US-FED · NIST · CSF 2.0 (2024)

NIST CSF 2.0 — Govern is the new front door.

Six Functions, twenty-two Categories, an Implementation Tier per Function. CSF 2.0 finally treats governance as cybersecurity. Cybereen runs your current Organisational Profile, your Target Profile, and the gap between them.

Start your CSF profile → See the six functions
At a glance
Owner · NIST (US Dept of Commerce)
Version · CSF 2.0 (Feb 2024)
Structure · 6 Functions · 22 Categories · 106 Subcategories
Tiers · 1 Partial · 2 Risk-Informed · 3 Repeatable · 4 Adaptive
Cybereen status · Live coverage
WHAT IT IS

An outcomes framework — not a control list.

The NIST Cybersecurity Framework is a voluntary, outcome-based framework first published in 2014, revised as 1.1 in 2018 and updated to 2.0 in February 2024. Where ISO 27001 Annex A lists controls and SOC 2 sets criteria, CSF describes outcomes; you bring the controls that get you there.

The 2.0 revision did three things that matter. It added a sixth function — Govern — pulling supply chain, roles, strategy and oversight to the front. It made the framework explicitly universal (no longer just for critical infrastructure). And it leaned into Organisational Profiles — a current-state and target-state snapshot you can show your board in one document.

You assess against four Implementation Tiers: Partial, Risk-Informed, Repeatable, Adaptive. NIST is explicit that Tiers are not maturity levels; they characterise how risk-informed, consistent and well-governed your practices are, and NIST frames them as a description of an Organisational Profile's risk governance and risk management practices rather than a per-Subcategory grade. Regulated mid-market orgs commonly target Tier 3 (Repeatable); critical infrastructure pushes for Tier 4.

The honest version: CSF's flexibility is its strength and its trap. Without a tool, "outcomes-based" becomes "no one knows the score". Cybereen pins each subcategory to specific evidence in your stack — outcomes stay outcomes, but they're measurable.
IMPLEMENTATION TIERS

Four tiers. Pick where your risk appetite lands.

Tiers describe the rigour of your cyber risk management — not how many controls you have. Higher tier means more risk-informed decisions and tighter feedback loops.

TIER 1

Partial.

Risk practices ad-hoc, awareness limited, supply chain not assessed. Common starting point for small orgs without dedicated cyber leadership.

  • Reactive, case-by-case
  • No formal risk strategy
  • Suits very small / new orgs
TIER 2

Risk-Informed.

Risk is considered, but not consistently. Cyber is on leadership's radar but not yet embedded in business decisions.

  • Cyber strategy drafted
  • Some categories covered well
  • Inconsistent across teams
TIER 3

Repeatable.

Risk management practices are formally approved and expressed as policy, applied organisation-wide and updated regularly as business and threat changes require. Supply chain risks are considered and acted on. The common target for regulated mid-market orgs.

  • Policy-backed, organisation-wide
  • Practices reviewed and updated on a cycle
  • Supplier risk assessed and acted on
TIER 4

Adaptive.

Cyber risk practices continuously improve from lessons learned and predictive indicators. Appropriate for critical infrastructure and high-target orgs; not a default target for everyone.

  • Predictive threat modelling
  • Real-time risk integration
  • SOC 24/7 expected
THE SIX FUNCTIONS

Six functions. Govern wraps the other five.

The CSF Core is a hierarchy: 6 Functions → 22 Categories → ~106 Subcategories. Govern is the new function in 2.0 and the one auditors and boards open first.

GV
Govern New in 2.0

Organisational context, risk management strategy, roles and responsibilities, policy, oversight, supply chain risk management. The "who-decides" layer.

6 categories
ID
Identify

Asset management, risk assessment, improvement. Business environment and supplier risk moved to Govern in 2.0.

3 categories
PR
Protect

Identity and access control, awareness and training, data security, platform security (including secure development), technology infrastructure resilience.

5 categories
DE
Detect

Continuous monitoring and adverse-event analysis. The 1.1 Detection Processes category does not survive as a separate Category in 2.0.

2 categories
RS
Respond

Incident management, analysis, reporting and communication, mitigation.

4 categories
RC
Recover

Incident recovery plan execution, recovery communication. Lessons learned sit under Identify's Improvement category in 2.0.

2 categories
Policy · template + signature workflow
Evidence · collected per Subcategory, dated, tier-rated
Cross-walked to ISO 27001, SOC 2, and Essential Eight
Organisational Profile · current

Where you are today.

Snapshot of your tier per Category, with the evidence underpinning each. The "you're here" diagram for the board pack.

Organisational Profile · target

Where you're going.

Risk-informed target state, by Subcategory. Cybereen tracks the gap — turning a CSF "outcome" into a backlog item with an owner and a date.

