Adversarial Risk Group

What is the NIST Cybersecurity Framework (CSF 2.0)?

The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary framework organized around six functions for managing cybersecurity risk.

Key takeaways

  • CSF 2.0 organizes cybersecurity risk management around six functions: Govern, Identify, Protect, Detect, Respond, Recover.
  • The framework is voluntary but increasingly expected by customers, insurers, prime contractors, and regulators. Adopting it is usually less effort than continuing to manage security without it.
  • For mid-market manufacturers, CSF is the right starting framework because it organizes thinking without prescribing specific controls. Specific controls come from CIS Controls, NIST SP 800-53, or compliance-specific frameworks.
  • The 2.0 revision (published 2024) adds Govern as a sixth function, expands supply chain risk management, and broadens the audience beyond critical infrastructure.
  • ARG maps every engagement finding to a CSF function and outcome, so the program output reads cleanly into the framework executives are using to think about risk.

What are the six functions of NIST CSF 2.0?

CSF 2.0 is organized around six functions, each containing categories and subcategories that describe outcomes a security program should achieve.

Govern (GV). New in 2.0. The function that establishes the organization's cybersecurity strategy, expectations, policy, and risk management governance. Covers cybersecurity supply chain risk management, roles and responsibilities, oversight, and policies. Placing Govern as a peer of (and informally the foundation for) the other functions reflects that cybersecurity is now a board-level concern, not a technical one.

Identify (ID). Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Asset management, business environment, governance (in 1.1; now part of GV), risk assessment, risk management strategy, supply chain risk management.

Protect (PR). Develop and implement appropriate safeguards. Identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.

Detect (DE). Develop and implement activities to identify the occurrence of a cybersecurity event. Anomalies and events, security continuous monitoring, detection processes.

Respond (RS). Develop and implement activities to act on a detected cybersecurity event. Response planning, communications, analysis, mitigation, improvements.

Recover (RC). Develop and implement activities to maintain plans for resilience and to restore capabilities or services impaired by a cybersecurity event. Recovery planning, improvements, communications.

The six functions together produce a complete view of a cybersecurity program. A program with strong Protect and weak Detect is a different shape from one with strong Detect and weak Respond; CSF makes the shapes visible.

What changed between CSF 1.1 and CSF 2.0

The 2.0 revision, published in February 2024, brought four material changes.

  1. Govern added as a sixth function. CSF 1.1 had five functions (Identify, Protect, Detect, Respond, Recover). 2.0 elevates governance to a peer function rather than treating it as a subcategory of Identify. The change reflects the recognition that governance is foundational, not a technical detail.
  2. Expanded supply chain coverage. The supply chain risk management category, previously a subcategory under Identify, expanded into a more detailed treatment with explicit subcategories. See What is third-party risk for manufacturers? and What is a supply chain attack?.
  3. Broadened audience. Original CSF targeted critical infrastructure. 2.0 explicitly broadens scope to any organization, with sector-specific quick-start guides (small business, enterprise risk management, supply chain, secure software development).
  4. Implementation tools. NIST published implementation examples, organizational profiles, community profiles (sector-specific reference profiles), and tiers (1 to 4) describing how cybersecurity risk management is integrated into broader risk management.

The 2.0 revision is broadly compatible with 1.1; organizations on 1.1 can migrate without restructuring their program, picking up Govern as the explicit container for activity that was already happening implicitly.

Why CSF is the right starting framework for mid-market manufacturers

For a mid-market manufacturer building a security program from a compliance-driven baseline, CSF offers four practical advantages.

  1. Organizes thinking without prescribing controls. CSF tells the program what outcomes to achieve, not which products to buy or which controls to implement. The specifics come from other references (NIST SP 800-53, CIS Controls, ISO 27001). The program retains room to choose appropriate controls for the environment.
  2. Maps cleanly to other frameworks. CSF references map to NIST SP 800-53, ISO 27001, CIS Controls, CMMC, and others. A program organized to CSF can produce evidence for multiple compliance regimes without duplicating effort.
  3. Executive-readable. The six functions are intelligible to non-specialist executives. Reporting against the framework produces communication that an owner or CTO without a security background can use.
  4. Recognized by insurance and customers. Cyber insurance underwriters reference CSF; prime contractors flow CSF expectations down their supply chains; large customers include CSF questions in vendor reviews. Alignment is operationally useful, not just internally clarifying.

A mid-market manufacturer that adopts CSF as the organizing framework, then maps specific controls from CIS Controls Implementation Group 1 or 2, has a defensible security program that serves the buyer, the customer, the insurer, and the regulator with a single source of truth.

Examples of CSF function gaps found in real audits

Patterns ARG sees during engagements at mid-market manufacturers, organized by CSF function:

Govern. Cybersecurity strategy exists in the IT lead's head but is not documented. Roles and responsibilities for security decisions are unclear. The board or executive team does not see security metrics on a regular cadence. Supply chain risk management is informal or absent.

Identify. Asset inventory is incomplete. The IT inventory does not include OT assets. Personnel inventory does not include vendors with access. Risk assessment is annual at best, often older than that. The risk register does not exist or is stale.

Protect. Identity management uses push MFA where phishing-resistant MFA is available. Access reviews happen rarely; privilege creep accumulates. Security awareness training is annual classroom-style. Data classification is informal; CUI handling is inconsistent.

Detect. EDR is deployed but not tuned; alerts go unread. SIEM logging is present but no one watches it. The OT environment has no detection coverage. Anomaly detection on identity is not configured. See What is dwell time?.

Respond. Incident response plan exists as a document; nobody has practiced it. Contact lists are stale. Decision authority for high-impact actions (production stoppage, wire-fraud response, ransomware payment) is not pre-authorized.

Recover. Backups exist; restoration has never been tested. Recovery time objectives are not documented. Communication plans for customers, regulators, and insurers do not exist.

The pattern across these findings: most mid-market manufacturers have a stronger Protect function than the other five. CSF helps reveal the imbalance because it forces the program to be measured against all six.

How to build a CSF profile and target maturity

A CSF profile documents two states: current (where the program is) and target (where the program needs to be). The gap between them is the program backlog.

Current profile. For each subcategory in CSF (roughly 100 subcategories across the six functions), document the organization's current state. Three levels of fidelity work:

  • Maturity tier (1 to 4). Coarse-grained: partial, risk-informed, repeatable, adaptive.
  • Outcome present / partial / absent. Three-state coverage of each subcategory.
  • Detailed evidence. Specific controls implemented, evidence captured, gaps documented.

A first profile usually starts at the present/partial/absent level and deepens over time.

Target profile. What the organization needs to achieve, by when, given its risk profile, customer expectations, regulatory environment, and insurance posture. The target is not "maximum maturity everywhere"; it is "appropriate maturity in the areas that matter, given resource constraints".

Gap analysis. Current versus target across all subcategories. The output is a prioritized list of improvements with rough cost and timeline. The gap analysis is the program plan, not the policy document.

Cadence. Profile updated annually or after any material change. Many mid-market manufacturers run a six-month check-in mid-year to track progress without a full re-profile.

The profile is the foundation for everything downstream: risk register entries, insurance renewal evidence, customer questionnaire responses, audit packages for CMMC or ISO 27001 assessors.

Best practices for using CSF to prioritize spend

  1. Prioritize by risk reduction per dollar. A finding's CSF location is informative; its risk reduction per remediation cost is decision-relevant. Govern and Identify findings often produce outsized risk reduction at low cost (policy, inventory, training); Protect and Detect findings often require investment.
  2. Sequence Govern and Identify first. Without governance and asset inventory, the rest of the program is uncalibrated. Investment in Protect, Detect, Respond, and Recover without the foundation produces less return.
  3. Use the framework to communicate, not as a checklist. Reporting at the function level produces conversations executives can engage in. Reporting at the subcategory level produces audit packages. Use the right resolution for the audience.
  4. Map findings to a single CSF location. Cross-mapping (a single finding to multiple subcategories) is sometimes necessary, but consistent single-location mapping produces cleaner reporting and easier prioritization.
  5. Pair CSF with a specific control catalog. CIS Controls v8 (Implementation Group 1 or 2 for mid-market), NIST SP 800-53 (where 800-171 applies), or ISO 27001 Annex A. Pick one and use it as the source of specific control implementation.
  6. Build for the next renewal cycle. Insurance renewal, customer questionnaires, and prime-contract reviews all produce demand for CSF-mapped evidence. Building the evidence as a byproduct of program operation is cheaper than building it ad-hoc each cycle.
  7. Update annually, not in panic. A CSF profile updated annually with quarterly check-ins outperforms one rewritten under deadline pressure. The cadence is part of the discipline.
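The profile, gap analysis and spend prioritization described in the two sections above, as a small Python script. This is an added example, not code from the page or from ARG; the subcategory ids, costs and risk-reduction figures are constructed for illustration, and ordering the backlog as "Govern and Identify first, then risk reduction per dollar" is one way to combine the two rules above.

```python
from dataclasses import dataclass

# Three-state coverage used for a first CSF current profile.
STATE_SCORE = {"absent": 0, "partial": 1, "present": 2}
FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")
FOUNDATION = {"GV", "ID"}  # sequenced before the other four functions

@dataclass(frozen=True)
class Subcategory:
    sid: str               # CSF id, "<function>.<category>-<nn>"
    current: str           # present / partial / absent
    target: str            # present / partial / absent
    cost_usd: float        # rough remediation cost (constructed estimate)
    risk_reduction: float  # estimated risk reduction, 0..1 (constructed)

def function_of(sub: Subcategory) -> str:
    return sub.sid.split(".")[0]

def gap(sub: Subcategory) -> int:
    """Target minus current; > 0 means the subcategory is on the backlog."""
    return STATE_SCORE[sub.target] - STATE_SCORE[sub.current]

def coverage_by_function(profile):
    """Function-level view (executive resolution): share of target reached."""
    out = {}
    for fn in FUNCTIONS:
        subs = [s for s in profile if function_of(s) == fn]
        have = sum(STATE_SCORE[s.current] for s in subs)
        want = sum(STATE_SCORE[s.target] for s in subs)
        out[fn] = round(min(have, want) / want, 2) if want else 1.0
    return out

def prioritized_backlog(profile):
    """Subcategory-level view: open gaps, foundation first, then by risk reduction per dollar."""
    open_gaps = [s for s in profile if gap(s) > 0]
    return sorted(open_gaps, key=lambda s: (function_of(s) not in FOUNDATION,
                                            -s.risk_reduction / max(s.cost_usd, 1.0)))

# Constructed sample profile: ids chosen for illustration, figures are not real.
SAMPLE_PROFILE = [
    Subcategory("GV.SC-01", "absent", "present", 4000, 0.30),
    Subcategory("ID.AM-01", "partial", "present", 2000, 0.20),
    Subcategory("PR.AA-03", "present", "present", 0, 0.0),
    Subcategory("PR.DS-01", "partial", "present", 15000, 0.25),
    Subcategory("DE.CM-01", "absent", "present", 30000, 0.40),
    Subcategory("RS.MA-01", "absent", "partial", 3000, 0.15),
    Subcategory("RC.RP-01", "partial", "present", 5000, 0.20),
]

if __name__ == "__main__":
    print(coverage_by_function(SAMPLE_PROFILE))  # the program's "shape"
    for s in prioritized_backlog(SAMPLE_PROFILE):
        print(f"{s.sid}: {s.current} -> {s.target}, ~${s.cost_usd:,.0f}")
```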

NIST CSF 2.0 FAQs

Is NIST CSF mandatory?

Generally no. CSF is voluntary. Some federal agencies, contractors, and regulated industries reference CSF in their requirements, which makes alignment effectively mandatory in those contexts. For most mid-market manufacturers, CSF is voluntary but increasingly expected by customers, insurers, and prime contractors.

How long does a CSF assessment take?

A current-state profile for a mid-market manufacturer typically takes two to four weeks: one to two weeks of document review and interviews, one week on-site if a physical component is included, and one week of analysis and reporting. Target-profile and gap analysis can run in parallel or follow.

Does CSF satisfy CMMC requirements?

Not directly. CSF and CMMC are different frameworks with different scope and different deliverables. They are complementary: a CSF profile organizes the security program; CMMC sets specific control requirements for handling controlled unclassified information in defense contracts. Many controls overlap; mapping between the two saves duplicate effort.

What is the difference between CSF and NIST 800-53?

CSF is a high-level framework with six functions and 23 categories; NIST SP 800-53 is a detailed control catalog with hundreds of specific controls. CSF tells you what outcomes to achieve; 800-53 provides the specific controls you might implement. CSF references 800-53 (and other catalogs) as informative references.

How ARG maps audit findings to CSF functions and outcomes

Every ARG engagement produces findings mapped to NIST CSF 2.0. The mapping happens during the engagement, not after, so the report is structured around the framework executives and underwriters will read.

The audit is conducted by David Ashby, with findings on the technical (digital) components from James Wall. The mapping covers all six functions:

  • Govern. Cybersecurity strategy documentation, executive sponsorship, supply chain risk management, oversight cadence.
  • Identify. Asset inventory (IT, OT, identity), vendor inventory, risk register state, business-context documentation.
  • Protect. Identity controls (phishing-resistant MFA, least privilege), data protection, physical safeguards, awareness program effectiveness, continuous adversarial simulation findings.
  • Detect. Detection coverage by MITRE ATT&CK technique, OT-aware monitoring state, identity-anomaly detection, alert routing accuracy.
  • Respond. Incident response plan maturity, tabletop exercise outcomes, communications readiness, decision authority documentation.
  • Recover. Backup state, restoration testing, recovery time objectives, post-incident improvement processes.

Each finding carries: location in CSF, current state, recommended target state, evidence captured, estimated remediation effort, and (where applicable) mapping to other frameworks the client is subject to (CMMC, NIST SP 800-171, ISO 27001, insurance underwriting requirements).

The output reads cleanly into the framework the client is using to talk to their board, their insurance broker, and their primary customers. ARG does not invent a new framework; ARG produces evidence inside the framework that already governs the conversation.

Apply as a founding client or see how the engagement works for the full delivery cycle.

Find what gets through.

ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.

Author: David Ashby. Updated 2026-05-18. Adversarial Risk Group