Cyber Posture

NIST Cybersecurity Framework 2.0

CSF speaks the language of outcomes — what a cybersecurity program is trying to achieve — rather than the controls language of NIST 800-53. CSF 2.0 (released Feb 2024) added the Govern function to the v1 set, making the framework an executive-friendly top-level map of an enterprise program.

The six Functions below are the highest level of the hierarchy. Each links through to its Categories, Subcategories, and the NIST 800-53 controls that implement them.

DE · Detect · 2 categories · 11 subcategories · Possible cybersecurity attacks and compromises are found and analyzed

GV · Govern · 6 categories · 31 subcategories · The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored

ID · Identify · 3 categories · 21 subcategories · The organization's current cybersecurity risks are understood

PR · Protect · 5 categories · 22 subcategories · Safeguards to manage the organization's cybersecurity risks are used

RC · Recover · 2 categories · 8 subcategories · Assets and operations affected by a cybersecurity incident are restored

RS · Respond · 4 categories · 13 subcategories · Actions regarding a detected cybersecurity incident are taken

6 Functions · 22 Categories · 106 Subcategories

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).