NIST CSF 2.0 Explained: The Six Functions and Where to Start
The NIST Cybersecurity Framework 2.0 is a voluntary way to organize and self-assess your security program — no certificate involved. Here are its six Functions (with Govern new in 2.0), how Tiers and Profiles work, and a realistic place for a small organization to begin.
What NIST CSF 2.0 is — and what changed in 2024
The NIST Cybersecurity Framework (CSF) is a voluntary structure for organizing, communicating, and improving how an organization manages cybersecurity risk. It was created by the U.S. National Institute of Standards and Technology, and version 2.0 was published on February 26, 2024, as NIST CSWP 29. It is not a regulation and not a control checklist you are forced to implement line by line. It is a common language — a way to describe what good cybersecurity outcomes look like and to talk about your posture with customers, insurers, executives, and partners who may otherwise have no shared vocabulary.
The most consequential change in 2.0 is one of scope. Earlier versions framed the CSF around critical infrastructure; 2.0 is explicitly written for organizations of every size, sector, and maturity — from a two-person startup to a hospital system to a federal agency. That broadening is why the framework now shows up routinely in vendor security questionnaires, cyber-insurance applications, and supply-chain requirements aimed at ordinary small and mid-size businesses. The other headline change is structural: 2.0 adds a sixth Function, Govern, which we cover next.
Under the hood, the framework is organized as a hierarchy. The six Functions sit at the top. Beneath them are 22 Categories (groupings of related outcomes, such as Asset Management or Continuous Monitoring), and beneath those are 106 Subcategories — concrete, outcome-based statements like 'Backups of data are created, protected, maintained, and tested.' Note that the Subcategories are outcomes to achieve, not prescriptive steps, and their identifiers are not numbered straight through (the framework has revised and renumbered them over time). The point is the outcome, not the number.
The six Functions, starting with what's new
CSF 2.0 organizes everything into six Functions. They are not sequential phases so much as concurrent capabilities a healthy program runs all the time.
Govern (new in 2.0) is the Function that establishes and monitors your cybersecurity risk management strategy, expectations, and policy. It covers organizational context, your risk management strategy and risk appetite, roles and responsibilities, policy, leadership oversight, and — importantly for anyone fielding supply-chain questions — cybersecurity supply chain risk management. NIST elevated Govern to its own Function to make clear that cybersecurity is an enterprise risk to be governed by leadership, not just a technical task delegated to IT. It informs and wraps around the other five.
The remaining five carry forward from earlier versions. Identify means understanding your assets, data, suppliers, and the risks to them — you cannot protect what you have not inventoried. Protect covers the safeguards that reduce risk: identity and access management, awareness and training, data security, platform security, and infrastructure resilience. Detect is about finding and analyzing potentially adverse events through continuous monitoring. Respond covers acting on a confirmed incident — managing, analyzing, containing, and communicating about it. Recover covers restoring operations and assets after an incident and communicating throughout the restoration. Read together — Govern, Identify, Protect, Detect, Respond, Recover — they form a complete cycle: govern the program, know your environment, defend it, watch it, react when something happens, and get back to normal.
There is no NIST CSF certificate — you self-assess
This is the single most important thing to understand before you spend any money, and it is where a lot of buyers are misled. There is no such thing as a NIST CSF certification. No accredited body audits you against the CSF and issues a certificate, and no exam makes your organization 'CSF certified' or 'CSF compliant.' Anyone selling one of those outcomes is selling something that does not exist.
The CSF is designed to be self-assessed. You evaluate your own organization against the Functions, Categories, and Subcategories and document where you stand. That distinguishes it from ISO/IEC 27001, where an accredited certification body audits a working management system and issues a certificate, and from SOC 2, where a licensed CPA firm examines your controls and issues an attestation report. With the CSF, the deliverable is your own honest assessment, not a third party's stamp. (The CSF does cross-reference those other standards through what NIST calls Informative References, so the work is reusable — but that is a topic for a separate comparison.)
So when a customer questionnaire, an insurer, or a prime contractor says 'send us your NIST CSF profile,' they are not asking for a certificate. They are asking for your documented self-assessment: where you are today against the framework, where you intend to be, and the policies that back it up. The credibility comes from doing the assessment thoroughly and honestly — and from actually operating the controls you describe — not from a piece of paper someone else issues.
Tiers and Profiles: measuring rigor and direction
CSF 2.0 gives you two tools to make a self-assessment meaningful. The first is Tiers. The framework defines four: Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, and Tier 4 Adaptive. Tiers characterize how rigorous and ingrained your cybersecurity risk governance and management practices are — from ad hoc and reactive at Tier 1 to adaptive and continuously improving at Tier 4. A crucial caveat: Tiers are not maturity grades, and Tier 4 is not the goal for everyone. A small business with modest risk may rationally choose to operate at Tier 2 and put its money elsewhere. You pick the Tier that fits your risk, resources, and obligations, then let it inform your targets.
The second tool is Profiles, and this is where the real work lives. A Profile describes your cybersecurity posture in terms of the framework's outcomes. You build two: a Current Profile (what you actually do today, Subcategory by Subcategory) and a Target Profile (what you intend to achieve, given your risk appetite, requirements, and resources). The gap between the two is your roadmap — a prioritized, defensible list of what to improve and in what order.
Tiers and Profiles work together rather than as separate exercises. Your chosen Tier informs how ambitious your Target Profile should be, and the gap analysis between Current and Target Profiles tells you concretely how to move toward it. Done well, this turns 'we should be more secure' into a specific, sequenced plan you can show a customer, an insurer, or your own board — and revisit as your business and its threats change.
