NIST Cybersecurity Framework 2.0 Implementation Guide: From Gap Assessment to Profile

The structural changes in CSF 2.0 have direct operational implications for security programs that built their governance around the original framework.

The new Govern function: CSF 2.0 adds GV (Govern) as the sixth core function, covering: organizational context (GV.OC), risk management strategy (GV.RM), roles and responsibilities (GV.RR), policy (GV.PO), oversight (GV.OV), and cybersecurity supply chain risk management (GV.SC). These subcategories address the governance infrastructure that enables the other five functions to operate consistently. In CSF 1.1, these concepts were embedded under Identify; elevating them to their own function signals that NIST considers governance a prerequisite rather than a component.

Supply chain risk management (SCRM): CSF 2.0 significantly expands SCRM coverage through GV.SC, adding 10 subcategories dedicated to third-party and supply chain cybersecurity. This reflects the post-SolarWinds, post-MOVEit reality that the software supply chain is now a primary attack surface requiring explicit program-level management.

Expanded scope: CSF 1.0 and 1.1 were explicitly written for critical infrastructure. CSF 2.0 removes this framing entirely, making the framework applicable to startups, SMBs, educational institutions, and government agencies equally. NIST published separate Quick Start Guides for small businesses, enterprise risk managers, and specific sectors to support this broader adoption.

Profile and Tier refinements: CSF 2.0 clarifies that Profiles describe an organization's current or target cybersecurity posture for a specific use case, not a universal organizational maturity score. Tiers (1 through 4) describe how cybersecurity risk management practices are integrated into broader organizational risk management, not a ranking of overall security capability. This distinction matters: an organization can be Tier 4 on governance and Tier 1 on technical detection coverage.

What did not change: The five original functions (Identify, Protect, Detect, Respond, Recover) remain structurally intact. If your existing program is aligned to CSF 1.1, your mapping work is largely preserved; the primary addition is the Govern layer on top.

CSF 2.0 contains 106 subcategories across six functions. Understanding the function-level intent helps prioritize which categories to address first.

GV (Govern): Sets the organizational context for cybersecurity risk management. Key subcategories: GV.OC-01 (mission and stakeholder expectations), GV.RM-01 (risk tolerance articulated by leadership), GV.RR-01 (roles and responsibilities defined), GV.PO-01 (policy established and communicated), GV.SC-01 (supply chain risk management program). Govern is the function most organizations have the largest gap on because it requires executive engagement, not just technical implementation.

ID (Identify): Establishes understanding of organizational assets, business context, and risk. Key subcategories: ID.AM (asset management, knowing what you have), ID.RA (risk assessment process), ID.IM (improvement, incorporating lessons learned). The asset management foundation is the prerequisite everything else depends on: you cannot protect, detect, or respond to threats against assets you do not know exist.

PR (Protect): Implements safeguards. Covers identity management (PR.AA), awareness training (PR.AT), data security (PR.DS), platform security (PR.PS), and technology infrastructure resilience (PR.IR). This function maps most directly to the defensive controls in CIS Controls IG1 and IG2.

DE (Detect): Identifies cybersecurity events. Key subcategories: DE.CM (continuous monitoring), DE.AE (adverse event analysis). Detection coverage is the most frequently underinvested function in organizations that build strong preventive controls but have inadequate visibility into what is happening on their network and endpoints.

RS (Respond): Defines actions after a cybersecurity incident is detected. Covers incident management (RS.MA), incident analysis (RS.AN), incident response reporting and communication (RS.CO), mitigation (RS.MI), and improvements (RS.IM). The Respond function requires documented, tested plans rather than ad-hoc improvisation.

RC (Recover): Restores capabilities after an incident. RC.RP (recovery plan execution), RC.CO (communications during recovery). Organizations frequently underinvest here until after a ransomware incident makes the gap painful.

Prioritization guidance: Address Govern first to establish the risk tolerance and accountability framework that defines what target state you are building toward. Then prioritize Identify (asset management) as the prerequisite for everything downstream. Protect and Detect are parallel workstreams; Respond and Recover require documented plans before an incident tests them.

The Tier and Profile concepts are frequently misunderstood, which leads organizations to either over-engineer their CSF implementation or misuse the framework as a maturity scoring tool.

Tiers (1-4) describe risk management integration, not capability level:

• Tier 1 (Partial): Cybersecurity risk management is ad hoc and reactive. Practices are not formalized. Risk awareness exists at an individual level but is not organizational.
• Tier 2 (Risk Informed): Risk management practices exist but are not organization-wide. Organizational risk tolerance is not formally articulated.
• Tier 3 (Repeatable): Risk management practices are formally documented, consistently applied, and regularly reviewed. Risk tolerance is established and communicated.
• Tier 4 (Adaptive): The organization actively adapts its cybersecurity practices based on lessons learned and continuous improvement. Risk management is integrated into business decisions at all levels.

Tiers do not measure technical security capability. An organization can have mature endpoint detection (technical) but operate at Tier 1 (governance) because there is no formal risk management process informing security investment decisions. The Tier is an input to the Profile, not an output of a controls assessment.

Profiles describe current vs. target state for a specific context: A CSF Profile is a selection of CSF outcomes (subcategories) that describes either the current state (Current Profile) or desired future state (Target Profile) of cybersecurity risk management for a specific organizational context. Profiles are not universal; a payment processing system might have a different Target Profile than an HR data store.