INSIDE CYBEREEN

Profile in. Profile out. Living document.

The Organisational Profile isn't a one-time PDF — it's how you talk about cyber to your board, your insurer, and your largest customer. Cybereen keeps it current automatically.

  • Current & Target Profile — side-by-side, per Subcategory, gap quantified.
  • Tier scoring — automatic Tier 1–4 derivation from your evidence stream.
  • Govern dashboard — the new function gets first-class treatment: strategy, roles, oversight, supply chain.
  • Board pack export — one page per Function, current vs target, top three gaps.
  • Cross-framework reuse — your CSF Subcategories map to ISO Annex A, SOC 2 TSCs, Essential Eight mitigations.
[Screenshot: app.cybereen.com / standards / nist-csf / profile. Cybereen NIST CSF Organisational Profile, current vs target, tier by Function.]
COMMON MISTAKES

Three places CSF programmes drift.

Outcomes-based frameworks are flexible — and that flexibility is where most teams trip.

Mistake 01

Treating tiers as a score to hit.

Tier 4 isn't a target for every org — it's appropriate for high-target ones. Aiming for Tier 4 across the board burns budget on adaptive practices for risks you don't carry. Tiers should map to risk appetite, not vanity.

Fix: Set tier targets per Function. Govern Tier 3, Recover Tier 2 is fine.
Mistake 02

Skipping Govern because "we have ISO".

Govern overlaps with ISO 27001 clauses 4 to 6 (context, leadership, planning) but is broader: supply chain risk management (GV.SC) and oversight (GV.OV) have no single clause-level equivalent, and ISO's supplier controls sit in Annex A rather than the management-system clauses. Reusing ISO evidence is right; assuming Govern is "covered" is wrong.

Fix: Map ISO clause coverage to GV Categories, gap-fill the rest.
Mistake 03

Profile as a one-time exercise.

The Organisational Profile is the live picture of your cyber posture — not a slide your CISO drew in March. If the only time anyone touches it is your annual board update, it's a relic by week six.

Fix: Cybereen rebuilds the Profile nightly from your evidence stream.
NIST CSF 2.0 FAQ

Questions before you adopt 2.0.

The framework changed enough between 1.1 and 2.0 to matter.

Is CSF mandatory for AU organisations?
No. CSF is a voluntary framework; US federal agencies are directed to use it under Executive Order 13800, but no AU regulator mandates it. AU adoption is driven by partner and customer expectations: US-headquartered customers, insurers, and federal contracts increasingly cite CSF as the assessment yardstick. If you sell into US enterprise or fed-adjacent markets, CSF maturity questions arrive eventually.
We're on CSF 1.1 — what changes in 2.0?
Three big changes. (1) New Govern Function — strategy, roles, supply chain pulled into a dedicated function. (2) Scope is any organisation, not just critical infrastructure. (3) Stronger emphasis on Organisational Profiles as living artefacts, not one-off assessments. Cybereen ships a migration view that shows 1.1 → 2.0 mappings and the new Subcategories.
How does CSF relate to ISO 27001 and Essential Eight?
CSF is the strategy framework; ISO and E8 are the controls frameworks. CSF answers "what outcomes are we aiming for"; ISO Annex A and E8 mitigations answer "what controls get us there". They compose. Cybereen ships cross-walks for both, built on NIST's published Informative References where NIST provides them, so a single evidence point can satisfy a CSF Subcategory, an Annex A control, and an E8 mitigation simultaneously.
Can we certify against CSF?
No. NIST does not certify against CSF and does not authorise third parties to do so. What customers and insurers want is a self-assessment, ideally backed by an attestation from an auditor reviewing your Profile and evidence. Cybereen produces both — the Profile as an artefact, and an evidence pack your assessor signs.
How do we set tier targets?
Tiers should be set per Function, informed by your risk register and customer commitments. A SaaS handling PII at scale might target Govern T3, Identify T3, Protect T3, Detect T3, Respond T2, Recover T2. A bank-adjacent fintech will push Protect and Detect to T4. Cybereen ships sector defaults you can take or tune.
Does Cybereen replace our SIEM / EDR / risk-management tool?
No. The operational tools you already run stay where they are. Cybereen sits above them — recording outcomes per Subcategory, calculating tier, producing the Profile. Direct integrations to those tools are on the roadmap; today evidence is uploaded or attested. The audit trail is what makes the Profile defensible.

Your CSF Profile in 90 minutes — for real.

Answer a structured set of questions per Function. Cybereen builds your current Profile, asks for the evidence behind each Subcategory, and shows the gap to your target. Free trial, no card.

Start free trial → Book a 20-minute walk-through
Other standards on Cybereen →