How to Comply with NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework (CSF) 2.0 provides a comprehensive set of guidelines for managing cybersecurity risk. Organized into six core functions — Govern, Identify, Protect, Detect, Respond, and Recover — it helps organizations of all sizes build and improve their cybersecurity posture.

Coverage: 100% | Controls required: 49 | Not applicable: 0

Why NIST CSF 2.0 Compliance Matters

The NIST Cybersecurity Framework 2.0 is widely adopted across industries as a voluntary risk management guide. While not a regulatory mandate for most private organizations, it is increasingly referenced in contracts, insurance questionnaires, and board-level reporting. Aligning with NIST CSF demonstrates a mature, risk-based approach to cybersecurity.

Compliance Checklist by Domain

The 49 controls below are mapped to NIST CSF 2.0 requirements. Work through each domain to build your compliance program.

Govern (6 controls)

| Control | NIST CSF 2.0 References | Also In |
|---|---|---|
| Governance Policy | GV.OC-01, GV.PO-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Risk Management | GV.RM-01, GV.RM-02 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Supply Chain Risk | GV.SC-01, GV.SC-03 | ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Roles & Responsibilities | GV.RR-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Compliance | GV.OC-02 | ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Vendor Risk Mgmt | GV.SC-01, GV.SC-03, GV.SC-06 | ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |

Identify (6 controls)

| Control | NIST CSF 2.0 References | Also In |
|---|---|---|
| Asset Management | ID.AM-01, ID.AM-02 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Risk Assessment | ID.RA-01, ID.RA-02 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Business Environment | ID.BE-01 | ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR |
| Data Classification | ID.AM-05 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Vulnerability Mgmt | ID.RA-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Threat Intelligence | DE.AE-07 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53 |

Protect (21 controls)

| Control | NIST CSF 2.0 References | Also In |
|---|---|---|
| Awareness & Training | PR.AT-01, PR.AT-02 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Access Control | PR.AA-01, PR.AA-03 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Multi-Factor Auth | PR.AA-03 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Encryption | PR.DS-01, PR.DS-02 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Data Protection | PR.DS-01, PR.DS-02, PR.DS-10 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Backup & Recovery | PR.DS-11 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Privileged Access | PR.AA-05 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Firewall / Net Seg | PR.IR-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Endpoint Protection | PR.IR-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Patch Management | PR.PS-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Secure Config | PR.PS-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Secure Development | PR.PS-06 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Email Security | PR.IR-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Web Security | PR.IR-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Zero Trust | PR.AA-01, PR.AA-03, PR.IR-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Mobile Security | PR.PS-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Cloud Security | PR.PS-01, PR.DS-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| DNS Security | PR.IR-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53 |
| WAF | PR.IR-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| DLP | PR.DS-10 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| API Security | PR.IR-01, PR.AA-03 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |

Detect (6 controls)

| Control | NIST CSF 2.0 References | Also In |
|---|---|---|
| Cont. Monitoring | DE.CM-01, DE.CM-03 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Logging & Audit | DE.AE-02, DE.AE-03 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Intrusion Detection | DE.CM-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Anomaly Detection | DE.AE-01, DE.AE-04 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| SIEM / SOC | DE.AE-02, DE.AE-06 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Insider Threat | DE.CM-03, DE.AE-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |

Respond (5 controls)

| Control | NIST CSF 2.0 References | Also In |
|---|---|---|
| Incident Response | RS.MA-01, RS.MA-02 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Forensics | RS.AN-03 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Communication | RS.CO-02, RS.CO-03 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Mitigation | RS.MI-01, RS.MI-02 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Reporting | RS.CO-02 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |

Recover (5 controls)

| Control | NIST CSF 2.0 References | Also In |
|---|---|---|
| Recovery Planning | RC.RP-01, RC.RP-02 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Business Continuity | RC.RP-03, RC.RP-04 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Lessons Learned | RC.RP-06 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Comms & Restore | RC.CO-03, RC.CO-04 | ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Disaster Recovery | RC.RP-01 | ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
