NIST Cybersecurity Framework: a practical guide to CSF 2.0 for IT teams and MSPs

NIST CSF 2.0 is the cybersecurity framework that clients increasingly use to structure their security programs and to evaluate the security posture of the IT teams and MSPs they work with. NIST published it in February 2024 as the replacement for CSF 1.1, the most significant revision since the framework’s original 2014 release, and for any organization that built its security program against CSF 1.1, the changes matter operationally.

The headline change is the new sixth function, Govern. It sits alongside the original five (Identify, Protect, Detect, Respond, Recover) and addresses what CSF 1.1 left under-specified: who is accountable for cybersecurity decisions, how risk management is integrated into the broader business, and how supply chain risk is governed. CSF 2.0 also drops the original “critical infrastructure” framing and is now explicitly designed for organizations of any size and sector, which is a meaningful difference for smaller IT teams and MSP clients that previously had to translate critical infrastructure language to their own context.

This guide covers what CSF 2.0 requires in practice: the six functions and what each one actually means, how implementation tiers and profiles work, how the framework lines up with the other standards you may already be working with, and how MSPs can use CSF 2.0 as a structured way to deliver and evidence security advisory services. For the broader NIST family of guidance, including the SP 800 series and how it relates to CSF, see the companion post on what NIST compliance is and how to start.


What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a voluntary framework developed by the National Institute of Standards and Technology to help organizations manage cybersecurity risk. It organizes cybersecurity activities into functions, categories, and subcategories that give organizations a structured way to understand, assess, and improve their security posture without prescribing exactly how to get there.

The framework is intentionally technology-agnostic and outcome-focused. It describes what an organization should be able to do, not which tool to do it with. That flexibility is why CSF gets combined so often with more prescriptive standards. NIST SP 800-53 provides a detailed control catalog that CSF subcategories map to. CIS Controls v8.1 provides a prioritized implementation guide. ISO 27001 provides an auditable management system structure. CSF gives you the strategic frame, and the others fill in the implementation detail.

For US federal contractors, NIST alignment is moving from voluntary to mandatory. FISMA requires federal agencies to follow NIST guidance directly. CMMC Level 2 maps to NIST SP 800-171. Organizations pursuing federal contracts, or supplying companies that hold them, benefit from CSF alignment as the strategic foundation that other regulatory requirements then fit into.

What changed in CSF 2.0

Four updates in CSF 2.0 matter most for practitioners.

The first is the new Govern function. CSF 2.0 adds a sixth function focused on organizational context, risk management strategy, supply chain risk, roles and responsibilities, policy, and oversight. The function recognizes that cybersecurity governance (who makes decisions and who is accountable) is as load-bearing as the technical controls themselves. Organizations that have run CSF 1.1 programs without a documented governance layer will find this the most material gap to close.

The second is the explicit expansion of scope. CSF 1.1 was framed for critical infrastructure. CSF 2.0 is explicitly for all organizations. Small businesses, enterprises, government agencies, schools, hospitals, MSPs. The framework documentation now uses examples that reflect this broader audience rather than the energy/transport/water language of the original.

The third is the expanded supply chain risk management content. Supply chain attacks have become a dominant threat vector since CSF 1.1 was published in 2018, and CSF 2.0 substantially expands the guidance on assessing, managing, and contracting around third-party cybersecurity risk. For MSPs, who are themselves part of their clients’ supply chain, this section is required reading.

The fourth is the updated category and subcategory structure. CSF 1.1 had 5 functions, 23 categories, and 108 subcategories; CSF 2.0 has 6 functions, 22 categories, and 106 subcategories. Several categories were merged, split, or moved between functions (improvement planning, for example, now lives under Identify rather than being spread across Protect, Respond, and Recover), and the guidance reflects current practice areas like operational technology security and cloud security more explicitly than CSF 1.1 did. Organizations doing a refresh from a CSF 1.1 program should map their existing controls into the CSF 2.0 structure, using NIST’s published 1.1-to-2.0 crosswalk, rather than assuming a one-to-one carryover.

The six functions

The six functions in CSF 2.0 organize cybersecurity activities at the highest level. Each one decomposes into categories and then into subcategories that describe specific outcomes.

Govern (GV). The new function in CSF 2.0. Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy. Covers organizational context, risk management strategy, cybersecurity roles and responsibilities, policy, oversight, and supply chain risk management.

Identify (ID). Understand the organization’s cybersecurity risk to systems, people, assets, data, and capabilities. Asset management, risk assessment, and improvement planning live here.

Protect (PR). Use safeguards to manage the organization’s cybersecurity risks. Identity management, authentication, and access control; awareness and training; data security; platform security; and technology infrastructure resilience.

Detect (DE). Identify the occurrence of a cybersecurity event when it happens. Continuous monitoring and adverse event analysis.

Respond (RS). Take action when a cybersecurity incident is detected. Incident management, incident analysis, incident response reporting and communication, and incident mitigation. Note that post-incident lessons learned are not a Respond outcome in CSF 2.0: they live in the Improvement category under Identify (ID.IM), which is one of the structural moves a CSF 1.1 mapping has to account for.

Recover (RC). Restore capabilities or services impaired by a cybersecurity incident. Incident recovery plan execution and incident recovery communication.

The most common imbalance in real-world CSF programs is over-investment in Protect relative to Detect and Respond. Organizations buy a lot of preventive controls and comparatively little detection and response capability, then get surprised when the inevitable incident takes longer to detect and contain than it should. CSF 2.0 doesn’t prescribe a budget split, but a credible program shows roughly proportional maturity across the six functions, not a strong Protect score next to thin Detect and Respond capability.

Tiers and profiles

CSF 2.0 keeps the implementation tiers and profiles model that existed in CSF 1.1, with refined guidance on how to use both.

Implementation tiers describe the rigor and sophistication of an organization’s cybersecurity risk management practices across four levels: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), and Tier 4 (Adaptive). CSF 2.0 describes each tier along two dimensions, cybersecurity risk governance and cybersecurity risk management, so a tier statement is about how the organization governs and manages risk, not whether it has checked a list of boxes. Tiers are not compliance scores, and NIST does not require a higher tier to be the right target for every organization. Most SMBs will reasonably target Tier 2 or Tier 3 for the majority of their program rather than aiming at Tier 4 across the board.

Profiles are how an organization tailors CSF to its specific context. A Current Profile describes the cybersecurity outcomes the organization is achieving today. A Target Profile describes the outcomes the organization wants to achieve given its risk appetite, regulatory environment, and business objectives. The gap between the two is the improvement plan. For an MSP delivering security advisory services, building Current and Target Profiles for each client is one of the cleanest ways to evidence the work and structure a multi-year roadmap conversation.

Consider how this plays out in practice. A 120-user professional services client has CSF 2.0 in scope because their largest customer (a federal contractor) requires their vendors to demonstrate alignment. The MSP runs a Current Profile assessment and finds the client at roughly Tier 2 across Identify and Protect, Tier 1 across Detect and Respond, with no documented Govern function at all. The Target Profile, set against the client’s contractual obligations, is Tier 3 across Identify, Protect, Detect, Respond, Recover, and Tier 2 across Govern. The gap becomes a structured 18-month engagement: Govern foundation work in quarter one, Detect/Respond tooling and runbooks across quarters two and three, and continuous improvement across the rest of the program. CSF turns what would have been a vague “improve our security” engagement into a contracted scope with measurable progress milestones.
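The gap between a Current and a Target Profile is easy to describe in prose and easy to lose in a spreadsheet. The following is an added example, not code from the page or from any product it mentions, that scores the six functions 0 to 4 (0 meaning no documented practices, 1 to 4 the Implementation Tiers), computes the per-function gap, and turns it into a quarter-by-quarter roadmap. The sample profiles mirror the client described above; Recover’s current tier is not stated in the text and is assumed to be Tier 1. The tie-break order (Govern first, then Detect and Respond) and the one-tier-step-per-function-per-quarter pacing are assumptions made for illustration, not CSF guidance.

```python
"""Gap analysis between a CSF 2.0 Current Profile and Target Profile.

Added example, not from the page or from any Kaseya product. Tiers are scored
0-4 per function (0 = no documented practices, 1-4 = the CSF Implementation
Tiers). The scheduler's priority order and one-tier-step-per-quarter pacing are
assumptions made for illustration, not CSF guidance.
"""
from dataclasses import dataclass

FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")           # CSF 2.0 function IDs
TIERS = {0: "Not documented", 1: "Partial", 2: "Risk Informed",
         3: "Repeatable", 4: "Adaptive"}

# Assumed tie-break order: Govern is the foundation, then Detect and Respond
# (the argument above about risk reduction per unit of effort), then the rest.
PRIORITY = {f: i for i, f in enumerate(("GV", "DE", "RS", "RC", "ID", "PR"))}

# Constructed sample data mirroring the 120-user client above. Recover's
# current tier is not stated in the text; Tier 1 is an assumption.
CURRENT = {"GV": 0, "ID": 2, "PR": 2, "DE": 1, "RS": 1, "RC": 1}
TARGET = {"GV": 2, "ID": 3, "PR": 3, "DE": 3, "RS": 3, "RC": 3}


@dataclass(frozen=True)
class Gap:
    function: str
    current: int
    target: int

    @property
    def delta(self) -> int:
        """Tier steps still to climb; zero or negative means no work needed."""
        return self.target - self.current


def validate(profile: dict) -> None:
    """Reject profiles that miss a function or use an undefined tier value."""
    missing = set(FUNCTIONS) - set(profile)
    if missing:
        raise ValueError(f"profile lacks functions: {sorted(missing)}")
    bad = {f: t for f, t in profile.items() if t not in TIERS}
    if bad:
        raise ValueError(f"undefined tier values: {bad}")


def gap_report(current: dict, target: dict) -> list:
    """One Gap per function, in CSF function order."""
    validate(current)
    validate(target)
    return [Gap(f, current[f], target[f]) for f in FUNCTIONS]


def prioritize(gaps: list) -> list:
    """Open gaps ordered: Govern first, then largest delta, then PRIORITY rank."""
    open_gaps = [g for g in gaps if g.delta > 0]
    return sorted(open_gaps,
                  key=lambda g: (g.function != "GV", -g.delta, PRIORITY[g.function]))


def schedule(gaps: list, capacity: int = 2) -> dict:
    """Assign tier steps to quarters.

    Each quarter advances at most `capacity` functions by one tier, always
    taking the highest-priority remaining gaps first. Returns
    {quarter: [(function, from_tier, to_tier), ...]}.
    """
    if capacity < 1:
        raise ValueError("capacity must be at least 1")
    level = {g.function: g.current for g in gaps}
    goal = {g.function: g.target for g in gaps}
    plan = {}
    quarter = 0
    while any(level[f] < goal[f] for f in level):
        quarter += 1
        remaining = [Gap(f, level[f], goal[f]) for f in FUNCTIONS]
        steps = []
        for g in prioritize(remaining)[:capacity]:
            steps.append((g.function, level[g.function], level[g.function] + 1))
            level[g.function] += 1
        plan[quarter] = steps
    return plan


def render(plan: dict) -> str:
    """Human-readable roadmap, one line per quarter."""
    lines = []
    for q, steps in plan.items():
        moves = ", ".join(f"{f} {TIERS[a]} -> {TIERS[b]}" for f, a, b in steps)
        lines.append(f"Q{q}: {moves}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(schedule(gap_report(CURRENT, TARGET))))
```

With the sample data and two functions worked per quarter, the plan puts Govern and Detect in the first quarter, finishes Govern and starts Respond in the second, and reaches every target by the fifth quarter; with one function per quarter it takes ten. Changing `capacity` or `PRIORITY` is how you turn a client’s actual budget and risk appetite into a roadmap that can be contracted and tracked rather than a permanent gap report.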

How CSF 2.0 fits with other frameworks

CSF rarely lives alone. Most organizations using it are also working toward, or already meeting, other framework obligations. Understanding the overlap saves duplicated work.

NIST SP 800-53 is the detailed control catalog that CSF subcategories map back to. Organizations using CSF for strategic framing and SP 800-53 for implementation detail get complementary views of the same security program at different levels of specificity.

NIST SP 800-171 is the subset of SP 800-53 controls that apply to Controlled Unclassified Information held in non-federal systems. CMMC Level 2 is built on SP 800-171, so an organization aligning to CSF and SP 800-171 is also doing most of the work for CMMC certification.

CIS Controls v8.1 maps extensively to CSF functions and categories. An organization implementing CIS Controls Implementation Group 2 will find strong CSF alignment with relatively little additional effort.

ISO 27001 shares CSF’s risk-based and outcomes-focused approach. Many organizations run both, using CSF for strategic framing and ISO 27001 for the auditable management system. Certification doesn’t automatically equal CSF alignment, but the underlying controls are highly compatible.

Implementing NIST CSF 2.0 for MSPs and IT teams

The practical path through CSF 2.0 implementation breaks down into five stages.

Start with the Govern function. This is where CSF 1.1 programs most commonly need to add work, and it’s where CSF 2.0’s expectations are most explicit. Document who is accountable for cybersecurity, what the organization’s risk appetite is, how cybersecurity decisions get escalated, and how supply chain risk is managed. The Govern function is the foundation that the technical functions sit on. Programs that skip it tend to plateau at Tier 2.

Run a Current Profile assessment. Work through the categories and subcategories and document what cybersecurity outcomes are actually being achieved today. This is the most immediately valuable activity any organization can do, and the assessment itself often surfaces governance gaps and detection blind spots that nobody had flagged before. For MSPs, the Current Profile is the deliverable that frames every conversation that follows.

Set a defensible Target Profile. The Target Profile should reflect the organization’s regulatory environment, contractual obligations, and risk appetite, not an aspirational maximum. A Target Profile that aims at Tier 4 across all six functions without the budget to support it produces a permanent gap report rather than an executable roadmap.

Prioritize the highest-risk gaps. For most organizations, the biggest delta sits in Detect, Respond, and Govern rather than Protect. Continuous monitoring capability, documented incident response runbooks, and formal governance accountability deliver disproportionate risk reduction per unit of effort compared to additional preventive controls in an already-mature Protect function.

Use platform tooling to implement the technical subcategories. The Kaseya 365 platform maps directly to CSF implementation across most subcategories. Kaseya VSA 10 and Datto RMM cover asset management and patch management (Identify, Protect). Datto EDR covers endpoint detection and response (Detect, Respond). Datto BCDR covers recovery (Recover). BullPhish ID covers awareness training (Protect). Compliance Manager GRC handles governance, profile tracking, and evidence documentation (Govern). Compliance Manager GRC includes a NIST CSF 2.0 assessment workflow with Current and Target Profile tracking and pulls technical evidence from the other platform components automatically, which is the difference between running a CSF program on a spreadsheet and running it as an operational service.

The organizations that get the most out of CSF 2.0 aren’t the ones with the highest tier scores. They’re the ones that treat the framework as a structured way to have hard conversations. About who owns cybersecurity decisions, about where the program is genuinely weak rather than where it photographs well, about which controls earn their place and which ones got bought without a clear function. CSF 2.0 doesn’t tell you what to do. It tells you what you should be able to answer. The organizations that can answer cleanly are the ones whose clients, auditors, and insurers stop asking follow-up questions.

Key Takeaways

  • NIST CSF 2.0 added a sixth function, Govern, and expanded scope beyond critical infrastructure to all organizations. This is the most significant update to the framework since its 2014 release.
  • The six functions (Govern, Identify, Protect, Detect, Respond, Recover) provide a complete lifecycle view of cybersecurity risk management. Programs over-weighted on Protect at the expense of Detect and Respond are the most common imbalance.
  • CSF profiles (Current and Target) are the structured way to assess gaps and drive improvement planning. For MSPs, building profiles per client environment is a clean way to evidence and scope security advisory work.
  • CSF aligns closely with NIST SP 800-53, CIS Controls, ISO 27001, and CMMC via SP 800-171. A single control architecture should serve multiple frameworks without duplication.