A practical starting path for a small organization
You do not need a consultant or a six-month project to begin. NIST itself publishes a CSF 2.0 Small Business Quick Start Guide and a set of Implementation Examples aimed precisely at organizations with limited security staff, and a sensible first pass can be done in days, not months.
A workable sequence:
- First, set the scope and the context — decide which part of the business you are assessing and what your most important assets, data, and obligations are.
- Second, do a quick Govern and Identify pass: confirm who owns cybersecurity, inventory your hardware, software, data, and key suppliers, and note your legal and contractual requirements.
- Third, build your Current Profile by walking the 106 Subcategories and honestly recording, for each, whether you do it today, partly, or not at all — resist the urge to inflate, because an honest baseline is the entire value.
- Fourth, set a Target Profile by deciding which gaps actually matter given your risk and your customers' expectations; not every Subcategory deserves equal effort.
- Fifth, record the gaps in a risk register with owners and dates, and work the highest-priority items first.
A few honest expectations. Your first Current Profile will look uncomfortable — that is normal and is the point; you cannot prioritize what you have not measured. Prioritize ruthlessly: a small org should fix the handful of high-impact gaps (multi-factor authentication, tested backups, basic monitoring, an incident plan) long before chasing a perfect score. And treat it as a cycle. The CSF is built to be revisited as your environment, suppliers, and threats change, so plan to refresh the Profile periodically rather than file it away. Any time or cost figures you encounter are illustrative estimates, not quotes — actual effort varies widely with your size and starting point.
Where editable documentation fits — the profile workbook
The slowest part of a CSF effort is rarely the thinking; it is producing the artifacts. You need the supporting policies the framework's outcomes assume (governance, asset management, access control, data security, monitoring, incident response, recovery) and a structured place to score all 106 Subcategories for your Current and Target Profiles. Writing fifteen policies and building a 106-row assessment workbook from a blank page is exactly the work most small teams stall on.
This is the documentation layer, and it is where an editable toolkit earns its place — honestly, as a starting point you tailor, never as a shortcut to an outcome that does not exist. The ComplianceDocs NIST CSF 2.0 Complete Toolkit (skuId nistcsf; current list price $79, with a launch discount code that may apply at checkout) is built around this: its hero artifact is a Profile & Assessment workbook covering every one of the 106 Subcategories so you can score current and target state, accompanied by a risk register and an audit evidence checklist, plus fifteen editable policies and plans spanning all six Functions. Because there is no CSF certificate, your completed profile is the actual deliverable — and the workbook is what produces it.
Be clear-eyed about the division of labor. A toolkit gives you the editable documents assessors, customers, and insurers expect to see, which removes the longest, most tedious part of getting started. It does not make your organization 'compliant,' 'certified,' or 'assessed' — none of those states exists for the CSF, and no set of templates could grant them. The assessment is yours to perform honestly, and the controls are yours to operate. What good documentation buys you is a credible, consistent starting point you can stand behind, and a head start on the readiness work that any related audit (ISO 27001, SOC 2) would later require. For the current required elements and the official guidance, work from NIST CSWP 29 and the CSF 2.0 resources at nist.gov.
Frequently asked questions
- Is NIST CSF 2.0 a certification I can pass?
- No. There is no NIST CSF certification and no accredited body that issues a CSF certificate. The framework is designed to be self-assessed: you evaluate your own organization against its Functions and 106 Subcategories and document where you stand. This is different from ISO/IEC 27001, where a certification body issues a certificate, and from SOC 2, where a licensed CPA firm issues an attestation report. When someone asks for your NIST CSF profile, they want your documented self-assessment, not a certificate.
- What changed between the old CSF and CSF 2.0?
- The two biggest changes in CSF 2.0, published February 26, 2024, are scope and structure. Scope: earlier versions centered on critical infrastructure, while 2.0 is written for organizations of every size and sector, which is why it now appears in ordinary vendor questionnaires and insurance applications. Structure: 2.0 adds a sixth Function, Govern, to emphasize that cybersecurity is an enterprise risk leadership must oversee, not just a technical task. The framework still organizes outcomes into Functions, Categories, and Subcategories.
- What are the four NIST CSF Tiers, and should I aim for Tier 4?
- The four Tiers are Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, and Tier 4 Adaptive. They describe how rigorous and ingrained your cybersecurity risk governance and management practices are. They are not maturity grades, and Tier 4 is not the goal for everyone. A small business with modest risk may reasonably operate at Tier 2 and invest its resources elsewhere. You choose the Tier that fits your risk, obligations, and budget, then let it inform how ambitious your Target Profile should be.
- What is a NIST CSF Profile, and why do customers ask for one?
- A Profile describes your cybersecurity posture in terms of the framework's outcomes. You typically build a Current Profile (what you actually do today, Subcategory by Subcategory) and a Target Profile (what you intend to achieve given your risk and requirements); the gap between them becomes your prioritized roadmap. Customers, insurers, and prime contractors ask for your profile because, with no CSF certificate to point to, your documented self-assessment is the deliverable that shows where you stand. Its credibility comes from being thorough and honest, and from operating the controls it describes.
- Will a NIST CSF toolkit make my organization compliant?
- No. No document set can make an organization 'compliant,' 'certified,' or 'assessed' against the CSF — and for the CSF specifically, no certificate even exists to grant. A toolkit provides the documentation layer: editable policies plus a structured workbook to score all 106 Subcategories for your Current and Target Profiles, which removes the slowest part of getting started. You still have to perform the self-assessment honestly and operate the controls. What good documentation buys you is a credible, consistent starting point and a head start on any related audit readiness, such as ISO 27001 or SOC 2.
