6 functions
The executive view, six words a board member can hold.
NIST CSF 2.0 Field Guide
The framework that organizes everything else: the six functions and 106 outcomes, full visibility into Tiers and Profiles, and the path from your own MSP's target profile to the language every boardroom, insurer, and RFP speaks, with a step-by-step ControlMap workflow.
Start Here
The NIST Cybersecurity Framework is the U.S. government's free, voluntary taxonomy of cybersecurity outcomes, not a control checklist, but the organizing language the entire industry agreed to speak. Version 2.0 (February 2024) rebuilt it around a new GOVERN function and expanded its audience from critical infrastructure to every organization, which is exactly why boards, insurers, regulators, and RFPs now phrase their questions in its terms. An MSP fluent in CSF can translate any client conversation into a plan.
The Shape of 2.0
The executive view, six words a board member can hold.
The working rows every profile is built from.
The outcomes, what good looks like, never how.
What Changed & How It Works
The GOVERN function elevates strategy, roles, policy, oversight, and supply-chain risk to a function of their own; the scope statement dropped "critical infrastructure"; and NIST shipped a working toolkit, Implementation Examples, Informative References, Quick Start Guides, and a live online reference tool.
CSF describes what good looks like ("assets are inventoried," "incidents are contained") and leaves the how to you. The machinery is the Organizational Profile: document your Current Profile against the outcomes, define a Target Profile, and the gap between them is the roadmap, measured against four Tiers of rigor.
CSF vs CIS Controls
A risk-based taxonomy of outcomes: the language for scoping, board reporting, insurance forms, and government/enterprise RFPs. It tells you where you are and where to go; it deliberately doesn't tell you which knobs to turn.
Prescriptive, prioritized safeguards: the to-do list (see this series' CIS guide). CIS v8.1 aligned its terminology to CSF 2.0 on purpose: the two frameworks are designed to snap together, safeguards under outcomes.
Talk CSF, do CIS. Structure assessments, QBRs, and roadmaps in CSF's six functions, executives grasp them instantly; then implement and evidence with CIS safeguards underneath. One program, two languages, zero duplicate work.
Orientation: what CSF Is & Isn't
Free, voluntary, outcome-based, and universally cross-mapped: the connective tissue between every framework in this series. NIST's Informative References do the mapping officially.
A certification, a law, or a control set, there's no "CSF certified," no auditor, and no safeguard text. Rigor comes from the Tiers you claim and the evidence behind them.
You can adopt it today, profile yourself this quarter, and use it as the spine of every client conversation: the lowest-friction strategic framework in security.
Why fluency pays: when the cyber-insurance form asks about "governance and supply-chain risk management," when the enterprise RFP requires "alignment with NIST CSF," when a board member asks "are we covered?", those are CSF questions, and the MSP who answers in CSF terms with a current-vs-target profile chart wins the room. The MSP who answers with a product list doesn't. Like CIS, this starts with your own profile: run it on yourself first.
The Operating Model
CSF 2.0's headline change, GOVERN, is a structural statement: cybersecurity is an enterprise risk, owned by leadership, not an IT department's hobby. So the split below runs inside your own MSP first, exactly as the CIS guide prescribes: the technical team operates outcomes in Identify-through-Recover; leadership owns Govern. Rehearse it at home, then sell the rehearsal.
The same split you'll later sell to clients, rehearsed on your own MSP: the technical team operates the wheel, leadership owns GOVERN, and the profile machinery sits in the middle.
A real current profile, a leadership-approved target profile, real gap tickets, a real quarterly review. The first GOVERN outcome you implement is your own owner chairing the meeting.
Supply-chain risk management got a 10-outcome category because of incidents that came through providers like you. Your clients' GV.SC programs will assess your MSP, arrive with your own profile already done.
Your own profile becomes the demo, the template, and the answer to every "show me yours" questionnaire, plus the function-wheel scorecard becomes the QBR chart every client gets, quarter after quarter.
Golden rule: CSF rewards honesty about the gap: the framework's entire engine is the distance between Current and Target profiles. There's no auditor to impress and no score to inflate: a candid profile that drives a funded roadmap is worth infinitely more than a flattering one that drives nothing. Profile truthfully, target deliberately, close visibly.
