Best NIST CSF 2.0 software for MSPs

Buyer’s guide for MSPs

NIST CSF 2.0 is published by the US National Institute of Standards and Technology and structured around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. The framework has become the lingua franca of cyber-insurance assessments and a popular baseline for enterprise security programmes worldwide.

For MSPs, NIST CSF mapping matters because it is how most clients' cyber-insurance carriers ask about controls. Mapping live evidence to the six functions, with target / current / gap views, is the modern MSP delivery pattern.

What to look for

  1. Direct NIST CSF 2.0 control mapping. All six functions (Govern, Identify, Protect, Detect, Respond, Recover) with their categories and subcategories. Cross-references to Informative References (NIST SP 800-53, CIS Controls, ISO 27001).
  2. Continuous endpoint and cloud evidence. Patch state, configuration, MFA, audit logging, response artefacts, and recovery plans collected from actual endpoints and cloud tenants.
  3. Multi-tenant for MSPs. One console for all client tenants with per-client isolation, billing, and co-branded reports.
  4. Cyber-insurance reporting. The framework most insurance assessors ask about. Look for one-click client-facing posture reports formatted for insurance assessment.
  5. Tier and maturity scoring. NIST CSF defines four implementation tiers (Partial, Risk-Informed, Repeatable, Adaptive). Look for current / target / gap visibility.
  6. Bundled with patching, breach detection, and remediation. The framework is meaningful only if you can act on the gaps. Bundled platforms close findings without bouncing to other tools.

Options to evaluate

Lavawall®: MSP platform with NIST CSF 2.0 first-class

Direct NIST CSF 2.0 mapping across all six functions, continuous endpoint and cloud evidence, multi-tenant delivery, cyber-insurance posture reporting, tier / maturity scoring. Bundled with patching, configuration assessment, breach detection, application control, helpdesk, and remote support so gaps can be closed in the same platform.

Best when: MSPs delivering NIST CSF 2.0 readiness across many client tenants, particularly for cyber-insurance assessments.

Microsoft Compliance Manager: Microsoft-native compliance management

Microsoft's native compliance management with NIST CSF coverage. Strong inside the Microsoft tenant; integration with non-Microsoft tooling adds work.

Best when: Microsoft-centric organisations on E5 / E5 Compliance.

Vanta / Drata / Secureframe / Hyperproof: GRC platforms with NIST CSF module

Various GRC platforms include NIST CSF as one of many framework templates. Strengths and trade-offs vary by platform, as does multi-tenant support for MSPs.

Best when: Single-organisation compliance use cases.

Spreadsheet-based control inventory + audit-firm engagement: Manual approach

An Excel control register, manual evidence capture, periodic audit-firm review. Doesn't scale to MSP service delivery.

Best when: Single small organisations with limited needs and no MSP-as-a-service ambition.

How Lavawall® fits

Lavawall® includes NIST CSF 2.0 as a first-class framework alongside CMMC 2.0, NIST SP 800-171, CIS Controls v8, SOC 2, ISO 27001, HIPAA, PCI DSS, and the Canadian privacy bundle. All six functions map to live evidence Lavawall® already collects.

For cyber-insurance assessments, the platform produces a NIST-CSF-aligned posture report formatted the way most carriers expect. Insurance renewals stop being a fire drill.

Tier and maturity scoring shows current state, target state, and the gap so the MSP can plan remediation across the next quarter, not just the next renewal.

Frequently asked

What changed between NIST CSF 1.1 and 2.0?
Version 2.0 (2024) added the Govern function (raising the total from five to six functions), expanded scope beyond critical infrastructure to all sectors, and made supply-chain risk management more prominent.

Is NIST CSF the same as NIST SP 800-171?
No. NIST CSF is the high-level framework structuring cybersecurity programmes. NIST SP 800-171 is the specific 110-control set that protects Controlled Unclassified Information for US government contractors. Lavawall® maps to both.

Will my cyber-insurance carrier accept the Lavawall® report?
Most carriers accept NIST-CSF-aligned posture reports. Lavawall®'s output is structured for that consumption.