---
id: framework:nist-csf-20
type: framework
title: NIST Cybersecurity Framework 2.0
status: active
confidence: 0.9
sources:
  - 2026-05-09-cybersec-library-overview.md
  - 2026-05-09-cybersec-mapping-nist-csf.md
  - 2026-05-09-cybersec-mapping-nist-csf-alignment.md
created: 2026-05-09
updated: 2026-05-09
updated_log:
  - 2026-05-09: created
tiers: semantic
half_life_days: 180
tags: [framework, nist-csf, governance, posture]
---

# NIST Cybersecurity Framework 2.0

## Summary

[NIST CSF 2.0](https://www.nist.gov/cyberframework) (published February 2024) organizes cybersecurity activities into **6 core functions** that span the full lifecycle of managing cybersecurity risk: **Govern, Identify, Protect, Detect, Respond, Recover**. CSF 2.0 added the *Govern* function to the original five and expanded scope from critical infrastructure to all organizations. It answers the organizational-posture question — "where in our cybersecurity program does this skill apply?" The [[concept:cybersec-skill-library]] aligns each skill to one or more of CSF's 22 categories and 106 subcategories, using the `nist_csf` frontmatter field for direct compliance mapping.

## Claims

- NIST CSF 2.0 was published February 2024; it added the new **Govern (GV)** function and expanded scope from critical infrastructure to all organizations. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.9}`
- The 6 core functions are Govern (GV), Identify (ID), Protect (PR), Detect (DE), Respond (RS), Recover (RC). The framework has 22 categories total; the library's mappings reference 106 subcategories. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.9}`
- Library skill distribution by function (approximate): Govern ~54, Identify ~115, Protect ~160, Detect ~102, Respond ~111, Recover ~29. Protect and Detect are the deepest-covered functions; Recover is the shallowest. `[src: raw/2026-05-09-cybersec-mapping-nist-csf.md] {conf: 0.85}`
- Each CSF category maps to specific library subdomains. Examples: GV.SC (Supply Chain) → devsecops + container-security; PR.AA (Identity, Auth, Access Control) → identity-access-management + zero-trust-architecture (46 skills); DE.CM (Continuous Monitoring) → soc-operations + threat-hunting + network-security (101 skills); RS.AN (Incident Analysis) → digital-forensics + malware-analysis + threat-intelligence (111 skills). `[src: raw/2026-05-09-cybersec-mapping-nist-csf.md] {conf: 0.85}`
- Each library subdomain has a documented primary CSF function and category list with rationale (e.g. cryptography → Protect (PR), PR.DS, "Data confidentiality and integrity at rest and in transit"). 24 subdomains are individually aligned. `[src: raw/2026-05-09-cybersec-mapping-nist-csf-alignment.md] {conf: 0.9}`
- Identified library coverage gaps: GV.OC (Organizational Context, only 5 skills), GV.PO (Policy, low), PR.AT (Awareness/Training beyond phishing, moderate), and RC.RP/RC.CO (recovery and recovery-communication). `[src: raw/2026-05-09-cybersec-mapping-nist-csf-alignment.md] {conf: 0.8}`
- AI agents can query skills by CSF function via subdomain filters (e.g. Detect = `subdomain IN (threat-hunting, soc-operations, malware-analysis)`) — making CSF the most natural compliance-driven discovery axis. `[src: raw/2026-05-09-cybersec-mapping-nist-csf.md] {conf: 0.7}`

## Relationships

- complements → [[framework:mitre-attack]] `{conf: 0.8}`
- complements → [[framework:nist-ai-rmf]] `{conf: 0.7}`
- maps-to → [[concept:cybersec-skill-library]] `{conf: 0.9}`

## Open questions

- [ ] The full set of 106 CSF 2.0 reference subcategories isn't enumerated in our raw sources; only categories are listed in the alignment doc.

## Changelog

- 2026-05-09 — created