01
The Maturity Dial
Where CIS scopes with Implementation Groups, CSF scopes with two instruments. Profiles answer which outcomes, to what state, Current vs Target, gap = roadmap. Tiers answer how rigorously the risk practice itself runs, from ad hoc to adaptive. Together they size the program, set the bar, and give every quarterly review its plot.
Four Tiers of Rigor
| Tier | The risk practice | The MSP read |
|---|---|---|
| Tier 1Partial | Risk managed ad hoc, reactively; little awareness outside IT; no organizational process. | Where most unmanaged SMBs honestly sit: the assessment finding, never the target. |
| Tier 2Risk Informed | Leadership approves practices and priorities flow from risk, but it isn't yet organization-wide policy. | A realistic year-one target for most SMB clients on a managed program. |
| Tier 3Repeatable | Formal policy, organization-wide practice, regular updates as risk changes: the loop runs on rails. | The natural home for an MSP and for regulated clients; the client-zero machinery in Section 03 lands you here. |
| Tier 4Adaptive | Continuous improvement from lessons learned and predictive indicators; security woven into culture and budgeting. | Earned, not declared, reach it by years of Tier-3 loops, like IG3 in the CIS guide. |
Tiers characterize the rigor of risk governance and management, they are not maturity grades per outcome, and NIST is explicit that higher isn't automatically better: the right tier balances risk, cost, and feasibility.
The Profile Mechanism
For each in-scope outcome: where you honestly are today, achieved, partial, or not, with the evidence that says so.
Where leadership decides you need to be, driven by risk appetite, obligations, customer requirements, and the chosen Tier.
Prioritized, priced, and scheduled: the action plan that becomes your remediation pipeline and the QBR's progress story.
Community Profiles are pre-built target profiles for a sector or use case, NIST and industry groups publish them, a shortcut worth checking before authoring a target profile from scratch for a common client type.
Mirror the CIS guide's play: run your MSP at Tier 3 (Repeatable, formal, organization-wide, loop on rails) and target clients at Tier 2 (Risk Informed) in year one, with Tier 3 as the documented upgrade for the regulated ones. Underneath, it's the same CIS two-IG strategy, IG2 for you, IG1 baseline for clients, wearing executive language.
Where the Outcomes Live
Each bar is one function, sized by its outcome count, with its category count alongside. Read the shape: GOVERN is the biggest function in CSF 2.0, and inside it, supply-chain risk (GV.SC) is the single largest category in the entire framework. The technical functions your stack covers, Detect, Respond, Recover, are deliberately lean: outcomes, not knob-lists.
Reading the Shape
Half the framework is governance and knowing yourself (GV + ID = 52 of 106 outcomes), paperwork-and-process outcomes a GRC platform and an analyst close fast. The "technical" half (PR/DE/RS/RC = 54) is where your stack already operates. For an MSP, neither half requires new invention: the gap is articulation and evidence.
Ten outcomes on supply-chain risk, bigger than all of RECOVER. Translation: every CSF-aligned client must formally manage providers, contracts, and provider incidents, and their biggest provider is you. Your own profile, handed over proactively, turns their hardest category into your easiest renewal argument.
Scoping note: unlike CIS's IGs, CSF doesn't pre-assign outcomes to tiers, every organization profiles against all 106 and decides per outcome what its target is. That sounds heavier than it is: for an SMB, many outcomes resolve to one sentence and one piece of evidence, and the CIS cross-walk underneath pre-answers most of PR/DE/RS/RC.
02
The Executive View
The functions are the executive view, six words a board member can hold. GOVERN sits at the center informing the other five; Identify-through-Recover run as the operational wheel around it. Below, every one of the 22 categories gets its row: what its outcomes ask for in plain language, the MSP-stack translation, and the subcategory count.
In the Order the Story Tells
Strategy, roles, policy, oversight, and supply-chain risk: the decisions that aim everything else. New as a function in 2.0, and deliberately first: outcomes here are leadership's, not IT's. GV · 31 outcomes.
Know thyself: assets, suppliers, vulnerabilities, threats, and risks, plus the improvement loop (ID.IM) that learns from all of it. The function every other one assumes. ID · 21 outcomes.
