Framework guide

What Is the NIST Cybersecurity Framework 2.0

A widely adopted reference for managing cybersecurity risk, published by the National Institute of Standards and Technology of the United States.

Who Is NIST

NIST (National Institute of Standards and Technology) is an agency of the United States Department of Commerce, founded in 1901. It develops standards, guidelines, and best practices used worldwide for technology, security, and innovation.

The Cybersecurity Framework (CSF) was first published in February 2014, in response to a 2013 U.S. Executive Order (EO 13636), to help organizations manage cyber risk in a structured manner. Version 2.0, released in February 2024, is the most significant update since its inception.

Today, the NIST CSF is used by thousands of organizations worldwide, including private companies, public entities, and critical infrastructure operators, and is one of the most widely used references for cybersecurity risk management. It is a voluntary framework, not a formal international standard or a certification scheme.

Why It Matters for Your Organization

Cyberattacks are constantly increasing and affect businesses of every size. Ransomware, phishing, data breaches, and operational disruptions can cause severe financial damage and compromise your organization’s reputation.

The NIST CSF 2.0 provides a practical and structured approach to:

  • Understand your current level of cyber risk
  • Identify gaps in your organization’s security posture
  • Define evidence-based priorities for action
  • Communicate cybersecurity status to management and stakeholders
  • Map your program to regulations such as the NIS2 Directive and GDPR, and to standards such as ISO/IEC 27001 (alignment with the CSF supports, but does not by itself demonstrate, compliance with them)

The 6 Framework Functions

The NIST CSF 2.0 organizes cybersecurity into 6 core functions, covering the entire risk management lifecycle.

GV

GOVERN

Defines the organization’s cybersecurity strategy: policies, roles, responsibilities, supply chain risk management, and executive-level oversight. This function was introduced in version 2.0 and represents the security governance layer.

ID

IDENTIFY

Establishes an understanding of the organization’s assets (hardware, software, data, people, services), its suppliers, and the cyber risks to them. Covers asset inventory, risk assessment (including vulnerability identification and business impact analysis), and improvement of the risk management process itself.

PR

PROTECT

Implements security safeguards: access control, staff training, data protection, technology platform security, and infrastructure resilience.

DE

DETECT

Ensures continuous monitoring of assets and infrastructure to find anomalies, indicators of compromise, and potential breaches. Includes detection systems, log analysis, and correlation of security events to decide which ones are real incidents.

RS

RESPOND

Defines incident response procedures: management, analysis, containment, internal and external communication, and impact mitigation. An effective response plan drastically reduces the damage from an attack.

RC

RECOVER

Covers the restoration of operations and services after a security incident: executing the recovery part of the incident response plan, restoring from backups, verifying integrity of restored assets, communicating with stakeholders, and formally declaring the end of recovery. Lessons learned from the incident feed back into the Improvement category under IDENTIFY.

22 Categories, 106 Subcategories

Each function is divided into categories, and each category into subcategories. Subcategories are outcome statements (what should be true), not prescriptive controls (how to achieve it), so an organization chooses its own controls to reach each outcome. Our assessment covers all 106 subcategories of the framework, enabling a complete and detailed evaluation of your organization’s cyber maturity.

GOVERN (6 categories)

  • Organizational context (GV.OC)
  • Risk management strategy (GV.RM)
  • Roles, responsibilities, and authorities (GV.RR)
  • Policy (GV.PO)
  • Oversight (GV.OV)
  • Cybersecurity supply chain risk management (GV.SC)

IDENTIFY (3 categories)

  • Asset management (ID.AM)
  • Risk assessment (ID.RA)
  • Improvement (ID.IM)

PROTECT (5 categories)

  • Identity management, authentication, and access control (PR.AA)
  • Awareness and training (PR.AT)
  • Data security (PR.DS)
  • Platform security (PR.PS)
  • Technology infrastructure resilience (PR.IR)

DETECT (2 categories)

  • Continuous monitoring (DE.CM)
  • Adverse event analysis (DE.AE)

RESPOND (4 categories)

  • Incident management (RS.MA)
  • Incident analysis (RS.AN)
  • Incident response reporting and communication (RS.CO)
  • Incident mitigation (RS.MI)

RECOVER (2 categories)

  • Incident recovery plan execution (RC.RP)
  • Incident recovery communication (RC.CO)

What Changed in Version 2.0

Version 2.0, published by NIST in February 2024, introduces significant changes:

GV

New GOVERN Function

Introduces cybersecurity governance as a standalone function: strategy, policy, roles, oversight, and supply chain risk management become explicit outcomes that organizational leadership is accountable for.

Universal Applicability

Version 1.x was titled the “Framework for Improving Critical Infrastructure Cybersecurity”; version 2.0 drops that scope and is designed for organizations of every type, size, and sector.

Supply Chain

Greater emphasis on managing cyber risk across the entire supply chain, consolidated in the Cybersecurity Supply Chain Risk Management category (GV.SC) under GOVERN.

Continuous Improvement

A dedicated Improvement category (ID.IM) covers evaluations, exercises and tests, and lessons learned from incidents, so that security posture is reassessed and improved over time rather than evaluated once.

How Our Assessment Works

Our online tool allows you to evaluate for free the cyber maturity level of your organization against all 106 subcategories of the NIST CSF 2.0.

1

Answer the Questions

For each subcategory, indicate whether it is fully implemented, partially implemented, or not implemented.

2

Get Your Score

Instantly receive an overall score and a score for each NIST function, with an interpretation of the results. Scores reflect your self-reported answers; they are a starting point for a gap analysis, not audited evidence.

3

Identify Priorities

Discover the most critical areas and receive guidance on improvement actions to take.
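The three steps above (answer per subcategory, aggregate per function and overall, rank the weakest areas) can be expressed as a small scoring routine. The block below is an added example, not the assessment tool’s own code: the weights 1.0 / 0.5 / 0.0 for fully, partially and not implemented, the tie-breaking rule for priorities, and the sample answers are all assumptions. The category and subcategory identifiers follow NIST’s CSF 2.0 naming (e.g. PR.AA-03), and unanswered functions are reported as “no data” rather than as a misleading 0%.

```python
"""Added example (not part of the original page or its tool): a minimal scorer
for a NIST CSF 2.0 self-assessment keyed by subcategory identifier."""
from collections import defaultdict

# The 22 CSF 2.0 categories grouped by function (identifiers are NIST's).
CATEGORIES = {
    "GV": ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"],
    "ID": ["ID.AM", "ID.RA", "ID.IM"],
    "PR": ["PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR"],
    "DE": ["DE.CM", "DE.AE"],
    "RS": ["RS.MA", "RS.AN", "RS.CO", "RS.MI"],
    "RC": ["RC.RP", "RC.CO"],
}
CATEGORY_TO_FUNCTION = {c: f for f, cats in CATEGORIES.items() for c in cats}

# Assumed weights for the three answer states used by the assessment.
WEIGHTS = {"full": 1.0, "partial": 0.5, "none": 0.0}


def _pct(points, count):
    """Percentage of achievable points, or None when nothing was answered."""
    return round(100.0 * points / count, 1) if count else None


def score_assessment(answers):
    """answers: {subcategory_id: 'full' | 'partial' | 'none'}.
    Returns (overall_pct, per_function_pct, per_category_pct)."""
    cat_points, cat_count = defaultdict(float), defaultdict(int)
    for sub_id, state in answers.items():
        cat = sub_id.rsplit("-", 1)[0]            # "PR.AA-03" -> "PR.AA"
        if cat not in CATEGORY_TO_FUNCTION:
            raise ValueError(f"unknown CSF 2.0 category in {sub_id!r}")
        if state not in WEIGHTS:
            raise ValueError(f"unknown answer state {state!r} for {sub_id}")
        cat_points[cat] += WEIGHTS[state]
        cat_count[cat] += 1

    per_category = {c: _pct(cat_points[c], cat_count[c]) for c in cat_count}
    per_function = {}
    for func, cats in CATEGORIES.items():
        pts = sum(cat_points.get(c, 0.0) for c in cats)
        cnt = sum(cat_count.get(c, 0) for c in cats)
        per_function[func] = _pct(pts, cnt)       # None: no answers yet
    overall = _pct(sum(cat_points.values()), sum(cat_count.values()))
    return overall, per_function, per_category


def priorities(per_category, limit=3):
    """Lowest-scoring answered categories first; ties broken by identifier."""
    ranked = sorted(per_category.items(), key=lambda kv: (kv[1], kv[0]))
    return [cat for cat, _ in ranked[:limit]]


def unanswered_categories(per_category):
    """Categories with no answers at all: gaps in the assessment itself."""
    return sorted(c for c in CATEGORY_TO_FUNCTION if c not in per_category)


# Constructed sample answers (a partial assessment, for illustration only).
SAMPLE_ANSWERS = {
    "GV.OC-01": "full", "GV.RM-01": "partial", "GV.SC-01": "none",
    "ID.AM-01": "full", "ID.AM-02": "partial",
    "PR.AA-01": "full", "PR.AA-03": "none", "PR.DS-01": "partial",
    "DE.CM-01": "none", "DE.AE-02": "none",
    "RS.MA-01": "partial",
    "RC.RP-01": "full",
}

if __name__ == "__main__":
    overall, by_func, by_cat = score_assessment(SAMPLE_ANSWERS)
    print("overall:", overall)                  # 50.0
    for func, pct in by_func.items():
        print(f"{func}: {'no data' if pct is None else pct}")
    print("priorities:", priorities(by_cat))    # ['DE.AE', 'DE.CM', 'GV.SC']
    print("not yet assessed:", unanswered_categories(by_cat))
```

Two design points matter more than the arithmetic. First, an unanswered function is reported as None, not 0%, so a half-finished questionnaire cannot masquerade as a failing result. Second, unknown identifiers raise instead of being silently dropped, which keeps the denominator honest when answers are imported from a spreadsheet or an earlier CSF 1.1 assessment whose identifiers differ.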

Assess Your Organization’s Cybersecurity

Free, immediate, and based on the NIST CSF 2.0.

Start the Assessment