NIST Cybersecurity Framework Implementation Guide

CSF 2.0 is organized around six Functions: Govern, Identify, Protect, Detect, Respond, and Recover. Functions are subdivided into Categories (23 total) and Subcategories (106 total outcome statements). Each Subcategory describes a specific cybersecurity outcome — not a specific control to implement, but the result you should achieve.

The addition of the Govern function is the most significant structural change in CSF 2.0. Govern encompasses: Organizational Context (GV.OC — understanding the organization's mission and stakeholders), Risk Management Strategy (GV.RM — establishing risk appetite and tolerance), Roles and Responsibilities (GV.RR — defining accountability for cybersecurity), Policy (GV.PO — documenting cybersecurity expectations), Oversight (GV.OV — assessing performance), and Cybersecurity Supply Chain Risk Management (GV.SC — managing third-party risks).

The Govern function matters because it addresses the most common reason security programs stall: the absence of explicit organizational accountability, defined risk tolerance, and executive-level oversight. Without Govern, security teams operate without clear mandate, budget authority, or success criteria. Implementing Govern first creates the organizational infrastructure that the other five functions require to function effectively.

A current profile is an honest assessment of which CSF subcategory outcomes your organization currently achieves. It is not what you want to achieve or what your policy says you should be doing — it is what your controls, processes, and practices actually produce today.

Develop the current profile through a combination of documentation review, tool inventory, and practitioner interviews. Documentation review: do you have a current asset inventory, a risk management strategy document, incident response plan, and business continuity plan? Tool inventory: what security tooling is deployed, and is it actively configured and monitored? Practitioner interviews: talk to the SOC analysts, system administrators, and network engineers who operate the controls daily — their operational experience is more accurate than policy documentation about what actually happens.

For each CSF subcategory, rate your current achievement on a four-point scale. The CSF does not prescribe specific maturity ratings, but a practical scale is: Not Performed (the outcome is not achieved), Partially (the outcome is achieved inconsistently or for a subset of in-scope assets), Largely (the outcome is mostly achieved with minor gaps), and Fully (the outcome is consistently achieved across all in-scope assets).

Expect significant gaps in Govern subcategories if your organization has not previously conducted a formal CSF assessment. Most organizations that have invested heavily in technical controls (EDR, SIEM, vulnerability management) but have not formalized their risk management governance will find Identify and Govern are their weakest functions despite strong Protect and Detect scores.

A target profile describes the cybersecurity outcomes your organization prioritizes achieving, given your risk tolerance, business requirements, and sector-specific compliance obligations. It is not 'achieve everything in the framework' — it is a deliberate selection of outcomes calibrated to your specific risk profile.

Input sources for target profile development: your organization's risk appetite statement (how much risk is acceptable), regulatory compliance requirements (HIPAA, PCI DSS, CMMC, DORA, and other applicable frameworks each map to specific CSF subcategories), industry-specific guidance from sector ISACs and regulators, and your most recent risk assessment findings.

Gap analysis is straightforward once current and target profiles are defined: for each subcategory where current state is below target state, you have a gap. Document gaps by function and category to identify which areas require the most remediation effort. Typically, the highest-gap areas are Govern (organizational accountability and risk management) and Detect (continuous monitoring and detection processes) — particularly for organizations that have invested heavily in preventative controls without equivalent investment in detection.

Prioritize gaps based on the risk reduction impact of closing each gap against the cost of doing so. A gap in GV.SC (supply chain risk management) may represent higher risk reduction value than a gap in PR.DS (data security) depending on your threat profile. Risk priority, not framework completeness, should drive your improvement roadmap sequence.

CSF 2.0 implementation tiers describe the rigor and sophistication of an organization's cybersecurity risk management practices. Tier 1 (Partial): practices are ad hoc, limited risk awareness, no formal process. Tier 2 (Risk Informed): risk management practices exist but are not organizational policy, limited information sharing. Tier 3 (Repeatable): risk management practices are formally approved and expressed as policy, consistent implementation. Tier 4 (Adaptive): risk management practices are continuously improved based on lessons learned and threat intelligence.

Tiers are not maturity scores for each CSF function — they describe the overall organizational risk management posture. An organization can have Tier 4 technical controls but Tier 1 governance (common for security programs that grew bottom-up without executive integration). An honest tier self-assessment is a more useful input to improvement planning than a false claim of higher tier status.

For communicating CSF implementation status to leadership and the board, the most effective approach is a heat map showing current versus target profile achievement by CSF function, with the highest-priority gaps highlighted and associated remediation costs and timelines. This visual format allows non-technical stakeholders to understand which areas are most mature, which require investment, and how the proposed roadmap connects to specific risk reduction outcomes.

NIST CSF 2.0 is most valuable as a shared vocabulary for communicating security program status across technical and non-technical stakeholders, and as a gap analysis tool for identifying where your program needs investment. Organizations that treat it as a compliance checklist to complete produce documents. Organizations that use it to drive honest current-state assessment, honest gap analysis, and risk-prioritized improvement planning build security programs that continuously improve.