Lesson 1.8

1.8: NIST CSF Crosswalk

NIST Cybersecurity Framework 2.0 (released February 2024) is the vocabulary auditors, consultants, regulators, and board members reach for when they talk about security programs. It organizes security into six functions: Govern, Identify, Protect, Detect, Respond, Recover.

You don’t need to run your program on NIST. You do need to be able to translate your program into NIST for ten minutes when someone asks. Think of it as a second language you can read fluently and speak passably — not the language you think in.

The six functions, in plain terms

  • Govern — the policies, responsibilities, and management oversight that make a program a program and not a pile of controls. New in CSF 2.0 as a top-level function; in CSF 1.1 it was only a category inside Identify (ID.GV, Governance).
  • Identify — knowing what you have. Inventories of people, assets, data, risks.
  • Protect — the controls that prevent bad things. Access management, encryption, training, patching.
  • Detect — noticing when something is wrong. Monitoring, logging, anomaly detection.
  • Respond — what you do about it. IR process, containment, communication.
  • Recover — getting back to normal. Restoration, post-incident learning.

Pillar → function crosswalk

Pillar      Govern           Identify         Protect          Detect           Respond          Recover
People      ✓ (policies)     ✓ (inventory)    ✓ (access)
Devices     ✓                ✓ (inventory)    ✓                ✓ (EDR)          ✓                ✓
Data        ✓                ✓ (inventory)    ✓ (encryption)   ✓ (DLP)                           ✓ (backup)
Systems     ✓                ✓                ✓                ✓ (logging)      ✓                ✓
Vendors     ✓ (contracts)    ✓                ✓
Incidents   ✓                                                  ✓ (playbooks)    ✓ (IR process)   ✓ (post-incident learning)

A label in parentheses names the headline control for that cell; a bare ✓ marks a cell the pillar covers without one single representative control.

Read a row to see which NIST functions a pillar touches. Read a column to see which pillars contribute to a function. The asymmetry — Devices and Systems touching everything, Vendors almost nothing under Detect/Respond/Recover — maps to how you’ll actually experience the program: most operational security work happens at the Devices/Systems layer, while Vendors is mostly upstream (Govern, Identify, Protect).

How to use this

When an auditor asks about your Detect capability, you talk about EDR (Devices), DLP (Data), logging/monitoring (Systems), and your incident detection playbooks (Incidents). When a board member asks about Govern maturity, you talk about policy coverage across all six pillars, because every pillar has a Govern cell. When a consultant does a gap assessment against NIST CSF, this table is your map between their findings (phrased by function) and your mental model (organized by pillar).

You don’t need to love NIST. You need to be able to speak it for ten minutes when an auditor asks. This page is your phrasebook.