The safeguards: identity and access, training, data security, platform hardening, and infrastructure resilience, where the MSP stack does most of its daily work. PR · 22 outcomes.
Continuous monitoring plus adverse-event analysis, finding the anomaly and deciding it's an incident. Lean by design; heavy in operation, this is the MDR seat. DE · 11 outcomes.
Incident management, analysis, communication, and mitigation: the plan meeting reality. The regulated guides' breach clocks (HIPAA, FTC, state law) all plug into RS.CO. RS · 13 outcomes.
Recovery-plan execution and recovery communication, restoring operations and trust. Smallest function, biggest day: the eight outcomes a ransomware Tuesday is judged on. RC · 8 outcomes.
Each category row shows its identifier, what its outcomes ask for in plain language, the MSP-stack translation, and the subcategory count. Building a profile, work row by row, mark current state, set target state, note the evidence. 22 rows later, the profile exists.
PR, DE, and RC map almost one-to-one onto identity, EDR/SIEM, and backup: your stack pre-answers them the way Stacks pre-answers CIS. The genuinely new work for most MSPs is GV: writing down the strategy you've been running implicitly.
Strategy, Knowledge & the Loop
| Category | What the outcomes ask for | MSP translation | Outcomes |
|---|---|---|---|
| GV.OC · Organizational context | Mission, stakeholder expectations, and legal/regulatory/contractual requirements understood: the inputs that aim the program. | The obligation register: who requires what of this client, laws, contracts, insurers. | 5 |
| GV.RM · Risk management strategy | Risk appetite and tolerance stated, strategy established, and risk discussed in business terms, including how cyber risk rolls into enterprise risk. | A one-page risk strategy leadership signs: appetite statements, scoring method, review cadence. | 7 |
| GV.RR · Roles & responsibilities | Accountabilities defined, resourced, and communicated, including leadership's own. | The RACI: client exec accountable, MSP responsible: the vCISO/QI pattern from the regulated guides. | 4 |
| GV.PO · Policy | Security policy established, communicated, and enforced, and kept current. | The policy library with attestations and an annual review cycle. | 2 |
| GV.OV · Oversight | Strategy outcomes reviewed, performance measured, and the program adjusted, leadership watching the watchers. | The quarterly review with the score trend: your QBR, formalized as governance. | 3 |
| GV.SC · Supply-chain risk mgmtLargest category in CSF | A C-SCRM program: suppliers known and prioritized, security in contracts, providers assessed before and during the relationship, provider incidents planned for, and exits managed. | The vendor register with diligence cadence: your MSP is row one; arrive with your own profile and this category sells itself. | 10 |
| ID.AM · Asset management | Hardware, software, services, and data inventoried; flows mapped; assets prioritized by criticality and managed through their lifecycle. | RMM-driven inventories plus the data map, CIS controls 1–3 wearing CSF language. | 7 |
| ID.RA · Risk assessment | Vulnerabilities and threats identified, likelihood and impact analyzed, responses chosen and tracked, plus integrity-of-supply checks and vulnerability-disclosure handling. | The risk register fed by scans, threat intel, and assessments; treatment decisions with owners. | 10 |
| ID.IM · Improvement | Lessons from assessments, tests, exercises, and incidents drive improvement, plans updated, the loop visibly turning. | The corrective-action log plus tabletop findings closing as tickets, clause-10 discipline, CSF edition. | 4 |
Where client-zero profiles stall: GV.RM (the risk appetite nobody ever wrote down), GV.SC (the vendor list that exists only in accounts payable), and ID.AM's data flows (everyone knows them; no one has drawn them). All three are writing problems, not engineering problems, an analyst-week each, and they unlock the executive credibility the whole framework trades on.
