NIST CSF 2.0 Mapping to Controls — From Govern to Recover

Published May 19, 2026 · By AxVeil Compliance · 15 min read

NIST released CSF 2.0 in February 2024 — the first major revision in seven years and the largest structural change since the framework launched. CSF 1.1 had five functions (Identify, Protect, Detect, Respond, Recover). CSF 2.0 adds a sixth, GOVERN, and the scope formally widens beyond US critical infrastructure to every organisation regardless of sector, size, or country. This guide walks the six functions, lists the high-leverage subcategories, and shows how to map CSF 2.0 to the certifications and regulations your audit committee already cares about.

The six functions, in one table

Function     | Plain-English goal                                   | Categories (2.0)
GOVERN (GV)  | Set strategy, roles, risk appetite, oversight        | OC, RM, RR, PO, OV, SC
IDENTIFY (ID)| Understand assets, dependencies, risks               | AM, RA, IM
PROTECT (PR) | Implement safeguards on the things you identified    | AA, AT, DS, PS, IR
DETECT (DE)  | Discover events when safeguards fail                 | CM, AE
RESPOND (RS) | Contain and analyse                                  | MA, AN, CO, MI, IM
RECOVER (RC) | Restore and learn                                    | RP, CO, IM

Each category contains numbered subcategories (e.g. GV.SC-03) that describe an outcome. Subcategories are the unit your control library should track. NIST publishes a baseline mapping to informative references (CIS Controls v8, ISO 27001:2022, NIST SP 800-53 Rev 5, COBIT, SP 800-221A) and it is freely downloadable from the NIST Cybersecurity Framework site.

GOVERN — the new sixth function

GOVERN folds in the topics that CSF 1.1 spread across Identify and Protect: organisational context, risk management strategy, roles and responsibilities, policy, oversight, and the supply chain programme. Putting them under one function forces the board-level cadence to actually exist.

Categories

  • GV.OC — Organisational Context. Mission, stakeholders, legal and regulatory obligations.
  • GV.RM — Risk Management Strategy. Risk appetite, tolerance, methodology, escalation thresholds.
  • GV.RR — Roles, Responsibilities, Authorities. Named accountable owners; cyber on the board agenda.
  • GV.PO — Policy. Policy lifecycle, versioning, review cadence.
  • GV.OV — Oversight. How leadership measures the programme: metrics, audits, attestations.
  • GV.SC — Cybersecurity Supply Chain Risk Management (C-SCRM). The big new emphasis area.

High-leverage subcategories

  • GV.RM-04 — Strategic direction is communicated and refined regularly. (Translation: cyber strategy survives CEO turnover.)
  • GV.RR-02 — Roles, responsibilities, and authorities related to cybersecurity risk are established and communicated. Pair with a RACI for major incident types.
  • GV.SC-03 — Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management. Maps to ISO 27001 A.5.19 and A.5.20.
  • GV.SC-07 — Risks posed by suppliers, products, and services are monitored over the relationship. SBOM ingestion and CVE-correlated alerts on every third-party component live here.
  • GV.OV-03 — Cybersecurity risk management performance is evaluated and reviewed for adjustments. The board reads numbers, not stories.

IDENTIFY through RECOVER — the operational five

IDENTIFY (ID)

  • ID.AM-01..08 — Asset Management. Hardware, software, services, data, external systems, suppliers — inventoried and classified.
  • ID.RA-01..10 — Risk Assessment. Threats, vulnerabilities, business impact, likelihood. Includes the explicit subcategory ID.RA-08 on processes for receiving and acting on vulnerability disclosures.
  • ID.IM-01..04 — Improvement. Lessons learned from incidents, exercises, and assessments feed back into the programme.

PROTECT (PR)

  • PR.AA — Identity Management, Authentication, Access Control. MFA, conditional access, least privilege, session management.
  • PR.AT — Awareness & Training. Role-based training, not just an annual click-through.
  • PR.DS — Data Security. Encryption at rest and in transit, key lifecycle, data classification, DLP.
  • PR.PS — Platform Security. Hardened baselines, secure configuration, patch programme.
  • PR.IR — Technology Infrastructure Resilience. Segmentation, redundancy, capacity planning.

DETECT (DE)

  • DE.CM — Continuous Monitoring. Endpoints, network, identities, cloud control plane.
  • DE.AE — Adverse Event Analysis. Triage, correlation, escalation. The bridge to RESPOND.

Pair DETECT with MITRE ATT&CK coverage tracking. CSF tells you to detect; ATT&CK tells you which techniques you can actually detect today.

RESPOND (RS)

  • RS.MA — Incident Management. Triage, declaration thresholds, war-room procedures.
  • RS.AN — Incident Analysis. Forensics, scope determination, evidence preservation.
  • RS.CO — Communications. Internal stakeholders, customers, regulators, law enforcement.
  • RS.MI — Mitigation. Containment, eradication. Aligns to NIST SP 800-61r3 phases.
  • RS.IM — Improvement. Post-incident review feeds the programme; track action items to closure.

RECOVER (RC)

  • RC.RP — Recovery Plan Execution. Restoration order, RTO, RPO, integrity validation.
  • RC.CO — Recovery Communications. Customer notices, status pages, regulator updates.
  • RC.IM — Improvement. Update playbooks based on the recovery experience.

Cross-framework mapping

CSF 2.0 | ISO 27001:2022 Annex A  | SOC 2 (TSC)  | PCI DSS v4  | DPDP Act 2023
GV.RM   | A.5.1, A.5.4            | CC1.x, CC3.x | 12.3        | Sec 8(4), Sec 25
GV.SC   | A.5.19, A.5.20          | CC9.2        | 12.8, 12.9  | Sec 8(7)
ID.AM   | A.5.9, A.8.1            | CC6.1        | 2.4, 9.x    | Sec 8(3)
PR.AA   | A.5.15, A.8.2, A.8.5    | CC6.1, CC6.2 | 7.x, 8.x    | Sec 8(5)(a)
PR.DS   | A.8.24, A.5.34          | CC6.7        | 3.x, 4.x    | Sec 8(5)(b)
DE.CM   | A.8.15, A.8.16          | CC7.2        | 10.x        | Sec 8(6)
RS.MA   | A.5.24, A.5.26          | CC7.3, CC7.4 | 12.10       | Sec 8(6)
RC.RP   | A.5.29, A.5.30          | A1.2         | 12.10.1     | Sec 8(8)

The full official crosswalks live at NIST's Informative References and update quarterly. Pull the CSV programmatically — do not hand-maintain the mapping in a spreadsheet.

Building Current and Target Profiles

A Profile is the artefact that turns CSF from a wallchart into a programme. The cleanest format is a spreadsheet (or, better, a database) keyed on subcategory, with the following columns:

subcategory_id   | GV.SC-03
function         | GOVERN
category         | Supply Chain Risk Management
outcome          | Cybersecurity supply chain risk management is integrated...
current_maturity | 2 (Risk Informed) — vendors scored at onboarding only
target_maturity  | 4 (Adaptive) — continuous attestation + SBOM correlation
gap_actions      | Deploy vendor TPRM platform Q3; ingest SBOMs Q4
owner            | CISO
evidence_artifacts | TPRM dashboard, vendor risk register, SBOM index
last_reviewed    | 2026-05-15
next_review      | 2026-08-15

Tier 1 (Partial) through Tier 4 (Adaptive) describe maturity of the programme as a whole; individual subcategories can run different tiers. Most mid-market organisations should target Tier 3 (Repeatable) across all subcategories before pushing any single area to Tier 4.

Implementation Tiers — picking the right one

CSF 2.0 keeps the four Implementation Tiers from 1.1 with sharper definitions. A Tier is the organisation's overall maturity in operating the programme - it does not measure whether you have implemented a specific control, only how rigorously you manage cyber risk as a discipline.

  • Tier 1 — Partial. Risk management is ad-hoc and reactive. Cybersecurity awareness exists but is not formalised. Most early-stage startups sit here.
  • Tier 2 — Risk Informed. Management has approved a risk management approach, but it is not organisation-wide. Communication with external partners is irregular.
  • Tier 3 — Repeatable. Risk management is policy-driven, regularly updated, and consistently communicated. Most mid-market organisations should target Tier 3 across all subcategories before chasing Tier 4.
  • Tier 4 — Adaptive. Continuous improvement, threat-informed defence, real-time feedback into the programme. Reserved for organisations with mature SOC operations and well-funded GOVERN cadence.

The honest answer is that a Tier 3 programme covers the regulatory and customer obligations of almost every organisation outside critical infrastructure. Chasing Tier 4 across the board is usually premature optimisation. Pick one or two GOVERN or DETECT subcategories where Tier 4 unlocks measurable business value (e.g. supply-chain assurance for a SaaS vendor selling into banks) and keep the rest at Tier 3 with documented rationale.

Putting it into your stack

CSF 2.0 implementation usually involves three deliverables that AxVeil scopes alongside compliance engagements: (1) a documented Current Profile baseline derived from interviews and evidence review; (2) a Target Profile signed off by the executive sponsor; and (3) a quarterly remediation tracker that closes the gap subcategory-by-subcategory. Pair the programme with quarterly VAPT to evidence DETECT and RESPOND outcomes, and an annual red team for the IDENTIFY-RA and DETECT-AE categories.

One operational tip we hand every customer on day one: do not own the framework crosswalks in a spreadsheet. The NIST quarterly updates to Informative References, the ISO 27001:2022 revisions, and your own internal control library all drift. Treat the mapping as data - store subcategories, controls, and mappings in a small relational schema (or even a Notion database with relations), generate the crosswalk views dynamically, and pull NIST's authoritative CSV at build time. Manual spreadsheet maintenance is the single biggest source of audit-finding embarrassment for CSF programmes that otherwise look healthy.
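A minimal version of the "mapping as data" approach, covering both the Profile record above and the relational schema just described. This is an added illustration, not AxVeil's or NIST's code: the subcategory ids, category-level control references and the GV.SC-03 profile row are taken from this article, the other two profile rows are constructed, and a real build step would replace the sample rows with rows parsed from NIST's CSV (whose column layout is not shown here).

```python
import sqlite3

SCHEMA = """
CREATE TABLE subcategory (id TEXT PRIMARY KEY, category TEXT NOT NULL, outcome TEXT);
CREATE TABLE mapping (category TEXT, framework TEXT, control_ref TEXT,
                      PRIMARY KEY (category, framework, control_ref));
CREATE TABLE profile (subcategory_id TEXT PRIMARY KEY REFERENCES subcategory(id),
                      current_tier INTEGER CHECK (current_tier BETWEEN 1 AND 4),
                      target_tier INTEGER CHECK (target_tier BETWEEN 1 AND 4),
                      owner TEXT, next_review TEXT);
"""
# Constructed sample rows (ids and control refs from the article; GV.RM-04/GV.SC-07 tiers made up).
SUBCATEGORIES = [
    ("GV.RM-04", "Strategic direction is communicated and refined regularly."),
    ("GV.SC-03", "C-SCRM is integrated into cybersecurity and enterprise risk management."),
    ("GV.SC-07", "Risks posed by suppliers, products, and services are monitored."),
]
MAPPINGS = [("GV.RM", "ISO 27001:2022", "A.5.1"), ("GV.RM", "ISO 27001:2022", "A.5.4"),
            ("GV.RM", "SOC 2", "CC1.x"), ("GV.RM", "SOC 2", "CC3.x"),
            ("GV.SC", "ISO 27001:2022", "A.5.19"), ("GV.SC", "ISO 27001:2022", "A.5.20"),
            ("GV.SC", "SOC 2", "CC9.2")]
PROFILE = [("GV.RM-04", 3, 3, "CISO", "2026-08-15"), ("GV.SC-03", 2, 4, "CISO", "2026-08-15"),
           ("GV.SC-07", 2, 3, "CISO", "2026-08-15")]

def build_db():
    """Create the in-memory schema and load the sample rows (swap in NIST's CSV for real use)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # The category (GV.SC) is derived from the subcategory id (GV.SC-03), never stored twice.
    conn.executemany("INSERT INTO subcategory VALUES (?, ?, ?)",
                     [(sid, sid.split("-")[0], outcome) for sid, outcome in SUBCATEGORIES])
    conn.executemany("INSERT INTO mapping VALUES (?, ?, ?)", MAPPINGS)
    conn.executemany("INSERT INTO profile VALUES (?, ?, ?, ?, ?)", PROFILE)
    return conn

def crosswalk(conn, framework):
    """Generate one framework's crosswalk view on demand: {subcategory_id: [control refs]}."""
    rows = conn.execute("SELECT s.id, m.control_ref FROM subcategory s "
                        "JOIN mapping m ON m.category = s.category "
                        "WHERE m.framework = ? ORDER BY s.id, m.control_ref", (framework,))
    view = {}
    for sid, ref in rows:
        view.setdefault(sid, []).append(ref)
    return view

def gap_report(conn):
    """Subcategories whose Target Profile tier exceeds the Current Profile tier, largest gap first."""
    return conn.execute("SELECT subcategory_id, target_tier - current_tier AS gap, owner, "
                        "next_review FROM profile WHERE target_tier > current_tier "
                        "ORDER BY gap DESC, subcategory_id").fetchall()
```

Re-running `build_db()` against a fresh NIST CSV regenerates every crosswalk view, so an ISO or NIST revision never leaves a stale hand-edited cell behind.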

For organisations that also need to satisfy Indian regulators, the GOVERN function aligns with the board-level cyber expectations in the SEBI CSCRF and the RBI Cyber Security Framework. The PROTECT and DETECT functions map naturally to the technical controls auditors evaluate during sectoral inspections, and RECOVER ties to the business-continuity obligations that the BFSI sector faces under multiple regulators. Use one underlying control library to evidence all of them; do not run parallel programmes per regulator.

FAQ

What is new in NIST CSF 2.0 compared to 1.1?

The biggest structural change is the new GOVERN function, which now sits alongside the original five. GOVERN consolidates risk management, supply chain, roles & responsibilities, and policy oversight into a single named function. CSF 2.0 also expands beyond critical infrastructure to all organisations, adds explicit guidance for small and mid-size organisations, and introduces Implementation Examples and Quick-Start Guides published as living web resources.

Do we still need ISO 27001 or SOC 2 if we adopt CSF 2.0?

CSF 2.0 is a framework, not a certification. It tells you what to do; ISO 27001 and SOC 2 are how external assessors prove you did it. The pragmatic pattern is to use CSF 2.0 as the internal organising map, then map each subcategory to ISO 27001 Annex A controls and SOC 2 Trust Service Criteria for the audit evidence. Most mature programmes run all three concurrently with one underlying control library.

What is a CSF 2.0 Profile and do we need one?

A Profile is the documented set of Outcomes a specific business unit, system, or organisation is committing to. Current Profile = where you are today. Target Profile = where you want to be in 12-24 months. The delta is your gap analysis. Yes, you need one; without it CSF is a wallchart, not a programme.

How does CSF 2.0 map to DPDP Act 2023 in India?

DPDP Act obligations align most strongly with GOVERN (data processor accountability), PROTECT (data security obligations), and RESPOND (72-hour personal data breach notification to the Data Protection Board). CSF 2.0 GV.RM (Risk Management Strategy) and GV.SC (Cybersecurity Supply Chain Risk Management) cover the residual obligations around Data Fiduciaries and Data Processors.

Can we self-attest to CSF 2.0 or do we need an auditor?

Self-attestation is allowed and common for internal programmes. For customer trust artefacts, board reports, or M&A due diligence, an independent assessment against your documented Target Profile carries more weight. NIST does not certify assessors, so look for firms with HITRUST, ISO 27001 lead auditor, or PCI QSA credentials.

Further reading

Plan your CSF 2.0 adoption with AxVeil.

Current/Target Profiles, control mapping, and quarterly remediation tracking.

Talk to us about scoping →