Six functions. Twenty-two categories. Over a hundred subcategories. CyberHeed maps your organisation across the entire NIST Cybersecurity Framework 2.0 - from current profile to target state.
The NIST Cybersecurity Framework (CSF), developed by the U.S. National Institute of Standards and Technology, provides a common language for understanding, managing, and communicating cybersecurity risk. Originally created for U.S. critical infrastructure, it has been adopted by organisations worldwide as the de facto framework for structuring cybersecurity programmes. NIST CSF 2.0, released in February 2024, expanded the framework with a new Govern function and improved guidance for all organisation sizes.
Executive Order 13636 directed federal agencies to use the framework. Critical infrastructure sectors - energy, healthcare, financial services, transportation - are expected to adopt it. Many U.S. state and local governments mandate it for their agencies and contractors.
Organisations worldwide adopt NIST CSF as their cybersecurity programme structure. It provides a vendor-neutral, technology-agnostic way to communicate security posture to boards, regulators, customers, and partners regardless of jurisdiction.
Financial services regulators, healthcare oversight bodies, and energy sector regulators frequently reference NIST CSF. In the U.S., the Federal Financial Institutions Examination Council (FFIEC) and HIPAA guidance both align with NIST CSF categories.
NIST CSF is voluntary and flexible. Organisations at any maturity level can use it to assess their current state, define a target state, and prioritise improvements. It does not prescribe specific controls - it provides the structure within which controls are organised.
NIST CSF consists of three main components that work together:
Framework Core - Six concurrent, continuous functions (Govern, Identify, Protect, Detect, Respond, Recover) broken into 22 categories and 106 subcategories. This is the taxonomy of cybersecurity activities. Each subcategory references informative standards (ISO 27001, COBIT, CIS Controls, etc.). GOVERN is the new function added in CSF 2.0; it was not present in CSF 1.1.
Profiles - A profile aligns the framework core with your organisation's requirements, risk tolerance, and resources. You create a "Current Profile" (where you are) and a "Target Profile" (where you need to be). The gap between them drives your roadmap.
Implementation Tiers - Four tiers describe the degree to which an organisation's cybersecurity risk management practices exhibit the characteristics of the framework, from Partial (Tier 1) to Adaptive (Tier 4). Tiers are not maturity levels - they describe risk management sophistication.
The six functions are not sequential steps - they are concurrent, continuous activities. NIST CSF 2.0 added the GOVERN function (new in the 2024 revision) to reflect the central role of governance in cybersecurity risk management. Together all six functions provide a strategic view of cybersecurity risk management across the full lifecycle.
Establish and monitor the organisation's cybersecurity risk management strategy, expectations, and policy. GOVERN is the new function added in CSF 2.0 and sits at the centre of the framework - it provides outcomes that inform and prioritise the other five functions.
Categories:
- Organisational Context (GV.OC)
- Risk Management Strategy (GV.RM)
- Roles and Responsibilities (GV.RR)
- Policy (GV.PO)
- Oversight (GV.OV)
- Cybersecurity Supply Chain Risk Management (GV.SC)
Develop an understanding of your organisation's environment to manage cybersecurity risk to systems, people, assets, data, and capabilities. You cannot protect what you do not know you have.
Categories:
- Asset Management (ID.AM) - Inventories of hardware, software, data, systems, services, and personnel
- Risk Assessment (ID.RA) - Threat and vulnerability identification, risk analysis and prioritisation
- Improvement (ID.IM) - Improvements to organisational cybersecurity risk management identified from evaluations, assessments, and lessons learned
Implement appropriate safeguards to manage the organisation's cybersecurity risks. Once assets and risks are identified and prioritised, PROTECT supports the ability to secure those assets and limit or contain the impact of a potential cybersecurity event.
Categories:
- Identity Management, Authentication, and Access Control (PR.AA) - Authentication, authorisation, and access permissions
- Awareness and Training (PR.AT) - Security awareness for all roles
- Data Security (PR.DS) - Data at rest, in transit, integrity, and disposal
- Platform Security (PR.PS) - Hardware, software, and services management including configuration and vulnerability management
- Technology Infrastructure Resilience (PR.IR) - Security architectures managing the organisation's cybersecurity resilience
Find and analyse possible cybersecurity attacks and compromises in a timely manner. Detection enables rapid response - the faster you detect, the less damage occurs.
Categories:
- Continuous Monitoring (DE.CM) - Assets, networks, computing platforms, services, and personnel are monitored to find anomalies, indicators of compromise, and other potentially adverse events
- Adverse Event Analysis (DE.AE) - Anomalies, indicators of compromise, and other potentially adverse events are analysed to characterise the events and detect cybersecurity incidents
Take action regarding a detected cybersecurity incident. Contain impact, communicate effectively, and conduct post-incident analysis.
Categories:
- Incident Management (RS.MA) - Incidents are managed from detection through analysis, containment, eradication, and recovery
- Incident Analysis (RS.AN) - Investigations are conducted to understand the nature of an incident, scope, and root cause
- Incident Response Reporting and Communication (RS.CO) - Response activities are coordinated with internal and external stakeholders
- Incident Mitigation (RS.MI) - Activities are performed to prevent expansion of an event and mitigate its effects
Restore assets and operations that were impaired due to a cybersecurity incident. Return to normal operations while capturing lessons learned.
Categories:
- Incident Recovery Plan Execution (RC.RP) - Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents
- Incident Recovery Communication (RC.CO) - Restoration activities are coordinated with internal and external parties
Implementation tiers describe how an organisation views cybersecurity risk and the processes in place to manage it. They are not maturity levels - an organisation at Tier 1 may be appropriate for its risk tolerance. The tiers help communicate sophistication of risk management to stakeholders.
Tier 1 - Partial: Risk management is ad hoc and reactive. Limited awareness of cybersecurity risk at the organisational level. No formalised processes for risk management collaboration.
Tier 2 - Risk Informed: Risk management practices exist but may not be established as policy. Some awareness of cybersecurity risk at the organisational level. Informal collaboration on risk.
Tier 3 - Repeatable: Risk management practices are formally approved and expressed as policy. Organisation-wide approach to managing cybersecurity risk. Regularly updated based on changes.
Tier 4 - Adaptive: Risk management practices adapt based on lessons learned and predictive indicators. Real-time continuous improvement. Organisation actively shares information with partners.
CyberHeed maps your organisation across all six functions, builds your Current Profile, helps define your Target Profile, and tracks remediation of every gap.
SmartPrep guides your team through structured conversations covering each function and its categories. AI captures your current capabilities across Govern, Identify, Protect, Detect, Respond, and Recover. Your Current Profile emerges from what your team actually does - not what you hope they do.
Define your Target Profile based on business requirements, risk tolerance, and regulatory obligations. The gap between current and target becomes your prioritised roadmap.
Upload evidence for each subcategory. AI validates whether your documentation and controls genuinely demonstrate the capability described in your Target Profile. Policies, procedures, technical configurations, training records, and incident reports - all mapped to NIST CSF subcategories automatically.
AutoMatch reads your existing documentation and maps it to the framework. Documents already created for ISO 27001, Essential Eight, or other frameworks are cross-referenced automatically.
NIST CSF is inherently continuous. CyberHeed tracks your profile across all functions over time. As you implement controls, your profile evolves. When new threats emerge or business requirements change, your Target Profile is updated and new gaps are surfaced.
Board reports, regulatory submissions, and customer security questionnaires are generated from your live profile - always current, always evidenced.
Six functions. Current state to target state. AI-guided assessment with continuous monitoring.