The Operational Wheel
| Category | What the outcomes ask for | MSP translation | Outcomes |
|---|---|---|---|
| PR.AA · Identity, authentication & access | Identities managed lifecycle-long, credentials protected, users and services authenticated (MFA, risk-proportionate), access least-privilege and reviewed, physical access controlled. | SSO + MFA + JML workflow + access reviews, CIS 5/6 in CSF dress. | 6 |
| PR.AT · Awareness & training | The workforce, and specialized roles, trained to do their security jobs. | Awareness platform plus role-based modules with completion exports. | 2 |
| PR.DS · Data security | Data-at-rest, data-in-transit, and data-in-use protected; backups created, protected, and tested. | Encryption posture plus immutable, restore-tested backup. | 4 |
| PR.PS · Platform security | Configuration managed, software maintained and patched, logging enabled, unauthorized software prevented, secure development practiced. | Hardening baselines, patch automation, log coverage, application control. | 6 |
| PR.IR · Technology infrastructure resilience | Networks protected from unauthorized access, environments resilient, capacity managed, built to bend, not break. | Segmentation, redundancy, capacity monitoring: the architecture conversation. | 4 |
| DE.CM · Continuous monitoring | Networks, endpoints, personnel activity, and provider activity monitored for adverse events. | EDR + SIEM + the watch-floor, control 13's territory; the MDR seat. | 5 |
| DE.AE · Adverse event analysis | Anomalies analyzed, correlated, impact estimated, and the call made: incident or not, with information shared to those who respond. | Alert triage runbook plus the declaration threshold, written down. | 6 |
| RS.MA / RS.AN · Incident management & analysis | The IR plan executed with triage, categorization, and escalation; incidents investigated thoroughly enough to support response and recovery, with evidence preserved. | The IR plan from template, exercised annually; post-mortems filed. | 5 + 4 |
| RS.CO / RS.MI · Reporting, communication & mitigation | Stakeholders and authorities notified as required; incidents contained and eradicated. | The breach-clock matrix from this series' regulated guides (HIPAA, FTC, PCI) plugs in here. | 2 + 2 |
| RC.RP / RC.CO · Recovery execution & communication | Recovery runs from the plan: backup integrity verified before restore, restoration confirmed, end declared, with progress communicated honestly inside and out. | BCDR runbooks plus restore-test evidence plus the comms templates written before the bad Tuesday. | 6 + 2 |
The Delivery Split
The typical split when an MSP delivers a CSF program to a client: the operational wheel runs MSP-heavy, GOVERN runs client-heavy, and GV.SC sits deliberately in the middle, because the client's supply-chain program is assessing you. And per the source chart's own title: when the client is your own MSP, all three bars are you.
The pattern to notice: the operational wheel (PR→RC) is where your stack lives; GOVERN is where the client's accountability lives; and the profile makes both visible. That's why CSF is the QBR framework, one wheel chart, read unaided by any owner.
03
Run It: You First
Turn the framework into a running program on your own MSP, profiled, targeted, gap-funded, and reviewed on a cadence; then clone the machinery for clients. Same 90-day discipline as the CIS guide; here the deliverable is the profile pair and the wheel chart that makes it executive-legible.
Your First 90 Days on Yourself
Leadership writes the GV outcomes for real: context, risk appetite, roles, policy, and picks the Tier target (Tier 3 for an MSP).
Current state across all 22 categories, evidence noted: the CIS baseline underneath pre-answers most of PR/DE/RC.
Leadership sets the target profile per category, risk, obligations, and customer expectations driving, not vendor brochures.
The current→target delta becomes the priced, scheduled action plan, writing-week items first, projects second.
Quarterly GV.OV review with the wheel chart trend; then publish the profile summary; GV.SC questionnaires answer themselves.
Score each category 0–4 against its target (not implemented → partial → largely → achieved → exceeds) and render the six-function wheel, current ring vs target ring. Two numbers run the program: target-attainment % and the GOVERN score specifically, the one executives can move themselves. The same wheel later becomes every client's QBR centerpiece.
If you ran the CIS guide's client-zero arc, you already did the profile and gap-funding steps, cross-mapping lifts the CIS baseline straight into the CSF profile. The genuinely new work is GV's writing week and the wheel-chart reporting layer. One program, two languages.
From Practice to Clients
With your own profile running, CSF becomes your conversation layer: the assessment that opens executive doors, the wheel chart that runs QBRs, and the taxonomy that organizes every framework underneath. The CaaS Build Guide holds packaging and pricing; here's where CSF slots in.
Where CSF Slots In
The executive-level paid entry: profile the client across all 22 categories, deliver the current-vs-target wheel, top risks in business language, and a phased roadmap.
When CSF beats CIS as the opener: board-driven or insurance-driven buyers, RFPs that name NIST, and any client whose decision-maker is an owner, not an IT manager.
