What is NIST CSF 2.0?
The NIST Cybersecurity Framework (CSF) 2.0 was released in February 2024, replacing version 1.1 from 2018. The framework was originally published as v1.0 in 2014 for US critical infrastructure operators; with the 2.0 release, NIST explicitly broadened its audience to all organisations, of any size or sector, anywhere in the world, including SaaS companies.
CSF is not a certification framework like ISO 27001, not an attestation like SOC 2, and not a regulation like GDPR. It's a reference taxonomy for organising and communicating cybersecurity outcomes. Think of it as a common language for talking about what your security programme does — useful internally for organising work, and externally for explaining your posture to customers, regulators, or partners.
The key change in v2.0: GOVERN is a 6th function
CSF 1.1 had five functions: Identify, Protect, Detect, Respond, Recover. CSF 2.0 added Govern (GV) as the new first pillar.
This reflects a hard-learned lesson: technical controls without governance fail. You can have the best EDR, the best SIEM, the best pen test — and still get breached because no one owned the risk register, no one defined the strategy, and no one made decisions when controls broke.
The Govern function pulls together: organisational context, risk management strategy, roles and responsibilities, policies, oversight, and supply chain risk management. In 1.1 most of these lived inside Identify (ID.BE, ID.GV, ID.RM, ID.SC); in 2.0 they're first-class concerns with their own function.
The six functions overview
| Function | What It Covers | Example Outcomes | SOC 2 / ISO 27001 Mapping |
|---|---|---|---|
| GV — Govern | Organisational context, risk strategy, roles, policy, oversight, supply chain | Documented security strategy; CISO accountable to board; risk appetite defined | SOC 2 CC1.x (Control Environment); ISO 27001 Cl. 4–6, A.5 |
| ID — Identify | Asset management, risk assessment, improvement | Asset inventory; data classification; risk register | SOC 2 CC3.x (Risk Assessment); ISO 27001 Cl. 6.1, A.5.9, A.5.12, A.8.8 |
| PR — Protect | Identity, training, data security, platform security, resilient infrastructure | MFA everywhere; encryption at rest/in transit; security awareness | SOC 2 CC5.x–CC6.x; ISO 27001 A.5.15–18, A.6.3, A.8.5–11, A.8.24–25 |
| DE — Detect | Continuous monitoring, adverse event analysis | SIEM with alerts; log review; anomaly detection | SOC 2 CC7.2; ISO 27001 A.8.15–16 |
| RS — Respond | Incident management, analysis, reporting and communication, mitigation | IR plan; tabletop exercises; regulator notification process | SOC 2 CC7.3–4; ISO 27001 A.5.24–28 |
| RC — Recover | Recovery plan execution, recovery communication | BCP/DRP tested; RTO/RPO defined; post-incident review (feeds ID.IM) | SOC 2 CC7.5, A1.x (Availability); ISO 27001 A.5.29–30 |
GOVERN (GV) categories
- GV.OC — Organisational Context: Mission, stakeholders, legal/regulatory requirements understood
- GV.RM — Risk Management Strategy: Risk appetite, tolerance, prioritisation defined
- GV.RR — Roles, Responsibilities, Authorities: Cybersecurity roles defined and resourced
- GV.PO — Policy: Policies established, communicated, enforced
- GV.OV — Oversight: Strategy and performance reviewed; outcomes inform improvements
- GV.SC — Cybersecurity Supply Chain Risk Management: SCRM programme covering identification, assessment, monitoring of suppliers
IDENTIFY (ID) categories
- ID.AM — Asset Management: Inventory of hardware, software, data, services
- ID.RA — Risk Assessment: Threats, vulnerabilities, impacts identified and assessed
- ID.IM — Improvement: Lessons learned; programme improved over time
PROTECT (PR) categories
- PR.AA — Identity Management, Authentication, Access Control: JML, MFA, least privilege
- PR.AT — Awareness and Training: Security awareness, role-based training
- PR.DS — Data Security: Encryption at rest/in transit; data lifecycle
- PR.PS — Platform Security: Hardening, patching, malware protection
- PR.IR — Technology Infrastructure Resilience: Resilient network and infrastructure
DETECT (DE) categories
- DE.CM — Continuous Monitoring: Networks, systems, users, environment monitored
- DE.AE — Adverse Event Analysis: Events correlated, analysed, characterised
RESPOND (RS) categories
- RS.MA — Incident Management: Incident response process executed
- RS.AN — Incident Analysis: Scope, impact, root cause determined
- RS.CO — Incident Response Reporting and Communication: Stakeholders, regulators, customers
- RS.MI — Incident Mitigation: Containment and eradication actions
RECOVER (RC) categories
- RC.RP — Incident Recovery Plan Execution: Restore systems and operations
- RC.CO — Incident Recovery Communication: Status updates to stakeholders
NIST CSF 2.0 vs SOC 2 vs ISO 27001
| Dimension | NIST CSF 2.0 | SOC 2 | ISO 27001:2022 |
|---|---|---|---|
| Scope | Cybersecurity outcomes | Trust services (Security mandatory; others optional) | Information security management system (ISMS) |
| Audience | Any organisation | US-centric but global adoption; service organisations | Global, all industries |
| Certification? | No (self-assessment) | Attestation by CPA firm | Certification by accredited body |
| Cost | Free framework, optional consulting | $15k–$50k+ annual audit + readiness | $15k–$60k+ initial certification + surveillance |
| Use case | Internal organisation; cross-framework communication; gap analysis | Customer trust signal (US); enterprise sales requirement | Global trust signal; certification badge; regulator-recognised |
NIST CSF as a gap analysis tool
CSF defines four Implementation Tiers describing how rigorous your cybersecurity risk governance and management practices are. NIST is careful not to call them maturity levels, but in practice they get used as a rough one, and that is how the table below uses them:
| Tier | Name | SaaS-Specific Example |
|---|---|---|
| Tier 1 | Partial | Reactive only; security handled ad-hoc when something breaks; no formal policies; founder/CTO acts as ad-hoc CISO; no logging or alerting beyond what cloud provider gives by default |
| Tier 2 | Risk Informed | Risk awareness exists; key policies written (IRP, AUP); some logging in place; MFA enabled; but processes are inconsistent and not measured |
| Tier 3 | Repeatable | Formal policies; risk register reviewed quarterly; SIEM with alerts; phishing training quarterly; vendor risk assessments; ready for SOC 2 / ISO 27001 |
| Tier 4 | Adaptive | Continuous improvement loop; threat intelligence integrated; mature SOC or MSSP; supply chain risk programme; predictive vs reactive |
Most SaaS companies starting out sit at Tier 1–2. SOC 2 / ISO 27001 readiness typically maps to Tier 3.
CSF Profiles: Current vs Target
A CSF Profile is a snapshot of which outcomes you currently achieve and which you target. The process:
- Scope: Define the organisational scope (whole company, or specific product line)
- Current Profile: For each of the 106 Subcategories in CSF 2.0 (grouped into 22 Categories under the 6 Functions), mark your current achievement level
- Target Profile: Define what level you need (drives sales / regulatory / risk appetite)
- Gap analysis: The delta is your improvement backlog
- Action plan: Prioritised by risk and effort, with owners and timelines
Free tools: NIST CSF 2.0 Reference Tool lets you build profiles online. The Quick-Start Guides are particularly useful for small businesses.
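A worked example of the Current-vs-Target gap analysis above, added here rather than taken from NIST's Reference Tool. It uses a few real CSF 2.0 Subcategory IDs as keys, but the 0–3 achievement scale, the risk and effort weights, the owners and every score are constructed assumptions for illustration; replace them with your own assessment.

```python
"""Current-vs-Target CSF Profile gap analysis.

Added example, not NIST's Reference Tool. Subcategory IDs are CSF 2.0 IDs,
but the scores, risk/effort weights and owners are constructed for illustration.
"""
from dataclasses import dataclass

# Achievement scale used here (an assumption; CSF itself does not prescribe one):
# 0 = not started, 1 = partial, 2 = largely achieved, 3 = fully achieved.


@dataclass(frozen=True)
class Outcome:
    subcategory: str   # CSF 2.0 Subcategory ID, e.g. "PR.AA-03"
    current: int       # Current Profile score, 0-3
    target: int        # Target Profile score, 0-3
    risk: int          # residual risk the gap carries, 1-5 (assumed scale)
    effort: int        # rough effort to close the gap, 1-5 (assumed scale)
    owner: str

    @property
    def gap(self) -> int:
        """Levels still to climb; outcomes already above target count as 0."""
        return max(self.target - self.current, 0)

    @property
    def priority(self) -> float:
        """Higher = close first: big gap on a high-risk outcome that is cheap to fix."""
        return self.gap * self.risk / self.effort


def gap_analysis(outcomes):
    """Return only outcomes with a gap, highest priority first (ID breaks ties)."""
    return sorted((o for o in outcomes if o.gap > 0),
                  key=lambda o: (-o.priority, o.subcategory))


def action_plan(outcomes):
    """Group the backlog by CSF Function ("PR.AA-03" -> "PR") so each area gets one list."""
    plan = {}
    for o in gap_analysis(outcomes):
        plan.setdefault(o.subcategory.split(".")[0], []).append(o)
    return plan


def coverage(outcomes):
    """Share of assessed outcomes already at or above target: a simple profile metric."""
    if not outcomes:
        return 0.0
    return sum(1 for o in outcomes if o.gap == 0) / len(outcomes)


# Constructed sample profile: one outcome per Function, scores are illustrative.
SAMPLE = [
    Outcome("GV.RM-01", current=1, target=3, risk=4, effort=2, owner="CTO"),
    Outcome("ID.AM-01", current=2, target=3, risk=3, effort=1, owner="Platform"),
    Outcome("PR.AA-03", current=3, target=3, risk=5, effort=3, owner="IT"),   # MFA already done
    Outcome("DE.CM-01", current=0, target=2, risk=5, effort=4, owner="SecOps"),
    Outcome("RS.MA-01", current=1, target=3, risk=4, effort=2, owner="SecOps"),
    Outcome("RC.RP-01", current=1, target=2, risk=3, effort=3, owner="Platform"),
]

if __name__ == "__main__":
    print(f"coverage: {coverage(SAMPLE):.0%}")
    for function, items in action_plan(SAMPLE).items():
        for o in items:
            print(f"{function}  {o.subcategory}  gap={o.gap}  "
                  f"priority={o.priority:.1f}  owner={o.owner}")
```

The priority formula is deliberately crude (gap × risk ÷ effort); the point is that the ordering is explicit and reproducible, so the backlog can be defended to a board or an auditor rather than re-argued each quarter. Drop the same dataclass into a CSV export and you have the Target Profile evidence a gap assessment wants.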
Practical implementation path for SaaS
If you're an early-stage SaaS with no formal security programme, here's a 6-step path inspired by CSF Tier 2–3:
- Asset inventory (ID.AM): List your hardware, software, data flows, third parties. Spreadsheet is fine.
- Risk register (ID.RA): Top 10 risks. Each with likelihood, impact, owner, mitigation.
- Top 5 controls (PR): MFA everywhere, encryption at rest/in transit, backups tested, patching cadence, vendor reviews for top-3 vendors.
- Incident response (RS): Documented IR plan with on-call rotation and breach notification triggers. Tabletop quarterly.
- Detection (DE): SIEM or centralised logging with at least 8 critical alerts (failed logins, privilege escalation, new admin, outbound anomaly, etc.).
- Review cycle (GV): CISO (or accountable exec) reviews risk + controls + incidents quarterly. Updates programme based on what you learn.
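For step 5 (Detection), an added example of what three of those critical alerts look like as actual logic: a failed-login burst from one source, a new admin grant, and a user granting themselves a privileged role. This is not code from NIST or any SIEM vendor; the JSON-lines log schema, the field names, the five-failures-in-five-minutes threshold and the sample events are all constructed assumptions, so map them onto whatever your logging pipeline actually emits.

```python
"""Detection logic for three 'critical alerts': failed-login bursts, new admin
grants, and self-granted privilege escalation.

Added example; the log schema, field names, thresholds and sample events are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed JSON-lines schema (not real logs).
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:01Z","event":"login_failed","user":"alice","src":"203.0.113.9"}
{"ts":"2024-05-01T09:00:05Z","event":"login_failed","user":"bob","src":"203.0.113.9"}
{"ts":"2024-05-01T09:00:09Z","event":"login_failed","user":"carol","src":"203.0.113.9"}
{"ts":"2024-05-01T09:00:12Z","event":"login_failed","user":"dave","src":"203.0.113.9"}
{"ts":"2024-05-01T09:00:15Z","event":"login_failed","user":"erin","src":"203.0.113.9"}
{"ts":"2024-05-01T09:30:00Z","event":"login_ok","user":"alice","src":"198.51.100.4"}
{"ts":"2024-05-01T09:31:10Z","event":"role_granted","user":"alice","role":"admin","actor":"alice"}
{"ts":"2024-05-01T11:00:00Z","event":"login_failed","user":"frank","src":"198.51.100.7"}
{"ts":"2024-05-01T11:20:00Z","event":"login_failed","user":"frank","src":"198.51.100.7"}
{"ts":"2024-05-01T12:00:00Z","event":"role_granted","user":"grace","role":"admin","actor":"it-admin"}
"""

FAILED_LOGIN_THRESHOLD = 5                   # assumed: 5 failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)   # ... from one source within 5 min
ADMIN_ROLES = {"admin", "owner"}             # assumed names of privileged roles


def parse(text):
    """Yield one dict per line with 'ts' parsed to a timezone-aware datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        yield ev


def detect(text):
    """Run all rules over the log text; return (rule, detail) tuples in event order."""
    alerts = []
    failures = defaultdict(deque)   # src IP -> failure timestamps inside the window
    fired = set()                   # sources already alerted on, to avoid a flood
    for ev in parse(text):
        if ev["event"] == "login_failed":
            q = failures[ev["src"]]
            q.append(ev["ts"])
            # Sliding window: drop failures older than the window (newest is never dropped).
            while ev["ts"] - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD and ev["src"] not in fired:
                fired.add(ev["src"])
                alerts.append(("failed_login_burst",
                               f"{len(q)} failed logins from {ev['src']} within "
                               f"{int(FAILED_LOGIN_WINDOW.total_seconds())}s"))
        elif ev["event"] == "role_granted" and ev["role"] in ADMIN_ROLES:
            # Every admin grant is reviewed; a self-grant is a separate, louder alert.
            alerts.append(("new_admin",
                           f"{ev['actor']} granted {ev['role']} to {ev['user']}"))
            if ev["actor"] == ev["user"]:
                alerts.append(("self_privilege_escalation",
                               f"{ev['user']} granted themselves {ev['role']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Two things worth noticing: the burst rule keys on source, not user, so a password spray across five accounts still fires, while frank's two failures twenty minutes apart do not; and the new-admin rule is meant to fire on every grant, including the legitimate one by it-admin, because the control is "someone looks at each one", with the change ticket as the evidence an auditor will ask for.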
Hit all 6 and you're roughly at Tier 3 Repeatable, which is the level SOC 2 Type II readiness typically assumes. Evidence matters as much as the control: a Type II audit examines operation over a period, so keep the quarterly review minutes, tabletop write-ups and alert triage records from day one.
CSF 2.0 and regulatory alignment
| Regulation | CSF Functions Most Relevant | Alignment Notes |
|---|---|---|
| GDPR Art. 32 (TOMs) | PR, DE, RS | Technical & organisational measures; ability to detect/respond to breaches |
| NIS2 Art. 21 | GV, ID, PR, DE, RS | Required security measures map cleanly to CSF outcomes |
| DORA | All six | DORA's ICT risk-management framework (identification, protection and prevention, detection, response and recovery, Arts. 8–11) plus resilience testing map closely to CSF; its ICT third-party risk requirements land in GV.SC |
| HIPAA Security Rule | PR, DE, RS | Administrative, physical, technical safeguards align to CSF outcomes |
| FedRAMP | All six | Built on NIST SP 800-53; CSF is the umbrella view |
| EU AI Act Art. 9 | GV, ID | Risk management system for high-risk AI; CSF governance categories support |
When to use CSF vs pursue certification
| Scenario | Recommended Path |
|---|---|
| Pre-revenue / pre-customer | Use CSF to structure programme; defer certifications until needed for sales |
| Selling to US mid-market enterprises | SOC 2 Type II is typically required |
| Selling to EU enterprises / regulated industries | ISO 27001 certification is typically required; SOC 2 may also be needed |
| Selling to financial entities in EU | DORA compliance + ISO 27001 strongly recommended |
| Selling to healthcare in US | HIPAA + SOC 2; consider HITRUST for high-trust deals |
| Selling to US Federal | FedRAMP (cloud) or CMMC (DoD supply chain) |
| Internal organisation; no certification driver yet | CSF self-assessment + remediation plan |
Free NIST resources for SaaS founders
- CSF 2.0 Reference Tool — browse and build profiles online
- NIST Small Business Cybersecurity Corner — quick-start guides for small businesses
- CSF Quick-Start Guides — small business, supply chain, enterprise risk management
- Implementation examples by Subcategory — concrete examples of what "good" looks like
- NIST SP 800-53, 800-161 (supply chain), 800-218 (secure software development) — deeper control catalogues
Related generators
Build the programme: Information Security Policy, Incident Response Plan, BCP/DRP Plan, SOC 2 Gap Assessment, ISO 27001 Gap Assessment, Vulnerability Management Policy, Log Management & Monitoring Policy.
Related reading: SOC 2 Gap Analysis, ISO 27001 vs SOC 2, Penetration Testing Guide.
⚠️ This guide is for informational purposes only and does not constitute legal or security advice. NIST CSF 2.0 is a voluntary framework; specific compliance obligations depend on your regulatory context. Consult a qualified security professional for implementation tailored to your organisation.