NIST Cybersecurity Framework 2.0: a practical overview
CSF 2.0 introduced the Govern function and broadened scope beyond critical infrastructure — a clear primer for any company using it as a yardstick.
The NIST Cybersecurity Framework 2.0, released in February 2024, expands the original five functions — Identify, Protect, Detect, Respond, Recover — by adding a sixth, Govern. The Govern function consolidates risk management strategy, roles, policy, oversight, and supply chain governance into one explicit pillar. CSF 2.0 also formally drops the "critical infrastructure" framing of version 1.1 and is positioned for organizations of any size or sector.
Each function decomposes into Categories and Subcategories. There are 22 Categories and 106 Subcategories in total. For example, the Detect function contains DE.CM (Continuous Monitoring) with subcategories such as DE.CM-01 covering monitoring of networks for malicious activity. Each Subcategory maps to Informative References — concrete controls in NIST SP 800-53, ISO 27001, COBIT, or CIS Controls v8 — letting you choose the operational standard underneath.
The framework is descriptive rather than prescriptive: it tells you what outcomes to achieve, not how. Organizations express their current state and target state using Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) and Profiles. A Profile is a selected set of Subcategories that match your business priorities and risk tolerance. NIST publishes Community Profiles for sectors like manufacturing, election infrastructure, and small business.
For Azerbaijani organizations, CSF 2.0 is useful as a self-assessment scaffold even if you are pursuing ISO 27001 for certification. The mapping between CSF and ISO 27001:2022 is published by NIST, so you can run one assessment and produce evidence usable for both. Start with a current Profile workshop — interview department heads against the 106 Subcategories — and rate each on a 0 to 4 maturity scale. Within two weeks you have a defensible roadmap and a heat map for the board.
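The workshop output described above (one current and one target maturity score per Subcategory, rolled up into a per-Function heat map for the board) is easy to keep in a small script rather than a spreadsheet. The following is an added example, not part of the original article or of NIST's own tooling: it assumes the 0 to 4 scale from the workshop, a target Profile expressed as a target score per Subcategory, and three colour thresholds (RED below 1.5, AMBER below 3.0, GREEN otherwise) that are this example's own choice. The Subcategory identifiers follow the CSF 2.0 naming scheme; the scores are constructed and do not come from any real assessment.

```python
"""Roll up a CSF 2.0 current/target Profile assessment into a per-Function heat map.

Added example; thresholds and sample scores are assumptions, not NIST guidance.
"""
from collections import defaultdict
from dataclasses import dataclass

# The six CSF 2.0 Functions, keyed by the prefix used in Subcategory identifiers.
FUNCTIONS = {
    "GV": "Govern", "ID": "Identify", "PR": "Protect",
    "DE": "Detect", "RS": "Respond", "RC": "Recover",
}
MAX_SCORE = 4  # 0..4 maturity scale used in the workshop


@dataclass(frozen=True)
class Rating:
    subcategory: str  # CSF 2.0 identifier, e.g. "DE.CM-01"
    current: int      # current-Profile maturity, 0..4
    target: int       # target-Profile maturity, 0..4

    def __post_init__(self):
        # Reject identifiers outside the six Functions and scores off the scale,
        # so a typo in the workshop sheet fails loudly instead of skewing the map.
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown Function prefix in {self.subcategory!r}")
        for name, value in (("current", self.current), ("target", self.target)):
            if not 0 <= value <= MAX_SCORE:
                raise ValueError(f"{name}={value} for {self.subcategory} is outside 0..{MAX_SCORE}")

    @property
    def function(self) -> str:
        return self.subcategory.split(".", 1)[0]  # "DE.CM-01" -> "DE"

    @property
    def category(self) -> str:
        return self.subcategory.split("-", 1)[0]  # "DE.CM-01" -> "DE.CM"


def rollup(ratings, key="function"):
    """Average current and target scores per Function (or per Category) plus the gap."""
    buckets = defaultdict(list)
    for r in ratings:
        buckets[getattr(r, key)].append(r)
    out = {}
    for k, rs in sorted(buckets.items()):
        cur = sum(r.current for r in rs) / len(rs)
        tgt = sum(r.target for r in rs) / len(rs)
        out[k] = {"current": round(cur, 2), "target": round(tgt, 2),
                  "gap": round(tgt - cur, 2), "n": len(rs)}
    return out


def heat(score):
    """Bucket an average 0..4 score into a board-level colour (thresholds are assumed)."""
    if score < 1.5:
        return "RED"
    if score < 3.0:
        return "AMBER"
    return "GREEN"


def priorities(ratings, top=3):
    """Subcategories with the largest target-minus-current gap; ties broken by identifier."""
    return sorted(ratings, key=lambda r: (-(r.target - r.current), r.subcategory))[:top]


def render(ratings):
    """Plain-text heat map, one row per Function, coloured on the current score."""
    lines = [f"{'Function':<10}{'Cur':>5}{'Tgt':>5}{'Gap':>5}  Heat"]
    for fn, row in rollup(ratings).items():
        lines.append(f"{FUNCTIONS[fn]:<10}{row['current']:>5}{row['target']:>5}"
                     f"{row['gap']:>5}  {heat(row['current'])}")
    return "\n".join(lines)


# Constructed sample workshop output (a few Subcategories, not all 106); scores are illustrative.
SAMPLE = [
    Rating("GV.RM-01", 1, 3),
    Rating("GV.SC-01", 0, 3),
    Rating("ID.AM-01", 2, 3),
    Rating("ID.RA-01", 2, 4),
    Rating("PR.AA-01", 3, 4),
    Rating("PR.DS-01", 3, 3),
    Rating("DE.CM-01", 1, 3),
    Rating("DE.AE-02", 2, 3),
    Rating("RS.MA-01", 1, 3),
    Rating("RC.RP-01", 0, 2),
]

if __name__ == "__main__":
    print(render(SAMPLE))
    print("Top gaps:", [r.subcategory for r in priorities(SAMPLE)])
```

Scoring the full 106 Subcategories simply means a longer list of `Rating` objects; `rollup(ratings, key="category")` gives the 22-row Category view when the board wants one level more detail, and `priorities()` turns the same data into the first items on the roadmap.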
Related reading
What is ISO 27001 and why your company in Azerbaijan needs the certification
ISO 27001 is the global benchmark for information security management — here is what an Azerbaijani company actually has to do to get certified.
GDPR for Azerbaijani businesses: when EU rules apply and what to do
Even if your office is in Baku, GDPR may bind you the moment you market to or monitor EU residents — here is the test and the practical response.
Azerbaijan Personal Data Law: practical compliance guide
The 1998 law on personal data, modernized in 2010 and 2022, has real teeth — fines, registration duties, and localization obligations every operator must know.