Converts to: the gap-closure projects plus a managed tier with quarterly re-profiling.
Two layers, one program: operate CIS safeguards as the delivery layer; report in CSF functions as the executive layer. The QBR wheel shows current vs target by function; the appendix shows what moved it.
The QBR line that renews it: "GOVERN went from 1.5 to 3.0 this year, here's the wheel, and here's what your insurer sees now."
GV.SC makes the renewal structural: you're inside their supply-chain program by name.
The mechanism: CSF's Informative References map every outcome to the control frameworks officially, so a maintained profile pre-answers the structure of any regulated engagement that lands.
The pitch: "Your profile already organizes this, here's the 800-171 delta, mapped."
The pricing: the same 40–60% second-framework pricing mechanic from the CaaS guide.
One Profile, Every Framework
| When the client needs… | Your CSF profile already gives you… | What's genuinely new (see that guide) |
|---|---|---|
| CIS ControlsThe doing layer | The organizing taxonomy, v8.1 aligned its language to CSF 2.0; safeguards slot under outcomes one-to-many. | The prescriptive safeguard work itself and the IG sequencing. |
| CMMC / 800-171Defense | The functional skeleton, 800-171's families sit naturally under ID/PR/DE/RS, and your GV work covers the policy layer assessors check first. | CUI scoping, the SSP/POA&M/SPRS machinery, and assessment-grade evidence. |
| ISO 27001Certificate | GV ≈ clauses 4–6 and 9–10 in miniature: context, leadership, risk, oversight, improvement: the ISMS loop's skeleton already drawn. | The SoA, mandatory documents, internal audits, and the CB cycle. |
| SOC 2Attestation | GV maps onto CC1–CC5's governance half; the operational wheel onto CC6–CC9: the report's structure pre-organized. | Trust Services scoping, the system description, and the CPA engagement. |
| HIPAA · PCI · FTC SafeguardsThe regulated rules | Risk analysis, training, IR, vendor oversight, and recovery outcomes each rule demands, with RS.CO holding all the breach clocks. | Each rule's scoping, named roles, and notification specifics. |
The pattern worth internalizing: CIS supplies the controls, the regulated frameworks add scoping and paperwork, and CSF supplies the language that holds it all together. The MSP that maintains one CSF profile per client can walk into any framework conversation in this series with the map already drawn and only the route left to quote.
ControlMap by ScalePad
ControlMap is ScalePad's multi-tenant GRC platform built for MSPs. Run CSF 2.0 as each client's organizing framework, let cross-mapping connect the outcomes to CIS safeguards and every regulated framework, and let Stacks pre-answer the operational half from the tools already deployed, so the profile, the evidence, and the QBR wheel all live in one workspace.
The Five-Step ControlMap Workflow for NIST CSF 2.0: Starting With Yourself
Create your own MSP's workspace, load the CSF 2.0 framework, functions, categories, and outcomes pre-structured, and record the GV foundations: organizational context, risk strategy, roles, and the Tier target (Tier 3). This workspace becomes the master template every client tenant clones.
Declare the stack and let Stacks' vendor mappings light up the outcomes your EDR, identity, backup, and email security already satisfy; an existing CIS baseline lifts straight into the profile via cross-mapping. Your analyst verifies, scores each category honestly, and works only the genuine gaps, most in GOVERN.
Leadership sets target states per category, driven by the obligation register and risk appetite; the platform's gap view becomes the prioritized, owned, dated action plan, writing-week items first, projects second, and seeds the risk register from what stays open.
Draft the policy set, risk strategy, and vendor-management program from templates with staff e-attestation; then turn every recurring outcome, access reviews, restore tests, vendor reassessments, training, the GV.OV quarterly review itself, into recurring tasks with evidence attached as it happens.
Tenant cloning turns the finished client-zero workspace into the master template: new client, cloned tenant, stack declared, profile assessed, wheel rendered, an executive-grade deliverable in the first month. When a regulated framework lands later, adopt it in the same tenant and cross-mapping quotes only the delta.
Productize the arc: CSF Posture Assessment (paid entry, executive deliverable) → Gap closure (quoted projects) → Managed program (talk CSF, do CIS: the Better tier with quarterly re-profiling) → vCISO/GV add-on for clients who need the governance layer operated, not just documented.
