent scoring rubric, comparisons across quarters become meaningless. We hold scoring discipline so the dashboard means something from one quarter to the next.
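As an added illustration of the profile assessment, target profile, gap roadmap, and scoring-discipline points above (example code written for this page, not the consultancy's own tooling): a small Python model in which every Subcategory score is derived from a single fixed rubric rather than typed in by hand, so a score can only move when the evidence behind it moves. Subcategory IDs follow the CSF 2.0 FUNCTION.CATEGORY-NN naming scheme and are assumed to match the published framework; the evidence, targets, and recorded scores are constructed sample data.

```python
"""CSF 2.0 profile scoring with a fixed rubric, gap roadmap, and drift check.

Added example for this page, not the consultancy's tooling. Subcategory IDs
follow the CSF 2.0 FUNCTION.CATEGORY-NN scheme (assumed to match the published
framework); evidence, targets, and recorded scores are constructed sample data.
"""
from dataclasses import dataclass

# One rubric for every quarter: a level is earned only when ALL of its
# criteria have evidence. Keeping the rubric in one place (and deriving scores
# from it rather than recording them by hand) is what prevents scoring drift.
RUBRIC = {
    0: set(),
    1: {"documented"},
    2: {"documented", "implemented"},
    3: {"documented", "implemented", "measured"},
    4: {"documented", "implemented", "measured", "adaptive"},
}


def score(evidence: set[str]) -> int:
    """Highest rubric level whose criteria are all present in the evidence.

    Evidence of 'implemented' without 'documented' still scores 0: the rubric
    is cumulative, so a control cannot skip a level.
    """
    return max(level for level, criteria in RUBRIC.items() if criteria <= evidence)


@dataclass
class Assessment:
    subcategory: str      # e.g. "PR.AA-01" (Protect function, Access Control category)
    evidence: set[str]    # rubric criteria the assessor holds evidence for
    target: int           # level the target profile calls for in 12 months

    @property
    def function(self) -> str:
        return self.subcategory.split(".")[0]   # "PR.AA-01" -> "PR"

    @property
    def current(self) -> int:
        return score(self.evidence)

    @property
    def gap(self) -> int:
        return max(0, self.target - self.current)


def function_rollup(assessments: list[Assessment]) -> dict[str, float]:
    """Average current score per CSF function, the row of a one-page dashboard."""
    by_fn: dict[str, list[int]] = {}
    for a in assessments:
        by_fn.setdefault(a.function, []).append(a.current)
    return {fn: sum(v) / len(v) for fn, v in by_fn.items()}


def roadmap(assessments: list[Assessment]) -> list[tuple[str, int, int]]:
    """Subcategories with an open gap, largest gap first: (id, current, target)."""
    gaps = [(a.subcategory, a.current, a.target) for a in assessments if a.gap]
    return sorted(gaps, key=lambda g: (-(g[2] - g[1]), g[0]))


def reconcile(recorded: dict[str, int], assessments: list[Assessment]) -> list[tuple[str, int, int]]:
    """Scoring-drift check: recorded scores that disagree with the rubric.

    Returns (id, recorded, derived) for every mismatch; an empty list means the
    quarter's dashboard numbers are fully backed by evidence.
    """
    derived = {a.subcategory: a.current for a in assessments}
    return sorted(
        (sub, recorded[sub], derived[sub])
        for sub in recorded
        if sub in derived and recorded[sub] != derived[sub]
    )


# Constructed sample: one Subcategory per function, assessed this quarter.
Q2_ASSESSMENTS = [
    Assessment("GV.OC-01", {"documented"}, target=3),
    Assessment("ID.AM-01", {"documented", "implemented"}, target=3),
    Assessment("PR.AA-01", {"documented", "implemented", "measured"}, target=3),
    Assessment("DE.CM-01", {"documented", "implemented"}, target=3),
    Assessment("RS.MA-01", {"documented", "implemented", "measured", "adaptive"}, target=3),
    Assessment("RC.RP-01", {"implemented"}, target=2),   # implemented but undocumented
]

# Constructed sample: what someone typed into last quarter's dashboard.
Q2_RECORDED = {"GV.OC-01": 2, "ID.AM-01": 2, "PR.AA-01": 3,
               "DE.CM-01": 2, "RS.MA-01": 4, "RC.RP-01": 0}

if __name__ == "__main__":
    print("rollup:", function_rollup(Q2_ASSESSMENTS))
    print("roadmap:", roadmap(Q2_ASSESSMENTS))
    print("drift:", reconcile(Q2_RECORDED, Q2_ASSESSMENTS))
```

Run as-is, the drift check flags GV.OC-01: the dashboard recorded a 2, but the only evidence on file is "documented", which the rubric scores as 1. The roadmap also surfaces RC.RP-01 at the top even though recovery work has been implemented, because an undocumented control cannot earn a score under a cumulative rubric; that is the kind of discrepancy a consistent rubric makes visible instead of letting it wash out between quarters.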

Related frameworks.

Frameworks that CSF maps cleanly to.

Schedule a call

Let's talk for 30 minutes.
No slides.

Bring your last cyber insurance questionnaire, your board's last risk report, or your current security KPIs. We'll come back with a written CSF profile, a target, and the path between.

  • 30-min discovery, no slide deck
  • Free written assessment, yours to keep
  • A clear proposal, no pressure

Or call us directly: 904-639-0003
