NIST CSF 2.0: The Complete Guide to the Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) 2.0, published by NIST on February 26, 2024, is a voluntary, risk-based framework for managing cybersecurity risk, organized into 6 Functions — Govern, Identify, Protect, Detect, Respond, and Recover — that break down into 22 Categories and 106 Subcategories (the specific outcomes you work toward). It is not a law or a certification: there is no official "NIST CSF certified" status, and adopting it means assessing your current state against a target profile and closing the gaps. Editable policy templates accelerate the documentation that adoption requires, but you still have to operate the controls.

What is NIST CSF 2.0?

NIST CSF 2.0 is the updated version of the NIST Cybersecurity Framework, published by the U.S. National Institute of Standards and Technology on February 26, 2024. It describes cybersecurity outcomes — not specific products or tools — organized as 6 Functions (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER), 22 Categories, and 106 Subcategories. The headline change from CSF 1.1 is the new GOVERN function, which elevates cybersecurity governance, strategy, roles, policy, and supply-chain risk management to a top-level concern. Organizations describe where they are with a Current Profile, where they want to be with a Target Profile, and how rigorous their practices are using four Implementation Tiers (Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive).

Who needs it?

NIST CSF 2.0 is designed for organizations of any size and sector, and version 2.0 explicitly broadened its audience beyond critical infrastructure to all businesses, including small and mid-size companies. It is commonly adopted by U.S. SMBs and startups that need a recognized way to structure a security program, by vendors whose customers or contracts ask them to "align to NIST," and by companies whose cyber-insurance applications, board, or auditors want a defensible risk framework. Because the framework is outcome-based and maps cleanly to ISO 27001 and SOC 2, it is also a practical foundation for organizations that expect to pursue formal certification or attestation later. It is voluntary for most private companies and is not itself a law, though some U.S. federal contracts and sector regulators reference NIST guidance.

What does NIST CSF 2.0 readiness cost?

Option: DIY from the free NIST CSF 2.0 framework and Quick-Start Guides
Typical cost: $0 plus significant staff time
Time to ready: 2-6 months of internal effort to write policies and build a profile from scratch

Option: ComplianceDocs NIST CSF 2.0 Complete Toolkit (editable Word + Excel templates)
Typical cost: $79 one-time (list price; promo codes may apply)
Time to ready: Documentation drafted in days; customize placeholders, then operate the controls

Option: Cybersecurity consultant / vCISO to build the program
Typical cost: ~$1,250-2,750+ for a focused engagement; more for ongoing vCISO support
Time to ready: Several weeks to a few months depending on scope

Option: Compliance automation platform (continuous monitoring + framework mappings)
Typical cost: ~$7,000-30,000 per year
Time to ready: Weeks to configure; ongoing subscription

Typical timeline

  1. Scope and govern: Define the business context and risk appetite, assign cybersecurity roles, and stand up governance under the GOVERN function, the foundation for every other decision.
  2. Build a Current Profile: Assess your existing practices against the 106 subcategories to document where you stand today across all six functions.
  3. Set a Target Profile and choose Tiers: Decide the outcomes and rigor (Implementation Tiers 1-4) appropriate to your size, sector, and risk, and prioritize the gaps between current and target.
  4. Document policies and procedures: Write the governance, asset management, access control, data security, monitoring, incident response, and recovery documents that evidence each targeted outcome.
  5. Implement and operate controls: Put the documented practices into day-to-day operation, train staff, and capture evidence such as logs, reviews, and risk-register updates.
  6. Measure and improve: Re-assess the profile periodically, report to leadership, and continuously improve; CSF adoption is an ongoing cycle, not a one-time project.

How editable templates speed this up

Most of the work in adopting NIST CSF 2.0 is writing the policies, procedures, and plans that demonstrate each outcome — governance, risk management, supply-chain risk, asset and access management, data security, continuous monitoring, incident response, and recovery. ComplianceDocs' NIST CSF 2.0 Complete Toolkit provides 15 editable Word policies and plans covering all six functions, plus a Profile & Assessment workbook that lists every one of the 106 subcategories, a risk register, and an audit evidence checklist. You replace the bracketed placeholders with your organization's details to produce a coherent, framework-aligned document set in days instead of months. The templates accelerate documentation and give you a structured assessment workbook; they do not by themselves make you "compliant" or convey any certification — you still have to operate the controls and maintain evidence over time.

Recommended NIST CSF 2.0 toolkits

NIST CSF 2.0 Complete Toolkit (framework: NIST CSF 2.0)

15 editable policies and plans covering all six CSF 2.0 functions, plus a Profile & Assessment workbook with every one of the 106 subcategories, a risk register, and an audit evidence checklist.

Price: $79 (30% off with code)

ISO 27001 + SOC 2 Dual Toolkit (frameworks: ISO 27001:2022 + SOC 2)

47 documents covering both frameworks plus a control crosswalk, risk register, Statement of Applicability and TSC mapping: run one security program, pass two audits.

Price: $149 (30% off with code)

Startup Trust Pack — SOC 2 + AI Governance (frameworks: SOC 2 + AI Governance)

25 editable documents bundling the SOC 2 Core policy set with the full AI Governance pack: answer enterprise security questionnaires AND the new AI-policy questions in one purchase.

Price: $89 (30% off with code)


Frequently asked questions

Can you get "NIST CSF certified"?
No. NIST CSF 2.0 is a voluntary framework, and NIST does not certify organizations against it — there is no official certification or attestation. You self-assess against the framework, set a target profile, and close gaps. If you need a third-party credential, organizations typically pursue ISO 27001 certification (from an accredited certification body) or a SOC 2 report (from a licensed CPA firm), both of which map closely to NIST CSF.
How many functions, categories, and subcategories are in NIST CSF 2.0?
NIST CSF 2.0 has 6 Functions (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER), 22 Categories, and 106 Subcategories. The Subcategories are the specific, outcome-based statements you assess and work toward. GOVERN is the function added in version 2.0.
What's the difference between NIST CSF 2.0 and CSF 1.1?
The biggest change is the new GOVERN function, which makes cybersecurity governance, strategy, roles, policy, and supply-chain risk management a top-level concern rather than something spread across other functions (CSF 1.1 had 5 functions, 23 categories, and 108 subcategories). CSF 2.0 (February 2024) also broadened its intended audience beyond critical infrastructure to organizations of all sizes and sectors and added implementation resources like Quick-Start Guides and example profiles.
Is NIST CSF 2.0 legally required?
For most private-sector companies it is voluntary, not a law. However, some U.S. federal contracts, sector regulators, and other frameworks reference NIST guidance, and customers, insurers, or boards may ask you to align with it. Adopting NIST CSF 2.0 is a recognized, defensible way to structure and demonstrate a cybersecurity program even when it is not strictly mandatory.
Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.