The wheel chart is the meeting: six functions, current ring vs target ring, this quarter's movement shaded. It's the one security artifact an owner can read unaided, repeat to their board, and forward to their insurer, which is precisely what makes it renew.
Profiles drift with the business: new products, vendors, obligations, incidents. Re-profile quarterly, re-set targets annually at the GV.OV review, and watch NIST's cadence, CSF revises on multi-year cycles, and the Informative References update continuously online.
Take Action
Where each part of the CSF program lives in ControlMap and the records that prove it ran; a realistic first-90-days arc for your own MSP as client zero; and the ten-point quick-start checklist that puts the whole guide in motion.
ControlMap in Action
| Area | Do this in ControlMap | Records you'll bank |
|---|---|---|
| Tiers & Profiles | Record the Tier decision per tenant (your MSP at Tier 3, clients targeted at Tier 2); maintain Current and Target profiles as living assessments; track target-attainment % as the headline metric with the GV score broken out. | Tier decision record · profile pair, versioned · attainment trend by quarter |
| The six functions | Run in-scope outcomes as owned controls; let Stacks and the CIS cross-map supply the operational answers; attach evidence on cadence, inventories, MFA reports, restore tests, triage records, vendor reviews, training exports. | Outcome status history · cross-map justifications · the evidence library, organized per category |
| The program | Quarterly re-profile with the wheel chart trend; risk register fed by gaps and incidents (ID.RA/ID.IM); the GV.OV review run from the dashboard with minutes captured; annual IR tabletop looped into improvement. | Quarterly wheel charts · risk register with treatments · review minutes · tabletop closure records |
| The springboard | When CIS, 800-171, ISO, SOC 2, or a regulated rule lands, adopt it in the same tenant, cross-mapping pre-fills everything the profile already satisfies and isolates the genuine delta for quoting. | Cross-map coverage reports · per-framework gap lists · the "your profile already organizes this" sales artifact |
For Your Own MSP as Client Zero
Tier 3 target set · GV writing week: context, risk strategy, roles · workspace live · stack declared.
Current Profile scored across all 22 categories (Stacks + CIS cross-map accelerated) · Target Profile approved by leadership.
Gap plan funded and in flight · policy set and vendor program live with attestations · cadences running as tasks.
First GV.OV review chaired by the owner with the wheel chart · profile summary published · tenant cloned as the client template · first pilot scoped.
Take Action
Free from NIST, with its Quick Start Guides and online reference tool, and make the leadership decision: your MSP profiles itself first, targeting Tier 3.
Organizational context, risk appetite, roles, policy: the strategy you've been running implicitly, finally on paper.
Across all 22 categories, with evidence noted, Stacks and the CIS cross-map pre-answer the operational half.
Leadership decides, risk, obligations, and customers driving, with Community Profiles checked first for a head start.
The current→target delta becomes a funded, dated action plan, writing-week items first, projects second, owners on everything.
Like your business depends on it, because your clients' supply-chain programs will assess your MSP by name.
With the owner in the chair every quarter: the wheel chart trend, closed gaps, open risks, and next quarter's targets.
Make the finished tenant your master client template; then launch the CSF Posture Assessment as your executive-level entry offering.
Talk CSF in the boardroom and do CIS in the stack, one program, two languages, zero duplicate work.
When CMMC, ISO, SOC 2, or a regulated rule lands, cross-map first and quote only the genuine delta.
This guide is provided for general educational purposes and reflects the NIST Cybersecurity Framework 2.0 (February 2024) as commonly understood at time of publication. The CSF is developed and maintained by the U.S. National Institute of Standards and Technology and is free to download from nist.gov, consult the official publication, Implementation Examples, and Informative References for authoritative outcome text, and verify counts against the current release before relying on them in client deliverables. Companion guides in this series: CIS Controls v8.1, HIPAA, PCI DSS, CMMC, FTC Safeguards (GLBA), SOC 2, ISO/IEC 27001, and the CaaS Build Guide.
ControlMap by ScalePad
One CSF profile per client, CIS safeguards and every regulated framework cross-mapped underneath, see how MSPs run it multi-tenant in ControlMap.