Building a useful Profile:

1. Define the scope (which systems, business processes, or risk scenario this Profile addresses)
2. Identify relevant subcategories by reviewing all 106 and selecting those applicable to the scope
3. Document the current implementation level for each selected subcategory (not implemented, partially implemented, fully implemented)
4. Define the Target Profile based on risk tolerance and business requirements
5. Identify gaps between Current and Target Profiles
6. Prioritize gap closure by business risk impact

NIST provides Profile templates and examples in the CSF 2.0 reference tool at csrc.nist.gov.

One of CSF 2.0's primary practical values is its role as a crosswalk between frameworks. Using the NIST Online Informative References (OLIR) tool, every CSF subcategory maps to specific controls in CIS Controls v8, NIST SP 800-53 Rev 5, ISO 27001:2022, COBIT 2019, and others. This mapping lets you avoid duplicate work when multiple compliance frameworks apply to your organization.

CSF to CIS Controls mapping: CIS Controls Implementation Group 1 (IG1) maps primarily to CSF Protect and Identify subcategories. If you have completed an IG1 implementation, you have addressed a significant portion of PR and ID subcategory requirements. Key mappings:

• CIS Control 1 (Asset Inventory) maps to ID.AM subcategories
• CIS Control 2 (Software Asset Management) maps to ID.AM-2 and PR.PS subcategories
• CIS Control 5 (Account Management) maps to PR.AA subcategories
• CIS Control 17 (Incident Response Management) maps to RS and RC subcategories

CSF to NIST 800-53 mapping: 800-53 is more granular than CSF; each CSF subcategory typically maps to multiple 800-53 controls. Organizations subject to FISMA, FedRAMP, or federal contract security requirements already working in 800-53 can use the OLIR crosswalk to identify which 800-53 controls satisfy CSF requirements without a separate CSF assessment effort.

Practical approach for multi-framework environments: Conduct your gap assessment using CSF subcategories as the evaluation unit. Map each gap to the specific CIS Control, 800-53 control, or ISO 27001 clause that closes it. This produces a single prioritized remediation list that satisfies multiple frameworks simultaneously, avoiding the operational overhead of running parallel compliance programs.

NIST's OLIR catalog is searchable at csrc.nist.gov/Projects/olir and includes community-submitted mappings from major framework owners.

A CSF 2.0 gap assessment evaluates your current implementation against each applicable subcategory and produces a prioritized remediation backlog. The process has four phases.

Phase 1: Scope definition Determine what organizational scope the assessment covers. Options: the entire organization (enterprise-wide Profile), a specific business unit, a specific technology system, or a specific risk scenario (e.g., ransomware resilience). Narrower scope produces more actionable results; enterprise-wide assessments often produce generic findings.

Phase 2: Subcategory evaluation For each of the 106 CSF 2.0 subcategories, assess current implementation on a simple three-point scale: Not Implemented, Partially Implemented, or Fully Implemented. Evidence for each rating should be documented. Common evidence sources: policy documents, process documentation, tool configurations, training completion records, and test results (penetration tests, tabletop exercises).

Tools for CSF assessments:

• CISA's Cyber Resilience Review (CRR): Free assessment tool aligned to CSF
• NIST Baldrige Cybersecurity Excellence Builder: Self-assessment questionnaire
• Commercial GRC platforms (ServiceNow GRC, RSA Archer, Archer, Tugboat Logic): Structured CSF assessment templates with evidence collection workflows

Phase 3: Gap analysis and prioritization Compare Current Profile to Target Profile. Prioritize gaps using two factors: risk impact (how much does this gap increase the probability or impact of a significant security incident?) and implementation feasibility (can this gap be closed quickly, or does it require significant investment?). High-risk gaps that are quick to close get priority; high-risk gaps requiring significant investment get resource planning.

Phase 4: Remediation roadmap Translate prioritized gaps into a program roadmap with quarterly milestones. Assign owners for each workstream. Use the CSF subcategory IDs as work item labels in your project tracking system so progress is traceable back to the framework. Report progress to leadership using the Profile format: percentage of target subcategories at Fully Implemented status.

Organizations adopting CSF 2.0 repeat several mistakes that reduce the framework's operational value.

Treating CSF as a compliance checklist rather than a risk management tool: CSF subcategories are outcomes, not prescriptive controls. An organization that checks every box without understanding the risk rationale behind each subcategory has a checklist, not a security program. The Govern function exists precisely to force this risk context; if GV.RM subcategories (risk tolerance, risk strategy) are not addressed first, the rest of the framework lacks direction.

Conflating Tier with maturity: Presenting a Tier 3 rating to the board as meaning the organization has strong security is misleading. Tiers describe governance integration, not control effectiveness. A Tier 3 organization may have excellent risk management processes applied to a mediocre set of technical controls.

Scope too broad for the first Profile: Enterprise-wide CSF assessments produce low-resolution findings because every system and process has different risk profiles. A more useful approach is to conduct a high-resolution Profile for the two or three highest-risk business functions first, then expand coverage.

Skipping the Govern function: Many security teams start with Protect and Detect because those map to tool configurations they understand. Govern subcategories require executive engagement and policy documentation that security teams cannot produce unilaterally. Without GV.RM-01 (risk tolerance articulated by leadership), there is no objective basis for deciding which Target Profile subcategories are required.

Not integrating with supply chain risk management: GV.SC is the most under-implemented function area in most organizations. Third-party risk assessments are often managed by procurement with no security integration, creating a systematic blind spot. CSF 2.0's explicit GV.SC subcategories provide a forcing function for integrating vendor security into the program.