What is NIST CSF 2.0 (NIST Cybersecurity Framework version 2.0)?

NIST CSF 2.0 (the National Institute of Standards and Technology Cybersecurity Framework version 2.0, released 2024) is a voluntary cybersecurity framework…

Definition

NIST CSF was originally released in 2014 (version 1.0) and updated in 2018 (1.1) and 2024 (2.0). Version 2.0 added the Govern function, expanded scope from critical infrastructure to all sectors, and elevated supply-chain risk management.

The framework is voluntary in most contexts but referenced by US federal regulators, state privacy laws, cyber-insurance carriers, and enterprise procurement processes worldwide. It is structured to be scalable from small organisations to large enterprises.

NIST CSF is paired with Informative References that map subcategories to specific control catalogs (NIST SP 800-53, CIS Controls, ISO 27001, COBIT, ISA/IEC 62443). The Informative References make NIST CSF a useful umbrella over more specific frameworks.

Core components

  • Six functions. Govern (GV), Identify (ID), Protect (PR), Detect (DE), Respond (RS), Recover (RC). Version 2.0 added Govern.
  • Categories and subcategories. Functions divide into categories (e.g., Asset Management, Risk Assessment, Identity Management); categories divide into subcategories with specific outcomes.
  • Implementation Tiers. Four tiers (Partial, Risk-Informed, Repeatable, Adaptive) describing how cybersecurity risk is managed across an organisation.
  • Profile (Current and Target). An organisation's current cybersecurity outcomes vs its target state. The gap drives prioritised improvement.
  • Informative References. Mappings to specific control catalogs (NIST SP 800-53, CIS Controls, ISO 27001, COBIT, ISA/IEC 62443).
  • Govern function (new in 2.0). Strategy, expectations, and policy that drive the cybersecurity programme — elevated from a sub-element of Identify in 1.1 to a full function in 2.0.

Why it matters

NIST CSF has become the most-cited framework in cyber-insurance assessments. Carriers ask about NIST CSF maturity because the function structure makes posture comparable across applicants in a way framework-specific control inventories don't.

For MSPs, NIST CSF mapping is how most clients' cyber-insurance carriers will ask about controls. “What is your NIST CSF 2.0 maturity?” shows up on more questionnaires every year.

Beyond insurance, the framework structures security investment decisions: visibility (Identify), control implementation (Protect), monitoring (Detect), incident response (Respond), and recovery (Recover) provide a planning vocabulary even outside formal compliance contexts.

How Lavawall® helps with NIST CSF 2.0 (NIST Cybersecurity Framework version 2.0)

Lavawall® includes NIST CSF 2.0 as a first-class framework. All six functions map to live evidence collected from Windows / macOS / Linux endpoints and M365 / Entra / Azure / Google Workspace tenants.

Cyber-insurance posture reports, formatted the way most carriers expect, are produced from the live evidence. Insurance renewals stop being a fire drill.

Tier and maturity scoring shows current state, target state, and the gap so the MSP can plan remediation across the next quarter, not just the next renewal.

Frequently asked

What changed between NIST CSF 1.1 and 2.0?
Version 2.0 added the Govern function, expanded scope beyond critical infrastructure to all sectors, and made supply-chain risk management more prominent.
Is NIST CSF the same as NIST SP 800-171 or 800-53?
No. CSF is the high-level framework; SP 800-53 is a control catalog for federal systems; SP 800-171 is the 110-control set for protecting Controlled Unclassified Information at federal contractors. CSF references both as Informative References.
Is NIST CSF mandatory?
Voluntary in most contexts. US Executive Orders, some state privacy laws, and many enterprise procurement requirements reference it. Cyber-insurance carriers commonly use it as the assessment framework.