NIST Cybersecurity Framework 2.0
Crosswalk to NIST CSF 2.0 · 25 categories · Updated April 2026.
The NIST Cybersecurity Framework 2.0 is the U.S. federal reference for managing cybersecurity risk, organized around six functions — GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER — and 22 categories. SecurityStack extends this structure to the Cyber Defense Matrix 2.0 by adding an ANTICIPATE function and four new asset rows.
About NIST CSF 2.0
NIST CSF 2.0 was published in February 2024 and represents the first major revision to the framework since 2014. The headline change from 1.1 is the addition of GOVERN as a first-class function, elevating policy and risk-management disciplines that were previously embedded within IDENTIFY and PROTECT.
SecurityStack uses NIST CSF 2.0 as the methodology backbone. Every compliance crosswalk on this site maps third-party framework controls (CMMC, ISO 27001, SOC 2, CIS) back to NIST CSF 2.0 categories. The full crosswalk table below shows the mapping density by category.
Primary audience: Any U.S. organization building a risk-based security program. CSF 2.0 is the default reference in federal contracting, state regulation, and enterprise procurement questionnaires.
NIST CSF 2.0 structure
25 categories in total: the 22 NIST CSF 2.0 categories across the six core functions, plus the three ANTICIPATE categories that SecurityStack adds. See the Cyber Defense Matrix 2.0 methodology for the rationale.
ANTICIPATE 3 categories
| Category ID | Category name | Subcategories |
|---|---|---|
| AN.ASM | Attack Surface Management | 0 |
| AN.TE | Threat Exposure | 0 |
| AN.TI | Threat Intelligence | 0 |
DETECT 2 categories
| Category ID | Category name | Subcategories |
|---|---|---|
| DE.AE | Adverse Event Analysis | 8 |
| DE.CM | Continuous Monitoring | 9 |
GOVERN 6 categories
| Category ID | Category name | Subcategories |
|---|---|---|
| GV.OC | Organizational Context | 6 |
| GV.OV | Oversight | 3 |
| GV.PO | Policy | 2 |
| GV.RM | Risk Management Strategy | 7 |
| GV.RR | Roles, Responsibilities & Authorities | 4 |
| GV.SC | Cybersecurity Supply Chain Risk Management | 10 |
IDENTIFY 3 categories
| Category ID | Category name | Subcategories |
|---|---|---|
| ID.AM | Asset Management | 9 |
| ID.IM | Improvement | 4 |
| ID.RA | Risk Assessment | 6 |
PROTECT 5 categories
| Category ID | Category name | Subcategories |
|---|---|---|
| PR.AA | Identity Management, Authentication, and Access Control | 6 |
| PR.AT | Awareness and Training | 2 |
| PR.DS | Data Security | 12 |
| PR.IR | Technology Infrastructure Resilience | 4 |
| PR.PS | Platform Security | 6 |
RECOVER 2 categories
| Category ID | Category name | Subcategories |
|---|---|---|
| RC.CO | Incident Recovery Communication | 4 |
| RC.RP | Incident Recovery Plan Execution | 6 |
RESPOND 4 categories
| Category ID | Category name | Subcategories |
|---|---|---|
| RS.AN | Incident Analysis | 3 |
| RS.CO | Incident Response Reporting and Communication | 3 |
| RS.MA | Incident Management | 5 |
| RS.MI | Incident Mitigation | 2 |
Frequently asked questions
What changed between NIST CSF 1.1 and 2.0?
The biggest change is the addition of GOVERN as a sixth function. GOVERN elevates policy, risk management, supply chain, and oversight activities that were previously split across IDENTIFY and PROTECT. CSF 2.0 also restructures subcategories for clarity and adds Implementation Examples and Informative References as separate resources rather than embedding them in the framework core.
Is NIST CSF 2.0 a compliance mandate?
No — it is a voluntary framework. But it is the de facto reference for federal contracting (baseline for CMMC, FedRAMP), state regulation (New York DFS, California), and commercial procurement. If a third party asks 'are you NIST CSF aligned,' they expect you to speak its vocabulary.
What is the ANTICIPATE function and is it part of NIST CSF?
No, ANTICIPATE is a SecurityStack extension and is NOT part of NIST CSF 2.0. It covers threat intelligence (AN.TI), attack surface management (AN.ASM), and threat exposure (AN.TE) — disciplines that operate upstream of IDENTIFY. See the Cyber Defense Matrix 2.0 page for the full extension rationale.
How does SecurityStack use NIST CSF 2.0?
Every cell in the 7×9 Cyber Defense Matrix is backed by NIST CSF category references. Your assessment generates coverage percentages per function (the six NIST functions plus ANTICIPATE) and per asset row. Reports cite NIST CSF subcategories directly so findings carry forward into any audit conversation.