NIST CSF 2.0: Using the Framework to Measure and Improve Security Maturity

How to use NIST CSF 2.0 as a practical tool for measuring, communicating, and improving your organization's security maturity.

Most security frameworks tell you what to do. NIST CSF tells you how well you're doing it.

That distinction matters more than you'd think. SOC 2 gives you a pass/fail audit report. ISO 27001 hands you a certificate. But neither one tells you where you stand on a continuum of maturity — or gives you a clear, repeatable way to measure improvement over time.

The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, is a different animal. It's not a compliance checkbox. It's a maturity model. A measuring stick. A way to answer the question every CISO eventually gets from the board: "How secure are we, really?"

If you've been comparing frameworks and aren't sure where NIST CSF fits in the landscape, our compliance framework comparison breaks down SOC 2, ISO 27001, HIPAA, PCI DSS, and NIST CSF side by side. This post goes deeper on CSF 2.0 specifically — how to use it as a practical tool for measuring, communicating, and improving your security program.

🔄 What Changed in CSF 2.0

The original NIST CSF (version 1.1) targeted critical infrastructure. Solid, but it had rough edges. CSF 2.0 addresses those head-on:

  • The Govern function: The headline change. A sixth core function that wraps around the other five, elevating cybersecurity governance from implicit assumption to explicit requirement.
  • Expanded scope: No longer just for critical infrastructure. Designed for organizations of all sizes, sectors, and maturity levels.
  • Better implementation guidance: More detailed examples, quick-start guides for small businesses, and a reorganized reference tool for cross-standard mapping.
  • Supply chain emphasis: Dedicated subcategories under Govern formalize supply chain risk management that used to be scattered across Identify and Protect.
  • Refined profiles and tiers: "Profiles" (current vs. target state) and "tiers" (maturity levels) are more actionable and less abstract.

The net result: CSF 2.0 is a day-to-day security management tool — not a reference document you download once and shelve.

🏛️ The 6 Functions Explained

CSF 2.0 is organized around six core functions. Think of them as the lifecycle of cybersecurity — from governance through recovery. Each function breaks down into categories and subcategories that get progressively more specific.

Govern (GV) — NEW in 2.0

Govern sits at the center of the framework, informing and connecting the other five functions. It's about organizational context, risk strategy, roles, and accountability.

  • Organizational context: Mission, stakeholder expectations, legal and regulatory requirements
  • Risk management strategy: Risk appetite, tolerance, and priorities
  • Roles, responsibilities, and policy: Who is accountable, and what policies reflect the risk strategy
  • Oversight: Board and executive-level governance of cybersecurity risk
  • Supply chain risk management: Integrating third-party risk into the governance model

Before CSF 2.0, governance was sort of assumed. Now it's explicit — giving security leaders a powerful tool for anchoring cybersecurity conversations in business terms.

Identify (ID)

You can't protect what you don't know about. Identify is about building a comprehensive understanding of your organization's assets, risks, and business context.

  • Asset management: Hardware, software, data, systems, people, facilities — know what you have
  • Risk assessment: Identify, analyze, and prioritize cybersecurity risks
  • Improvement: Use assessments, lessons learned, and operational data to continually refine your understanding of risk

Protect (PR)

Protect covers the safeguards that keep things secure during normal operations.

  • Identity management and access control: Authentication, authorization, least privilege
  • Awareness and training: Your people know how to operate securely
  • Data security: Encryption, classification, integrity protections
  • Platform security and resilience: Securing infrastructure and building in redundancy

Detect (DE)

Bad things will happen. Detect is about finding them quickly.

  • Continuous monitoring: Ongoing surveillance of networks, systems, and environments
  • Adverse event analysis: Identifying and correlating anomalies and potential incidents

This is where your SIEM, EDR, and monitoring tools live. The faster you detect, the less damage accumulates.

Respond (RS)

Detection without response is just expensive observation.

  • Incident management: Executing response plans, triaging, coordinating
  • Incident analysis: Scope, root cause, and impact
  • Reporting and communication: Keeping stakeholders informed
  • Mitigation: Containing and eliminating the threat

Recover (RC)

Getting back to normal — and getting better.

  • Recovery plan execution: Restoring systems and services per prioritized plans
  • Recovery communication: Coordinating with stakeholders during restoration

Recover feeds back into Govern and Identify — lessons learned should inform your risk strategy going forward. It's a cycle, not a checklist.

📏 Maturity Scoring: How to Assess Where You Are

One of CSF's most powerful features is its tier model for measuring organizational maturity. CSF 2.0 defines four tiers that describe increasing levels of rigor and sophistication:

Tier 1: Partial

Ad hoc and reactive. No formalized processes. You're putting out fires — decisions happen case by case.

Tier 2: Risk Informed

Management-approved practices, but not organization-wide. Policies exist but aren't consistently implemented. Some teams are more mature than others.

Tier 3: Repeatable

Formally approved, policy-driven, and organization-wide. Consistent methods for responding to changes in risk. Regular updates based on lessons learned. This is where most mature organizations land.

Tier 4: Adaptive

Continuous improvement driven by data and predictive indicators. Cybersecurity risk management is fully integrated into organizational culture. You're not just responding to risk — you're anticipating it.

Important nuance: You don't need to be Tier 4 everywhere. Set a target tier per function based on your risk appetite and business context. A small SaaS company might target Tier 3 broadly and Tier 4 in Detect. A regulated financial institution might aim for Tier 4 in Govern and Respond.

🔍 Building a Gap Analysis with CSF 2.0

The framework practically hands you a gap analysis template:

  1. Create your Current Profile. Assess your current tier for each function, category, and subcategory. Be honest — inflating scores defeats the purpose.
  2. Define your Target Profile. Set target tiers based on risk appetite, regulatory requirements, and business objectives.
  3. Identify the gaps. Current minus target equals your gap analysis. This is your investment map.
  4. Prioritize. Rank gaps by risk impact, regulatory pressure, effort to close, and dependencies.
  5. Build your roadmap. Turn prioritized gaps into a sequenced plan with owners, timelines, and milestones.
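The five steps above, carried through in code as an added example (not code from the post or from episki): a Current Profile and a Target Profile scored per subcategory, rolled up into the per-function averages a radar chart plots, with open gaps ranked by risk impact and effort into a roadmap. The subcategory identifiers follow the CSF 2.0 `FN.CA-NN` naming pattern; the tier values, risk-impact and effort ratings are constructed sample data, not a real assessment.

```python
"""Gap analysis over a CSF 2.0 Current Profile and Target Profile.

Added example, not code from the post or from episki. Subcategory ids follow
the CSF 2.0 "FN.CA-NN" pattern; tier values, risk impact and effort ratings
are constructed sample data, not a real assessment.
"""
from collections import defaultdict
from dataclasses import dataclass

# The four implementation tiers defined by the framework.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")


@dataclass(frozen=True)
class Assessment:
    """One row of the profile: a subcategory scored at a current and a target tier."""
    subcategory: str   # e.g. "DE.CM-01"
    current: int       # tier in the Current Profile
    target: int        # tier in the Target Profile
    risk_impact: int   # 1 (low) .. 5 (high): business impact if the gap stays open
    effort: int        # 1 (small) .. 5 (large): effort to close the gap

    def __post_init__(self) -> None:
        # Reject scores outside the tier scale and ids that do not name a function.
        if self.current not in TIERS or self.target not in TIERS:
            raise ValueError(f"{self.subcategory}: tiers must be 1-4")
        if self.function not in FUNCTIONS:
            raise ValueError(f"{self.subcategory}: unknown function prefix")

    @property
    def function(self) -> str:
        return self.subcategory.split(".", 1)[0]

    @property
    def gap(self) -> int:
        # A subcategory already at or above its target contributes no gap.
        return max(self.target - self.current, 0)


def function_scores(assessments):
    """Average current and target tier per function: the two lines of the radar chart."""
    current = defaultdict(list)
    target = defaultdict(list)
    for a in assessments:
        current[a.function].append(a.current)
        target[a.function].append(a.target)
    return {
        fn: (round(sum(current[fn]) / len(current[fn]), 1),
             round(sum(target[fn]) / len(target[fn]), 1))
        for fn in FUNCTIONS if fn in current
    }


def prioritize(assessments):
    """Open gaps ranked for the roadmap: largest gap x risk impact first,
    then lowest effort, then identifier so the order is stable."""
    open_gaps = [a for a in assessments if a.gap > 0]
    return sorted(open_gaps, key=lambda a: (-(a.gap * a.risk_impact), a.effort, a.subcategory))


def roadmap_lines(assessments):
    """Human-readable roadmap rows, one per prioritized gap."""
    return [
        f"{a.subcategory}: {TIERS[a.current]} -> {TIERS[a.target]} "
        f"(gap {a.gap}, impact {a.risk_impact}, effort {a.effort})"
        for a in prioritize(assessments)
    ]


# Constructed sample profile: two subcategories per function.
SAMPLE_PROFILE = [
    Assessment("GV.OC-01", 2, 3, 4, 2),
    Assessment("GV.RM-01", 2, 3, 4, 3),
    Assessment("ID.AM-01", 3, 3, 3, 2),
    Assessment("ID.RA-01", 2, 3, 4, 3),
    Assessment("PR.AA-01", 3, 3, 5, 2),
    Assessment("PR.DS-01", 2, 3, 4, 3),
    Assessment("DE.CM-01", 1, 3, 5, 4),
    Assessment("DE.AE-02", 2, 3, 4, 3),
    Assessment("RS.MA-01", 2, 3, 4, 2),
    Assessment("RS.CO-02", 2, 2, 3, 1),
    Assessment("RC.RP-01", 1, 3, 5, 3),
    Assessment("RC.CO-03", 2, 2, 2, 1),
]

if __name__ == "__main__":
    for fn, (cur, tgt) in function_scores(SAMPLE_PROFILE).items():
        print(f"{fn}: {cur} -> {tgt}")
    print()
    for line in roadmap_lines(SAMPLE_PROFILE):
        print(line)
```

Scoring per subcategory and averaging up is what turns 1-to-4 tier labels into the fractional function scores (2.1, 1.8) a board deck shows; the ranking key is deliberately simple so that the weighting can be argued about in the open rather than hidden in a spreadsheet formula.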

This is where a tool like episki's NIST CSF framework mapping shines. Rather than building profiles in a spreadsheet, you can map controls to CSF subcategories, visually identify coverage gaps, and track maturity improvements over time — all in one place.

📊 Communicating Maturity to the Board

Here's where NIST CSF earns its keep as a communication tool. Boards and executives don't want to hear about 108 subcategories. They want answers to three questions:

  1. Where are we? (current state)
  2. Where should we be? (target state)
  3. Are we getting better? (trend)

Visual Scoring

A radar chart showing maturity across the six functions is worth a thousand words. Current state on one line, target on another. The gap is immediately visible:

  • Govern: 2.1 → 3.0 | Identify: 2.8 → 3.0 | Protect: 2.5 → 3.0
  • Detect: 1.8 → 3.0 | Respond: 2.2 → 2.5 | Recover: 1.9 → 2.5

Even a non-technical board member can see that Detect and Recover are the biggest gaps. No jargon needed.

Trend Over Time

Show the same chart quarterly. When the board sees the current-state line moving toward the target, you've turned "are we secure?" into a visible, measurable trajectory.

If you're already tracking GRC metrics that executives care about — control coverage, evidence freshness, remediation time — CSF maturity scores add a strategic layer on top. Operational metrics tell you what's happening. Maturity scores tell you what it means.

Risk-Based Narrative

Pair the visual with a narrative that connects gaps to business risk:

"Our Detect function is at Tier 1.8, below our target of 3.0. We're relying on reactive detection rather than continuous monitoring. A breach could go undetected for weeks rather than hours. We're investing in SIEM deployment this quarter to close this gap."

That's a conversation an executive can engage with. Compare it to "we need to implement subcategory DE.CM-01 through DE.CM-09" — technically accurate and completely useless in a boardroom.

🗺️ CSF as a Unifying Framework

Here's one of the most underappreciated aspects of NIST CSF: it maps to practically everything. NIST provides official crosswalks to SP 800-53, ISO 27001:2022, and CIS Controls v8. The community has built mappings to SOC 2, HIPAA, PCI DSS, CMMC, and more.

If you're managing multiple frameworks — and most growing companies eventually are — NIST CSF can serve as your internal backbone. Run your security program against CSF, then map CSF to whatever external frameworks your auditors and customers require.

For teams doing more security work with fewer resources, this is a massive efficiency play. Implement a control once, map it to the CSF subcategory, and let that mapping flow through to SOC 2, ISO 27001, or whatever else you need.
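The "implement once, map to CSF, flow through" idea from the two paragraphs above, as an added example (not code from the post or from episki): each internal control is mapped once to CSF 2.0 subcategories, a crosswalk carries those subcategories to external-framework requirements, and a few set operations answer which external requirements are satisfied, which are still open, and which CSF subcategories no control maps to at all. The CSF subcategory ids follow the CSF 2.0 naming pattern; the external requirement ids are constructed placeholders, not real SOC 2 criteria or ISO 27001 control numbers, and the `CROSSWALK` table would be replaced by NIST's published crosswalk or your auditor's mapping.

```python
"""Control -> CSF 2.0 subcategory -> external framework flow-through.

Added example, not code from the post or from episki. CSF subcategory ids follow
the CSF 2.0 naming pattern; external requirement ids are constructed placeholders
(not real SOC 2 criteria or ISO 27001 control numbers). Replace CROSSWALK with
NIST's published crosswalk or your auditor's mapping.
"""
from collections import defaultdict

# Internal controls, each mapped once to the CSF 2.0 subcategories it implements (constructed).
CONTROLS = {
    "CTL-001": {"PR.AA-01", "PR.AA-03"},   # identity lifecycle and MFA
    "CTL-002": {"DE.CM-01", "DE.AE-02"},   # central log collection and alerting
    "CTL-003": {"RC.RP-01"},               # tested restore procedures
}

# Crosswalk: CSF subcategory -> external framework -> requirement ids (placeholders).
CROSSWALK = {
    "PR.AA-01": {"SOC 2": {"SOC2-ACCESS-A"}, "ISO 27001": {"ISO-IDENTITY-A"}},
    "PR.AA-03": {"SOC 2": {"SOC2-ACCESS-B"}, "ISO 27001": {"ISO-AUTH-A"}},
    "DE.CM-01": {"SOC 2": {"SOC2-MONITOR-A"}, "ISO 27001": {"ISO-LOGGING-A", "ISO-MONITOR-A"}},
    "DE.AE-02": {"SOC 2": {"SOC2-MONITOR-B"}},
    "RC.RP-01": {"SOC 2": {"SOC2-RECOVERY-A"}, "ISO 27001": {"ISO-BACKUP-A"}},
    "RS.CO-02": {"SOC 2": {"SOC2-INCIDENT-COMMS"}, "ISO 27001": {"ISO-INCIDENT-A"}},
}


def satisfied_subcategories(controls, implemented):
    """CSF subcategories covered by the controls that are actually in place."""
    covered = set()
    for control_id in implemented:
        covered |= controls[control_id]
    return covered


def external_coverage(subcategories, crosswalk):
    """Flow CSF coverage through the crosswalk: framework -> satisfied requirement ids."""
    covered = defaultdict(set)
    for sub in subcategories:
        for framework, reqs in crosswalk.get(sub, {}).items():
            covered[framework] |= reqs
    return dict(covered)


def external_gaps(crosswalk, covered):
    """Requirements present in the crosswalk that no implemented control reaches."""
    all_reqs = defaultdict(set)
    for mapping in crosswalk.values():
        for framework, reqs in mapping.items():
            all_reqs[framework] |= reqs
    return {fw: reqs - covered.get(fw, set()) for fw, reqs in all_reqs.items()}


def unmapped_subcategories(controls, crosswalk):
    """Subcategories the crosswalk expects but no control (implemented or not) maps to:
    a hole in the control set itself, not just in implementation status."""
    mapped = set().union(*controls.values())
    return set(crosswalk) - mapped


def credit_for(control_id, controls, crosswalk):
    """Every external requirement one control earns credit for: build once, credit everywhere."""
    return external_coverage(controls[control_id], crosswalk)


if __name__ == "__main__":
    implemented = {"CTL-001", "CTL-002"}   # CTL-003 is defined but not yet in place
    covered = external_coverage(satisfied_subcategories(CONTROLS, implemented), CROSSWALK)
    for framework, reqs in covered.items():
        print(f"{framework}: satisfied {sorted(reqs)}")
    for framework, reqs in external_gaps(CROSSWALK, covered).items():
        print(f"{framework}: open {sorted(reqs)}")
    print("CSF subcategories with no control:", sorted(unmapped_subcategories(CONTROLS, CROSSWALK)))
    print("CTL-002 earns:", credit_for("CTL-002", CONTROLS, CROSSWALK))
```

Keeping implementation status separate from the mapping is the useful part: `unmapped_subcategories` flags a design gap (nothing covers RS.CO-02) while `external_gaps` flags an execution gap (CTL-003 exists but is not implemented, so the recovery requirements stay open), and the two call for different remediation owners.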

episki is built around this principle. Map a control to a NIST CSF subcategory and the platform shows which requirements across your other frameworks that control also satisfies. Build once, get credit everywhere.

📝 Key Takeaways

Let's bring it together:

  • CSF 2.0 is a maturity model, not a compliance checklist. Use it to measure where you are, define where you want to be, and track improvement.
  • The new Govern function makes cybersecurity governance explicit. It's the hook for board-level conversations and organizational accountability.
  • The six functions (Govern, Identify, Protect, Detect, Respond, Recover) form a complete lifecycle — from strategy through recovery and back again.
  • The tier model (Partial → Risk Informed → Repeatable → Adaptive) gives you a common language for maturity that works across teams and up to the board.
  • Gap analysis is built in. Current profile minus target profile equals your roadmap. Prioritize by risk, effort, and dependencies.
  • It's a communication tool. Radar charts, trend lines, and risk-based narratives turn abstract security concepts into boardroom-ready conversations.
  • It unifies your frameworks. Use CSF as the backbone, map to external frameworks for audits and customer requirements. Build once, satisfy many.
  • You don't need to be Tier 4 everywhere. Set targets that match your risk appetite and business context. Perfect is the enemy of good enough.

Whether you're just starting your security program or managing five frameworks simultaneously, CSF 2.0 gives you a structure for knowing where you stand and where to invest next. That's not compliance theater. That's actual security improvement.

Ready to map your controls to NIST CSF and track maturity over time? episki comes with pre-built CSF 2.0 templates, visual maturity scoring, and cross-framework mapping — so you spend less time building spreadsheets and more time closing gaps.