NIST Cybersecurity Framework 2.0

A voluntary framework developed by NIST to help organisations manage and reduce cybersecurity risk. Version 2.0 adds the Govern function and supply chain security. Available on the Ultimate plan.

The most widely used cybersecurity risk framework

The NIST Cybersecurity Framework (CSF) 2.0 was published by the US National Institute of Standards and Technology in February 2024. It provides a voluntary, flexible framework for managing cybersecurity risk across any organisation, sector, or size — from startups to global enterprises.

CSF 2.0 reorganises the framework around six core functions: Govern (new in 2.0), Identify, Protect, Detect, Respond, and Recover. The new Govern function reflects the growing importance of executive accountability for cybersecurity risk.

While voluntary, NIST CSF is widely referenced in US regulations including Executive Order 14028 on Improving the Nation's Cybersecurity, HIPAA, and CISA guidance. It is also used internationally as a complement to ISO 27001.

Key figures: 6 core functions, 22 categories, 106 subcategories; CSF 2.0 published in 2024.

The 6 NIST CSF 2.0 functions — the full risk lifecycle

CSF 2.0 covers the entire cybersecurity risk lifecycle — from governance and asset identification through protection, detection, response, and recovery.

GV: Govern (new in 2.0)

New in CSF 2.0. Establishes and monitors the organisation's cybersecurity risk management strategy, expectations, and policy.

Categories: Organisational context, Risk management strategy, Roles & responsibilities, Policy, Oversight, Supply chain risk

ID: Identify

Understand the organisation's cybersecurity risk to systems, people, assets, data, and capabilities.

Categories: Asset management, Risk assessment, Improvement

PR: Protect

Develop and implement appropriate safeguards to ensure delivery of critical services.

Categories: Identity management & access control, Awareness & training, Data security, Platform security, Technology infrastructure resilience

DE: Detect

Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

Categories: Continuous monitoring, Adverse event analysis

RS: Respond

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

Categories: Incident management, Incident analysis, Incident response reporting & communication, Mitigation, Improvements

RC: Recover

Develop and implement appropriate activities to maintain plans for resilience and to restore capabilities impaired during a cybersecurity incident.

Categories: Incident recovery plan execution, Incident recovery communication

Where does your organisation sit on the NIST maturity scale?

NIST CSF Tiers describe the degree to which an organisation's cybersecurity risk management practices exhibit the characteristics defined in the framework — from ad hoc (Tier 1) to adaptive (Tier 4).

Tier 1: Partial. Ad hoc risk management. No formal processes or policies. Cybersecurity is reactive.

Tier 2: Risk Informed. Risk management practices exist but are not organisation-wide. Awareness of risk exists but formal policy is lacking.

Tier 3: Repeatable. Formal risk management policies are defined and practised organisation-wide. Procedures are regularly updated.

Tier 4: Adaptive. Risk management is continuously improved based on lessons learned. The organisation shares information with external parties.

NIST CSF 2.0 vs ISO 27001 — which do you need?

Many organisations implement both. Unicis supports simultaneous cross-framework tracking — controls mapped once, coverage credited in both.

Criteria | NIST CSF 2.0 | ISO 27001
Type | Voluntary framework (US-developed) | International certifiable standard
Structure | 6 Functions, 22 Categories, 106 Subcategories | 93 Annex A controls across 4 themes
Certification | No certification; self-assessment | Third-party certification by accredited body
US regulatory alignment | Strong; referenced in EO 14028, HIPAA, etc. | Referenced but not mandated
Overlap with NIS2 | Moderate; maps to most Art. 21 measures | Strong; ~60–70% overlap
Unicis plan | Ultimate | Premium

Who should adopt NIST CSF 2.0?

NIST CSF 2.0 is designed for organisations of any size and sector. It is widely used by US federal agencies and contractors, but is increasingly adopted globally — particularly by technology companies, financial institutions, healthcare providers, and any business managing cybersecurity risk.

Typical adopters: Technology Companies, Financial Services, Healthcare, US Federal Contractors, Critical Infrastructure, SaaS Providers, Manufacturing, Energy & Utilities

Multi-Framework Support

11 Compliance Frameworks Supported

From the minimum viable security baseline to enterprise-grade standards — coverage for every compliance requirement.


Start implementing NIST CSF 2.0 with Unicis

Track all 6 NIST CSF 2.0 functions with automated GAP analysis and cross-framework mapping to ISO 27001, NIS2, and CIS. Available on the Ultimate plan.