ScalePad
ControlMap

NIST CSF 2.0 Field Guide

NIST CSF 2.0: the common language, made operational

The framework that organizes everything else: the six functions and 106 outcomes, full visibility into Tiers and Profiles, and the path from your own MSP's target profile to the language every boardroom, insurer, and RFP speaks, with a step-by-step ControlMap workflow.

Start Here

NIST CSF 2.0 at a glance: why your MSP speaks it

The NIST Cybersecurity Framework is the U.S. government's free, voluntary taxonomy of cybersecurity outcomes, not a control checklist, but the organizing language the entire industry agreed to speak. Version 2.0 (February 2024) rebuilt it around a new GOVERN function and expanded its audience from critical infrastructure to every organization, which is exactly why boards, insurers, regulators, and RFPs now phrase their questions in its terms. An MSP fluent in CSF can translate any client conversation into a plan.

The Shape of 2.0

6 functions

The executive view, six words a board member can hold.

22 categories

The working rows every profile is built from.

106 subcategories

The outcomes, what good looks like, never how.

What Changed & How It Works

What's new since 1.1

The GOVERN function elevates strategy, roles, policy, oversight, and supply-chain risk to a function of their own; the scope statement dropped "critical infrastructure"; and NIST shipped a working toolkit, Implementation Examples, Informative References, Quick Start Guides, and a live online reference tool.

How it works

CSF describes what good looks like ("assets are inventoried," "incidents are contained") and leaves the how to you. The machinery is the Organizational Profile: document your Current Profile against the outcomes, define a Target Profile, and the gap between them is the roadmap, measured against four Tiers of rigor.

CSF vs CIS Controls

The question this series answers with "both"

CSF is the map

A risk-based taxonomy of outcomes: the language for scoping, board reporting, insurance forms, and government/enterprise RFPs. It tells you where you are and where to go; it deliberately doesn't tell you which knobs to turn.

CIS is the route

Prescriptive, prioritized safeguards: the to-do list (see this series' CIS guide). CIS v8.1 aligned its terminology to CSF 2.0 on purpose: the two frameworks are designed to snap together, safeguards under outcomes.

The MSP play

Talk CSF, do CIS. Structure assessments, QBRs, and roadmaps in CSF's six functions, executives grasp them instantly; then implement and evidence with CIS safeguards underneath. One program, two languages, zero duplicate work.

Orientation: what CSF Is & Isn't

It is

Free, voluntary, outcome-based, and universally cross-mapped: the connective tissue between every framework in this series. NIST's Informative References do the mapping officially.

It isn't

A certification, a law, or a control set, there's no "CSF certified," no auditor, and no safeguard text. Rigor comes from the Tiers you claim and the evidence behind them.

Which means

You can adopt it today, profile yourself this quarter, and use it as the spine of every client conversation: the lowest-friction strategic framework in security.

Why fluency pays: when the cyber-insurance form asks about "governance and supply-chain risk management," when the enterprise RFP requires "alignment with NIST CSF," when a board member asks "are we covered?", those are CSF questions, and the MSP who answers in CSF terms with a current-vs-target profile chart wins the room. The MSP who answers with a product list doesn't. Like CIS, this starts with your own profile: run it on yourself first.

The Operating Model

Client zero: your security team × your leadership

CSF 2.0's headline change, GOVERN, is a structural statement: cybersecurity is an enterprise risk, owned by leadership, not an IT department's hobby. So the split below runs inside your own MSP first, exactly as the CIS guide prescribes: the technical team operates outcomes in Identify-through-Recover; leadership owns Govern. Rehearse it at home, then sell the rehearsal.

Security/ops × leadership: who runs what

The same split you'll later sell to clients, rehearsed on your own MSP: the technical team operates the wheel, leadership owns GOVERN, and the profile machinery sits in the middle.

Security/ops team runs

  • Asset inventories (ID.AM)
  • Identity & access (PR.AA)
  • Platform hardening (PR.PS)
  • Monitoring & detection (DE)
  • Incident handling (RS)
  • Backup & recovery (RC)
  • Evidence collection

Shared

  • The profile assessment
  • Risk assessment (ID.RA)
  • Gap prioritization
  • Awareness training (PR.AT)
  • Vendor reviews (GV.SC)
  • Improvement loop (ID.IM)
  • The posture scorecard

Leadership owns

  • Risk appetite & strategy
  • Roles & accountabilities
  • Policy approval
  • Oversight & review chair
  • Supply-chain decisions
  • The target profile call
  • Telling the market

Treat yourself like a client

A real current profile, a leadership-approved target profile, real gap tickets, a real quarterly review. The first GOVERN outcome you implement is your own owner chairing the meeting.

Take GV.SC personally

Supply-chain risk management got a 10-outcome category because of incidents that came through providers like you. Your clients' GV.SC programs will assess your MSP, arrive with your own profile already done.

Bank the by-products

Your own profile becomes the demo, the template, and the answer to every "show me yours" questionnaire, plus the function-wheel scorecard becomes the QBR chart every client gets, quarter after quarter.

Golden rule: CSF rewards honesty about the gap: the framework's entire engine is the distance between Current and Target profiles. There's no auditor to impress and no score to inflate: a candid profile that drives a funded roadmap is worth infinitely more than a flattering one that drives nothing. Profile truthfully, target deliberately, close visibly.

