NIST CSF 2.0 Mapping

Align your security program to NIST Cybersecurity Framework 2.0 — six core functions, categories, and subcategories mapped in ComplyWise.

Updated March 2026 · 7 min read

What is NIST CSF?

The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risk. Version 2.0, released in 2024, added a sixth core function (Govern) and broadened applicability beyond critical infrastructure to all organizations. The framework is organized into Functions, Categories, and Subcategories that describe desired cybersecurity outcomes.

  • Developed by NIST, widely adopted across industries and government
  • Version 2.0 released February 2024 with new Govern function
  • Six core functions: Govern, Identify, Protect, Detect, Respond, Recover
  • Voluntary but referenced by many regulatory requirements (FedRAMP, CMMC, DFARS)

Core Functions in ComplyWise

ComplyWise includes 77 controls mapped to NIST CSF 2.0 subcategories across all six functions. Each control includes the CSF category and subcategory identifier, making it easy to see your coverage and gaps at the function level.

  • GV (Govern) — Organizational context, risk management strategy, supply chain risk management, roles & responsibilities
  • ID (Identify) — Asset management, risk assessment, improvement, business environment
  • PR (Protect) — Identity management, access control, awareness/training, data security, platform security
  • DE (Detect) — Continuous monitoring, adverse event analysis, anomaly detection
  • RS (Respond) — Incident management, analysis, reporting, mitigation, communication
  • RC (Recover) — Recovery planning, communication, improvements

Cross-Framework Alignment

NIST CSF is often used as the organizing framework for multi-compliance programs because it provides a comprehensive cybersecurity taxonomy. ComplyWise's UCF maps NIST CSF subcategories to corresponding controls in SOC 2, ISO 27001, HIPAA, CMMC, PCI DSS, and HITRUST. This means your NIST CSF posture automatically reflects your readiness across other frameworks.

  • PR.AC (Access Control) maps to SOC 2 CC6, ISO A.9, HIPAA §164.312(a)
  • DE.CM (Continuous Monitoring) maps to SOC 2 CC7, ISO A.12.4, HIPAA §164.312(b)
  • RS.MI (Mitigation) maps to SOC 2 CC7.4, ISO A.16, HIPAA §164.308(a)(6)
  • GV.SC (Supply Chain) maps to ISO A.15, SOC 2 CC9.2, NIST 800-171 SR

Using Tiers & Profiles

NIST CSF defines four implementation tiers (Partial, Risk Informed, Repeatable, Adaptive) that describe the rigor of an organization's cybersecurity risk management. Profiles describe the current state and target state of cybersecurity activities. ComplyWise's compliance score can be interpreted as your current profile, while a target score of 100% across all controls represents the Adaptive tier.

  • Tier 1 (Partial) — ad hoc, reactive cybersecurity practices
  • Tier 2 (Risk Informed) — risk awareness exists, but practices are not applied consistently across the organization
  • Tier 3 (Repeatable) — formal policies and practices consistently applied
  • Tier 4 (Adaptive) — continuous improvement, lessons learned integrated into practices

Gap Analysis & Roadmap

ComplyWise's NIST CSF gap analysis report shows your coverage by function, highlighting which categories and subcategories have passing controls and which need attention. The report includes a recommended remediation priority based on risk impact and implementation effort, helping you build a practical roadmap to improve your cybersecurity posture.

  • Function-level score breakdown (GV, ID, PR, DE, RS, RC)
  • Subcategory-level pass/fail status with evidence links
  • Priority remediation recommendations
  • Trend tracking over time for management reporting