This index lists all 28 controls in the NIST CSF 2.0 framework organized by function. Each control page includes an implementation checklist and audit evidence requirements to help your organization achieve and maintain compliance.
About NIST CSF 2.0
NIST CSF 2.0 provides a structured approach to managing cybersecurity risk. It organizes cybersecurity outcomes into six core functions: Govern, Identify, Protect, Detect, Respond and Recover. Each function contains categories and subcategories that define specific security outcomes organizations should achieve.
The framework is published by the National Institute of Standards and Technology (NIST) and is widely adopted across industries for cybersecurity risk management and regulatory compliance.
All Controls
GV: Govern
Establish and monitor the organization's cybersecurity risk management strategy, expectations and policy.
| Control ID | Title | Category |
|---|---|---|
| GV.OC-01 | Organizational Context | Organizational Context |
| GV.OC-02 | Internal Stakeholders | Organizational Context |
| GV.RM-01 | Risk Management Objectives | Risk Management Strategy |
| GV.RM-02 | Risk Appetite Statements | Risk Management Strategy |
| GV.SC-01 | Supply Chain Risk Management | Supply Chain Risk Management |
ID: Identify
Understand the organization's current cybersecurity risks by identifying assets, vulnerabilities and threats.
| Control ID | Title | Category |
|---|---|---|
| ID.AM-01 | Hardware Asset Inventory | Asset Management |
| ID.AM-02 | Software Asset Inventory | Asset Management |
| ID.AM-07 | Data Asset Inventory | Asset Management |
| ID.RA-01 | Vulnerability Identification | Risk Assessment |
| ID.RA-02 | Threat Intelligence | Risk Assessment |
PR: Protect
Use safeguards to prevent or reduce cybersecurity risk to acceptable levels.
| Control ID | Title | Category |
|---|---|---|
| PR.AA-01 | Identity Management | Identity Management, Authentication and Access Control |
| PR.AA-03 | Multi-Factor Authentication | Identity Management, Authentication and Access Control |
| PR.AA-05 | Access Permissions and Authorizations | Identity Management, Authentication and Access Control |
| PR.DS-01 | Data-at-Rest Protection | Data Security |
| PR.DS-02 | Data-in-Transit Protection | Data Security |
| PR.PS-01 | Configuration Management | Platform Security |
DE: Detect
Find and analyze possible cybersecurity attacks and compromises in a timely manner.
| Control ID | Title | Category |
|---|---|---|
| DE.CM-01 | Network Monitoring | Continuous Monitoring |
| DE.CM-03 | Personnel Activity Monitoring | Continuous Monitoring |
| DE.CM-06 | External Service Provider Monitoring | Continuous Monitoring |
| DE.AE-02 | Adverse Event Analysis | Adverse Event Analysis |
| DE.AE-06 | Incident Declaration | Adverse Event Analysis |
RS: Respond
Take action regarding a detected cybersecurity incident to contain and mitigate its impact.
| Control ID | Title | Category |
|---|---|---|
| RS.MA-01 | Incident Management Plan Execution | Incident Management |
| RS.MA-03 | Incident Categorization and Prioritization | Incident Management |
| RS.CO-02 | Incident Reporting | Incident Response Reporting and Communication |
| RS.MI-01 | Incident Containment | Incident Mitigation |
RC: Recover
Restore assets and operations affected by a cybersecurity incident to normal operation.
| Control ID | Title | Category |
|---|---|---|
| RC.RP-01 | Recovery Plan Execution | Incident Recovery Plan Execution |
| RC.RP-04 | Recovery Verification | Incident Recovery Plan Execution |
| RC.CO-03 | Recovery Communication | Recovery Communication |
Need Help With NIST CSF 2.0 Compliance?
Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.