NIST CSF 2.0: What's New and How to Map to CIS Controls
The NIST Cybersecurity Framework, Updated for the Modern Threat Environment
The NIST Cybersecurity Framework (CSF) was first published in 2014 as a voluntary framework for critical infrastructure. Over the decade that followed, it became the dominant cybersecurity framework in U.S. enterprise environments, referenced extensively by regulators, insurers, customer security questionnaires, and audit programs. CSF 1.1 (2018) refined the original; CSF 2.0 (February 2024) is the first major restructuring.
The 2.0 revision matters because the framework is now formally scoped beyond critical infrastructure to all organizations. The new Govern function elevates governance to first-class status alongside the original five functions. Supply chain risk receives substantially more attention. And the integration points with other NIST guidance (800-53, 800-171, the Privacy Framework) are tighter.
For organizations that operate against CSF as their internal cybersecurity reference, the 2.0 upgrade is a structured re-mapping exercise. For organizations using CSF only as a customer-facing reference, the new function and expanded categories change what stakeholders will look for in security claims.
What Changed from 1.1 to 2.0
The headline changes:
The Govern function joins the five original functions. CSF 1.1 had Identify, Protect, Detect, Respond, Recover. CSF 2.0 adds Govern, creating a six-function framework. Governance is now equal in standing to the other functions, reflecting the reality that without governance, the other functions cannot be operated consistently.
Expanded supply chain risk management. Supply chain elements were present in CSF 1.1 but distributed across functions. CSF 2.0 elevates supply chain into a more cohesive structure, with explicit categories for supplier risk, third-party assessment, and supply chain incident response.
Scope expansion beyond critical infrastructure. CSF 1.1 was framed for critical infrastructure organizations; CSF 2.0 is explicitly intended for use by any organization. The categories and subcategories are written to apply across organization size and sector.
Improved integration with other NIST guidance. CSF 2.0 includes explicit mappings to NIST SP 800-53, the NIST Privacy Framework, and the SP 800-218 secure software development framework. The cross-references make CSF more useful as an organizing index for an organization's broader NIST-aligned program.
Implementation examples and quick-start guides. CSF 2.0 is published alongside implementation examples, profiles for specific contexts (e.g., small business, manufacturing, enterprise risk management), and CSF Tiers that describe how an organization approaches cybersecurity risk management.
The Six Functions of CSF 2.0
| Function | Code | Focus |
|---|---|---|
| Govern | GV | Strategy, policy, roles, supply chain governance |
| Identify | ID | Asset management, risk assessment, threat understanding |
| Protect | PR | Access control, awareness, data security, platform security |
| Detect | DE | Continuous monitoring, anomaly detection, adverse event analysis |
| Respond | RS | Incident response, mitigation, reporting |
| Recover | RC | Recovery planning, restoration, communications |
Each function decomposes into categories, then subcategories. CSF 2.0 has 6 functions, 22 categories, and 106 subcategories. The subcategory is the operational element: each is written as a specific outcome the organization should achieve.
What the Govern Function Adds
The Govern function brings together elements that were implicit in CSF 1.1 or scattered across other functions:
GV.OC Organizational Context: understanding the mission, stakeholders, and risk environment
GV.RM Risk Management Strategy: enterprise risk management strategy, risk tolerance, risk-informed decision making
GV.RR Roles, Responsibilities, and Authorities: who is accountable for cybersecurity decisions
GV.PO Policy: documented policies that govern cybersecurity activities
GV.OV Oversight: monitoring of cybersecurity risk management performance
GV.SC Cybersecurity Supply Chain Risk Management: supply chain risk strategy, supplier oversight, supply chain incident response
For most organizations, the content of these categories already exists in some form. The 2.0 contribution is the elevation: these governance elements are now organized centrally in one function rather than left implicit or scattered across the others.
How CIS Controls v8 Maps to CSF 2.0
The Center for Internet Security maintains an authoritative mapping between CIS Controls v8 and the NIST Cybersecurity Framework. The mapping is bidirectional: CIS Controls implement specific CSF subcategories, and CSF subcategories are satisfied through specific CIS Controls.
| CSF 2.0 Function | Primary CIS Controls |
|---|---|
| Govern (GV) | CIS 17 (Incident Response), CIS 18 (Application Software Security) |
| Identify (ID) | CIS 1 (Inventory of Devices), CIS 2 (Inventory of Software), CIS 3 (Data Protection) |
| Protect (PR) | CIS 4 (Secure Configuration), CIS 5 (Account Management), CIS 6 (Access Control), CIS 11 (Data Recovery), CIS 12 (Network Infrastructure) |
| Detect (DE) | CIS 8 (Audit Log Management), CIS 13 (Network Monitoring), CIS 16 (Application Software Security) |
| Respond (RS) | CIS 17 (Incident Response Management) |
| Recover (RC) | CIS 11 (Data Recovery) |
The Protect function has the densest CIS Controls coverage because most of the technical controls that CIS Benchmarks evaluate fall under Protect: configuration management, access control, account management, network security, and data security. A continuous CIS benchmark scanning program provides the bulk of Protect function evidence automatically.
How CIS Benchmarks Map to CSF 2.0 Categories
CIS Benchmarks are the configuration-level instantiation of CIS Controls. Where CIS Controls describe outcomes ("Apply secure configurations to all assets"), CIS Benchmarks specify exact configuration values per platform.
The primary CSF 2.0 categories satisfied through CIS benchmark scanning:
PR.AA Access Control: account management, MFA, session controls — covered by Windows, Linux, cloud, M365 benchmarks
PR.AT Awareness and Training: not directly satisfied (organizational)
PR.DS Data Security: encryption configuration, key management, data-in-transit protection — covered by relevant platform benchmarks
PR.PS Platform Security: configuration hardening, secure baseline enforcement — the central use case for CIS benchmarks
DE.CM Continuous Monitoring: continuous benchmark scanning produces the audit and configuration monitoring evidence the category expects
DE.AE Adverse Event Analysis: anomaly detection from continuous scanning compared to baselines
For an organization operating CIS Benchmarks across endpoints, servers, cloud infrastructure, and identity services, continuous scanning produces evidence covering most of the Protect function categories and the configuration-related elements of the Detect function automatically.
CSF Profiles and Tiers
CSF 2.0 introduces or refines two adoption tools alongside the core framework:
Profiles describe the cybersecurity outcomes an organization or community has determined to be important. A profile tailors the framework to a specific context: a small manufacturer, a healthcare provider, a financial services firm. NIST publishes example profiles, and industry communities (HITRUST, CMMC ecosystem, financial sector ISACs) publish their own profiles tailored to sector needs.
Tiers describe how an organization approaches cybersecurity risk management:
Tier 1 (Partial): ad-hoc risk management, limited awareness, limited information sharing
Tier 2 (Risk Informed): risk-informed but not consistently enterprise-wide
Tier 3 (Repeatable): formally approved policies, defined processes, regular review
Tier 4 (Adaptive): continuous improvement, adaptive responses, predictive insights
Tiers are aspirational; CSF does not require a specific tier. Organizations select a target tier appropriate to their risk environment and capability.
Using CSF as an Organizing Index
The most powerful use of CSF 2.0 in mature enterprise environments is as an organizing index across multiple compliance frameworks and internal programs. A single set of cybersecurity activities, evidenced by continuous scanning and operational records, can be presented to stakeholders through different lenses:
CSF 2.0 view for board reporting and executive dashboards
NIST 800-53 view for federal contracts and FedRAMP authorizations
ISO 27001 view for international customers requiring certification
SOC 2 view for SaaS customer security questionnaires
CIS Controls / Benchmarks view for operational engineering teams
Continuous compliance tooling that maintains all these mappings simultaneously delivers the same evidence to all stakeholders without re-deriving the data for each audience.
Common CSF 2.0 Adoption Mistakes
Organizations adopting CSF 2.0 commonly stumble in the same places:
Treating CSF as a compliance framework. CSF is a voluntary organizing framework, not a compliance regime. Treating it as a checklist produces the documentation overhead of compliance without the supporting structure of an assessor or contractual gate.
Adopting too many subcategories at once. CSF 2.0 has 106 subcategories. Attempting all of them simultaneously, without prioritization, scatters effort. Mature programs prioritize subcategories based on risk and capability.
Skipping the Profile step. A profile tailored to the organization's context is far more useful than the generic framework. Skipping the profile work leaves the organization aiming at every subcategory equally.
Underinvesting in Govern. The new Govern function feels organizational and abstract; technical teams underinvest in it. Without governance, the other functions cannot operate consistently. This shows up in audits as inconsistent practice across teams.
Conflating Tiers with maturity ranking. Tiers describe approach, not maturity. A Tier 2 program executed well outperforms a Tier 4 program executed poorly. The tier is a strategic choice.
How CISGuard Maps to CSF 2.0
CISGuard's continuous CIS benchmark scanning satisfies a substantial portion of the Protect function categories and the configuration-monitoring elements of Detect:
PR.PS Platform Security: full coverage through CIS benchmark scanning across 22 supported benchmarks
PR.AA Access Control: account, authentication, and authorization configuration evaluation
PR.DS Data Security: cryptographic configuration evaluation per platform
DE.CM Continuous Monitoring: every scan is a continuous monitoring data point with drift comparison
DE.AE Adverse Event Analysis: regression vs improvement classification on every scan
CISGuard's framework mapping engine produces CSF 2.0 coverage reports alongside NIST 800-53, ISO 27001, SOC 2, and CIS Controls v8 reports. Evidence captured once feeds multiple frameworks simultaneously.
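As an added illustration of the two mechanisms this page describes, drift comparison between consecutive scans (DE.CM / DE.AE) and projecting one set of scan evidence onto several framework views (the "organizing index" above), here is a small Python sketch. It is example code written for this article, not CISGuard's engine or CIS's published mapping; the check IDs, the check-to-category mappings, and the scan results are constructed for the example.

```python
from collections import defaultdict

# Constructed illustrative mappings from benchmark check IDs to framework views.
# The check IDs and both mappings are invented for this example; CIS's published
# CIS Controls v8 <-> CSF 2.0 mapping is not reproduced here.
CHECK_TO_CSF = {
    "chk-pw-min-len": "PR.AA", "chk-mfa-admin": "PR.AA",
    "chk-tls12-min": "PR.DS", "chk-disk-encrypt": "PR.DS",
    "chk-ssh-root-login": "PR.PS", "chk-auditd-enabled": "PR.PS",
}
CHECK_TO_CIS = {
    "chk-pw-min-len": "CIS 5", "chk-mfa-admin": "CIS 6",
    "chk-tls12-min": "CIS 3", "chk-disk-encrypt": "CIS 3",
    "chk-ssh-root-login": "CIS 4", "chk-auditd-enabled": "CIS 8",
}

# Constructed sample results of two consecutive scans: check id -> passed?
BASELINE_SCAN = {
    "chk-pw-min-len": True, "chk-mfa-admin": True, "chk-tls12-min": False,
    "chk-disk-encrypt": True, "chk-ssh-root-login": True,
}
CURRENT_SCAN = {
    "chk-pw-min-len": True, "chk-mfa-admin": False, "chk-tls12-min": True,
    "chk-disk-encrypt": True, "chk-ssh-root-login": True, "chk-auditd-enabled": False,
}


def classify_drift(baseline, current):
    """DE.CM/DE.AE: diff two scans and label each change as a regression
    (pass -> fail), an improvement (fail -> pass), a new check or a dropped check."""
    return {
        "regressions": sorted(c for c in current if baseline.get(c) is True and not current[c]),
        "improvements": sorted(c for c in current if baseline.get(c) is False and current[c]),
        "new": sorted(c for c in current if c not in baseline),
        "dropped": sorted(c for c in baseline if c not in current),
    }


def coverage(scan, mapping):
    """Project one set of scan evidence onto a framework view.
    Returns {category: (passed, total)}; checks missing from the mapping land
    under 'UNMAPPED' so evidence is never silently lost."""
    tally = defaultdict(lambda: [0, 0])
    for check, passed in scan.items():
        cat = mapping.get(check, "UNMAPPED")
        tally[cat][1] += 1
        tally[cat][0] += int(passed)
    return {cat: tuple(v) for cat, v in sorted(tally.items())}


def regressions_by_category(baseline, current, mapping):
    """Which framework categories lost evidence since the last scan (drift triage)."""
    regs = classify_drift(baseline, current)["regressions"]
    return sorted({mapping.get(c, "UNMAPPED") for c in regs})
```

The same CURRENT_SCAN dictionary feeds both `coverage(CURRENT_SCAN, CHECK_TO_CSF)` and `coverage(CURRENT_SCAN, CHECK_TO_CIS)`, which is the single-evidence, many-views idea in practice.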
CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.