NIST CSF 2.0 · Voluntary · Released Feb 2024

A practitioner's guide to the NIST Cybersecurity Framework 2.0

The voluntary US framework that quietly became the global default control-mapping baseline. What changed in v2.0, how the six Core Functions translate into a real programme, and where Indian businesses fit it alongside RBI, SEBI, and DPDP.

6 Core Functions · Released 2024 · 23 Categories · 106 Subcategories

01 What NIST CSF is

The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the US National Institute of Standards and Technology. It was first issued in 2014 under a presidential executive order targeting US critical-infrastructure operators — energy, water, finance, transport. Version 1.1 followed in 2018 with minor refinements. Version 2.0 was published in February 2024 and is the version you should be building against today.

Despite being a US-origin and explicitly voluntary instrument, CSF has become the de-facto global vocabulary for talking about cyber programmes. Boards, investors, insurers, and procurement teams across geographies use its function names — Govern, Identify, Protect, Detect, Respond, Recover — as a common reference grid. Indian regulators including RBI and SEBI cite it in their own directions.

What it is not: CSF is not a certification, not a checklist, and not a control catalogue. It is an outcomes-based framework. The actual controls live in companion documents (NIST SP 800-53, CIS Controls, ISO 27001) which CSF references via its Informative References appendix.

02 What changed in CSF 2.0

The 2024 revision is the largest change since 2014. The headline shifts:

  • GOVERN added as a sixth Core Function. Risk strategy, roles, supply-chain, policy, and oversight are now first-class, not buried inside Identify.
  • Scope broadened. v1.x was framed for US critical infrastructure. v2.0 is explicitly for organisations of any size, sector, or jurisdiction.
  • Implementation Tiers refreshed. Tiers are now clearly a description of risk-management practice, not a maturity score to chase.
  • Quick Start Guides added. Sector-specific and use-case-specific overlays — Small Business, Enterprise Risk Management, Community Profile creation, Cybersecurity Supply Chain Risk Management.
  • Deeper supply-chain and ERM coverage. Cybersecurity Supply Chain Risk Management (C-SCRM) is now a top-level Govern category with its own subcategories.
  • CSF 2.0 Reference Tool (CFR). An online tool to browse the framework and download cross-mappings in machine-readable formats.

03 The six Core Functions

The Core is the top layer of the framework: six functions, each describing a cluster of cybersecurity outcomes.

  • GOVERN (GV) — new in 2.0. Establish, communicate, and monitor the organisation's cyber risk strategy, expectations, and policy. Outcomes: clear roles, risk appetite, oversight, supply-chain risk management, legal and regulatory alignment.
  • IDENTIFY (ID). Understand the organisation's assets, business context, and risks. Outcomes: asset inventory, risk assessment, improvement programme.
  • PROTECT (PR). Implement safeguards to deliver the critical services. Outcomes: identity and access, awareness training, data security, platform security, technology infrastructure resilience.
  • DETECT (DE). Identify cybersecurity events in a timely manner. Outcomes: continuous monitoring, adverse-event analysis.
  • RESPOND (RS). Take action on a detected incident. Outcomes: incident management, analysis, response reporting, mitigation.
  • RECOVER (RC). Restore capabilities or services after an incident. Outcomes: incident-recovery plan execution, communications during recovery.

The six functions are presented as a wheel in NIST documentation, with Govern at the centre and the other five arrayed around it — Govern is the spine that the operational five hang off.

04 Categories and Subcategories

Each Function contains Categories (outcomes), and each Category contains Subcategories (specific results). 2.0 has 23 Categories and 106 Subcategories. The two-letter codes are how mappings reference them.

Function | Categories | Sample codes
GOVERN (6) | Organizational Context, Risk Management Strategy, Roles & Responsibilities, Policy, Oversight, Cybersecurity Supply Chain Risk Management | GV.OC, GV.RM, GV.RR, GV.PO, GV.OV, GV.SC
IDENTIFY (3) | Asset Management, Risk Assessment, Improvement | ID.AM, ID.RA, ID.IM
PROTECT (5) | Identity Management & Access Control, Awareness & Training, Data Security, Platform Security, Technology Infrastructure Resilience | PR.AA, PR.AT, PR.DS, PR.PS, PR.IR
DETECT (3) | Continuous Monitoring, Adverse Event Analysis (and integration outcomes) | DE.CM, DE.AE
RESPOND (5) | Incident Management, Analysis, Response Reporting & Communication, Incident Mitigation (and improvement) | RS.MA, RS.AN, RS.CO, RS.MI
RECOVER (2) | Incident Recovery Plan Execution, Incident Recovery Communication | RC.RP, RC.CO

Subcategories like GV.SC-07 ("the risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized…") are where the framework becomes actionable — each is a specific outcome you can assess yourself against.

05 Implementation Tiers

Tiers describe the rigour of an organisation's cyber risk-management practice. They are not a maturity scoreboard.

  • Tier 1 — Partial. Risk management is ad-hoc, often reactive. Limited awareness of cyber risk at the organisational level. No formal information-sharing with peers or supply chain.
  • Tier 2 — Risk Informed. Management has approved cyber risk practices but they are not enterprise-wide. Some information sharing, but informal.
  • Tier 3 — Repeatable. Risk-management practices are formally approved and expressed as policy. The organisation actively shares and consumes cyber threat information. Supply-chain risk is managed.
  • Tier 4 — Adaptive. The organisation adapts its practices based on lessons learnt and predictive indicators. Cyber risk is an organisation-wide consideration in all decisions, including budget and procurement. Real-time threat-intel exchange with peers.

Common misuse: setting "Tier 4" as a target for everyone. NIST is explicit that the right Tier is the one matched to the organisation's risk appetite and resources. A 40-person SaaS with a low-sensitivity product hitting Tier 4 across every Function is over-investing; a systemic bank stuck at Tier 2 is under-investing.

06 Profiles and gap analysis

Profiles are how you put CSF to work. A Profile is the set of Subcategory outcomes you select as relevant, with a current and target state for each.

  • Current Profile. An honest assessment of where you are today against each chosen Subcategory — typically scored on a partial / largely / fully achieved scale, with evidence.
  • Target Profile. Where you need to be, driven by business context, risk appetite, regulatory obligations, and stakeholder expectations.
  • Gap analysis and roadmap. The delta between Current and Target becomes the prioritised remediation backlog, sequenced by risk and feasibility.
  • Community Profiles. Sector-specific reference Profiles published by industry groups — healthcare, manufacturing, election infrastructure, small business. They give you a credible starting point instead of a blank page.

The Current vs Target Profile loop is the single most useful artefact CSF gives you. It survives leadership changes, makes board reporting concrete, and converts vague "we should be more secure" debates into a list of dated work items.

07 Mapping to other standards

CSF deliberately doesn't prescribe controls. It points at other catalogues via Informative References. The 2.0 cross-mappings published alongside the Reference Tool cover:

  • NIST SP 800-53 Rev. 5. The federal control catalogue — the most granular mapping target; one CSF Subcategory typically maps to multiple 800-53 controls.
  • CIS Controls v8. The pragmatic, prioritised control list maintained by the Center for Internet Security.
  • ISO/IEC 27001:2022 and 27002:2022. The international ISMS standard and its companion control set.
  • COBIT 2019. ISACA's governance and management framework.
  • MITRE ATT&CK. Adversary tactics and techniques — useful for Detect and Respond Subcategories.
  • NIST Privacy Framework. For organisations integrating cyber and privacy programmes (highly relevant for DPDP-bound Indian entities).

Practical pattern: use CSF as the top-layer narrative for boards and auditors, then point each Subcategory at your chosen control catalogue (most Indian ISO 27001-certified firms map CSF outcomes to Annex A controls). This keeps board reporting consistent while preserving the certification trail.

08 Why Indian businesses adopt CSF

CSF is not legally required anywhere in India. Adoption is driven by:

  • Investor and customer diligence. US, EU, and Singaporean enterprise buyers routinely ask "what's your CSF tier" or "show your CSF Profile" as part of vendor onboarding.
  • Evidence layer for ISO 27001 and SOC 2. CSF Subcategories give a clean outcome-based articulation that complements ISO Annex A and SOC 2 Trust Services Criteria.
  • Enterprise sales. Larger Indian SaaS firms that sell to regulated US verticals (banking, healthcare, public sector) treat CSF readiness as table stakes in their RFP responses.
  • Indian regulator references. RBI's Master Direction on IT Governance (Nov 2023) cites NIST CSF as a reference framework. SEBI's CSCRF (2024) explicitly maps to NIST functions.
  • Cyber insurance. Underwriters increasingly use CSF outcomes as a structured way to assess applicants.

09 CSF × DPDP

The Digital Personal Data Protection Act 2023 imposes "reasonable security safeguards" on Data Fiduciaries (§8) without prescribing them. CSF 2.0 fits naturally as the articulation:

  • GOVERN. The fiduciary's accountability obligations — designated DPO for Significant Data Fiduciaries, board-level oversight, supplier obligations — map cleanly to GV.RR, GV.OV, GV.SC.
  • PROTECT. PR.AA (identity and access control), PR.DS (data security), PR.AT (awareness) cover the operational layer of "reasonable security safeguards".
  • DETECT and RESPOND. Breach detection and the 72-hour breach notification timeline land squarely in DE.CM, DE.AE, RS.MA, and RS.CO.
  • IDENTIFY. ID.AM (asset and data inventory) is the foundation for the data-mapping exercise DPDP implicitly requires.

See our DPDP Act guide for the obligations side of this mapping.

10 CSF × RBI / SEBI

Both regulators reference NIST. The most useful practitioner alignment is to SEBI's CSCRF, which restructured around five cyber-resilience functions:

SEBI CSCRF Function | Maps to NIST CSF 2.0
Anticipate | GOVERN + IDENTIFY (risk strategy, asset and risk understanding)
Withstand | PROTECT (controls that absorb attack pressure)
Contain | DETECT + RESPOND (early detection, scoped response)
Recover | RECOVER (recovery plan, communications)
Evolve | GOVERN (lessons learnt, improvement, oversight)

RBI's Master Direction on IT Governance (Nov 2023) and the older Cyber Security Framework circular (2016) don't restructure CSF, but examiners increasingly accept a CSF Current/Target Profile as a credible self-assessment artefact alongside the prescribed evidence. See the RBI Cyber Framework guide and the SEBI CSCRF guide for the regulator-side detail.

11 Common adoption mistakes

  • Treating CSF as a checklist. CSF is outcome-based. "We do PR.AA-01" is meaningless without evidence; you score yourself on whether the outcome is achieved, not whether the control exists on paper.
  • Skipping GOVERN. Operational teams gravitate to Protect and Detect. Without GV.RM, GV.RR, GV.SC the programme is rudderless and supply-chain risk falls through.
  • Tier 4 as the goal. Tiers are risk-informed choices, not a ladder to climb. Pick the Tier that matches your sector and risk appetite and defend it.
  • Target Profile before Current Profile. Aspirations without an honest baseline produce roadmaps that miss the real gaps. Always baseline first.
  • One Profile for the whole organisation. A multi-business-line group should have several Profiles — consumer fintech vs B2B SaaS vs corporate IT have different risk pictures.
  • Mapping CSF to controls once, then never refreshing. Subcategories evolve (2.0 added 12, removed 2, reworded many). Re-baseline annually.
  • Confusing CSF with NIST SP 800-53. 800-53 is a US federal control catalogue. CSF is the framework that points at it. They are not interchangeable.

12 12-week NIST CSF 2.0 adoption roadmap

For a mid-size Indian organisation adopting CSF for the first time:

  • Weeks 1-2 — Scope and context. Pick the business lines and systems in scope. Document organisational context (mission, stakeholders, regulatory obligations, risk appetite). GV.OC outcomes.
  • Weeks 3-4 — Subcategory selection. Decide which of the 106 Subcategories apply. Use a Community Profile (your sector's, or a small business overlay) as a starting point. Document rationale for exclusions.
  • Weeks 5-7 — Current Profile baseline. Workshop each in-scope Subcategory with the owning team. Score (not achieved / partially / largely / fully). Capture evidence references. Be honest — a sanitised baseline is a useless baseline.
  • Week 8 — Target Profile. For each Subcategory, set the target state and the Tier you are anchoring to. Make the trade-offs explicit.
  • Week 9 — Gap analysis and prioritisation. Score gaps by risk reduction × effort. Sequence into quarterly work packages.
  • Week 10 — Roadmap and board paper. Document the roadmap with owners, dates, budget. Present to ExCom / Board.
  • Weeks 11-12 — Operationalise. Stand up the cadence: quarterly Subcategory review, annual full re-baseline, half-yearly Profile refresh against threat-landscape changes.
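The Current vs Target Profile loop from section 06 and the Week 9 gap scoring above, worked through as an added example (this is illustrative code written for this guide, not a NIST or RingSafe tool). The Subcategory codes are real CSF 2.0 identifiers; the achievement scores, risk weights and effort figures are constructed sample data.

```python
# Added example: Current vs Target Profile gap analysis for a handful of
# CSF 2.0 Subcategories, scored on the "not achieved / partially / largely /
# fully" scale and prioritised by risk reduction x effort, then packed into
# quarterly work packages. All scores and weights below are constructed.
from dataclasses import dataclass

SCALE = {"not achieved": 0, "partially": 1, "largely": 2, "fully": 3}

@dataclass
class Subcategory:
    code: str
    current: str      # achievement level today (backed by evidence)
    target: str       # achievement level the Target Profile requires
    risk_weight: int  # 1-5: how much risk closing this gap removes (constructed)
    effort: int       # 1-5: relative delivery effort (constructed)

def gap(sc: Subcategory) -> int:
    """Scale steps between Current and Target; 0 means no gap to close."""
    return max(0, SCALE[sc.target] - SCALE[sc.current])

def priority(sc: Subcategory) -> float:
    """Risk reduction per unit of effort; 0 when the outcome is already met."""
    return gap(sc) * sc.risk_weight / sc.effort

def sequence(profile, per_quarter=2):
    """Rank open gaps by priority and split them into quarterly work packages."""
    ranked = sorted((s for s in profile if gap(s) > 0), key=priority, reverse=True)
    return [ranked[i:i + per_quarter] for i in range(0, len(ranked), per_quarter)]

# Constructed sample Profile: five Subcategories spanning all Functions in play.
PROFILE = [
    Subcategory("GV.SC-07", "not achieved", "largely", 5, 3),
    Subcategory("PR.AA-01", "largely", "fully", 3, 2),
    Subcategory("DE.CM-01", "partially", "fully", 4, 4),
    Subcategory("RS.CO-02", "fully", "fully", 2, 1),   # no gap: stays off the roadmap
    Subcategory("ID.AM-01", "partially", "largely", 3, 1),
]

if __name__ == "__main__":
    for q, package in enumerate(sequence(PROFILE), start=1):
        items = ", ".join(f"{s.code} (gap {gap(s)}, prio {priority(s):.2f})" for s in package)
        print(f"Q{q}: {items}")
```

Swap in your own scores and weights from the Week 5-7 workshops; the ranking is only as honest as the Current Profile behind it.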

13 Useful NIST resources

  • Cybersecurity Framework Reference Tool (CFR). Online browser for the framework with downloadable cross-mappings — nist.gov/cyberframework.
  • Quick Start Guides. Small Business QSG, Enterprise Risk Management QSG, Community Profile creation QSG, C-SCRM QSG. All free PDF downloads from the NIST CSF site.
  • Implementation Examples. Subcategory-level worked examples published by NIST — useful when an outcome statement feels abstract.
  • Informative References. The cross-mapping appendix to 800-53, CIS Controls, ISO 27001, COBIT, MITRE ATT&CK.
  • Community Profiles registry. NIST maintains an index of sector-specific Profiles contributed by industry groups.
  • NIST Privacy Framework. Companion framework for privacy outcomes, structured the same way — relevant for DPDP-bound entities.

Reading order: start with the CSF 2.0 core document (~30 pages), then the Small Business or Enterprise Risk Management Quick Start Guide that matches your context, then browse the Reference Tool to see how Subcategories map to your existing control framework.

14 How RingSafe helps

We treat CSF 2.0 as a working tool, not a deliverable. A typical engagement:

  • Readiness review. Two-week diagnostic against the framework. Output: a heat-mapped initial view across all six Functions with the top 10 gaps flagged.
  • Current Profile baseline. Structured workshops with each function owner, evidence collection, Subcategory-level scoring. Output: a defensible Current Profile with traceable evidence references.
  • Target Profile workshop. Board-level session to set risk appetite, Tier targets, and Subcategory-level targets. Output: signed-off Target Profile.
  • Prioritised remediation plan. Gap-to-roadmap conversion sequenced by risk reduction and feasibility, with owners and dates.
  • Ongoing cadence support. Quarterly review, annual re-baseline, board paper drafting, Profile updates in response to regulatory or threat-landscape shifts.

If you are mapping CSF alongside RBI, SEBI CSCRF, ISO 27001, or DPDP, that cross-mapping is the part of the work we do most often — see our India compliance overview for how the frameworks fit together.

Get a Defensible Baseline

From framework on paper to working programme

A 30-minute consultation. We map your current state against NIST CSF 2.0 and give you a Current Profile baseline plus a prioritised 12-week roadmap to your Target Profile.