01

The Maturity Dial

Tiers & Profiles: the framework's engine

Where CIS scopes with Implementation Groups, CSF scopes with two instruments. Profiles answer which outcomes, to what state, Current vs Target, gap = roadmap. Tiers answer how rigorously the risk practice itself runs, from ad hoc to adaptive. Together they size the program, set the bar, and give every quarterly review its plot.

Four Tiers of Rigor

The four Tiers: from ad hoc to adaptive

TierThe risk practiceThe MSP read
Tier 1PartialRisk managed ad hoc, reactively; little awareness outside IT; no organizational process.Where most unmanaged SMBs honestly sit: the assessment finding, never the target.
Tier 2Risk InformedLeadership approves practices and priorities flow from risk, but it isn't yet organization-wide policy.A realistic year-one target for most SMB clients on a managed program.
Tier 3RepeatableFormal policy, organization-wide practice, regular updates as risk changes: the loop runs on rails.The natural home for an MSP and for regulated clients; the client-zero machinery in Section 03 lands you here.
Tier 4AdaptiveContinuous improvement from lessons learned and predictive indicators; security woven into culture and budgeting.Earned, not declared, reach it by years of Tier-3 loops, like IG3 in the CIS guide.

Tiers characterize the rigor of risk governance and management, they are not maturity grades per outcome, and NIST is explicit that higher isn't automatically better: the right tier balances risk, cost, and feasibility.

The Profile Mechanism

Current → Target, gap → roadmap

  1. 1

    Current Profile

    For each in-scope outcome: where you honestly are today, achieved, partial, or not, with the evidence that says so.

  2. 2

    Target Profile

    Where leadership decides you need to be, driven by risk appetite, obligations, customer requirements, and the chosen Tier.

  3. 3

    The gap = the plan

    Prioritized, priced, and scheduled: the action plan that becomes your remediation pipeline and the QBR's progress story.

Check Community Profiles first

Community Profiles are pre-built target profiles for a sector or use case, NIST and industry groups publish them, a shortcut worth checking before authoring a target profile from scratch for a common client type.

The two-tier strategy, CSF edition

Mirror the CIS guide's play: run your MSP at Tier 3 (Repeatable, formal, organization-wide, loop on rails) and target clients at Tier 2 (Risk Informed) in year one, with Tier 3 as the documented upgrade for the regulated ones. Underneath, it's the same CIS two-IG strategy, IG2 for you, IG1 baseline for clients, wearing executive language.

Where the Outcomes Live

Where the outcomes live: 106 subcategories across 6 functions

Each bar is one function, sized by its outcome count, with its category count alongside. Read the shape: GOVERN is the biggest function in CSF 2.0, and inside it, supply-chain risk (GV.SC) is the single largest category in the entire framework. The technical functions your stack covers, Detect, Respond, Recover, are deliberately lean: outcomes, not knob-lists.

Six functions, 106 outcomes

GV · GOVERN6 categories
31
ID · IDENTIFY3 categories
21
PR · PROTECT5 categories
22
DE · DETECT2 categories
11
RS · RESPOND4 categories
13
RC · RECOVER2 categories
8
Counts from the source guide's function chart, GV.SC at 10 outcomes is the framework's largest category, bigger than all of RECOVER. Per-category counts appear in the Section 02 tables.

Reading the Shape

What the shape tells you

Half the framework is governance and knowing yourself (GV + ID = 52 of 106 outcomes), paperwork-and-process outcomes a GRC platform and an analyst close fast. The "technical" half (PR/DE/RS/RC = 54) is where your stack already operates. For an MSP, neither half requires new invention: the gap is articulation and evidence.

The GV.SC signal

Ten outcomes on supply-chain risk, bigger than all of RECOVER. Translation: every CSF-aligned client must formally manage providers, contracts, and provider incidents, and their biggest provider is you. Your own profile, handed over proactively, turns their hardest category into your easiest renewal argument.

Scoping note: unlike CIS's IGs, CSF doesn't pre-assign outcomes to tiers, every organization profiles against all 106 and decides per outcome what its target is. That sounds heavier than it is: for an SMB, many outcomes resolve to one sentence and one piece of evidence, and the CIS cross-walk underneath pre-answers most of PR/DE/RS/RC.

02

The Executive View

The six functions: the whole game in one wheel

The functions are the executive view, six words a board member can hold. GOVERN sits at the center informing the other five; Identify-through-Recover run as the operational wheel around it. Below, every one of the 22 categories gets its row: what its outcomes ask for in plain language, the MSP-stack translation, and the subcategory count.

In the Order the Story Tells

GOVERN: the new core

Strategy, roles, policy, oversight, and supply-chain risk: the decisions that aim everything else. New as a function in 2.0, and deliberately first: outcomes here are leadership's, not IT's. GV · 31 outcomes.

IDENTIFY

Know thyself: assets, suppliers, vulnerabilities, threats, and risks, plus the improvement loop (ID.IM) that learns from all of it. The function every other one assumes. ID · 21 outcomes.

PROTECT

The safeguards: identity and access, training, data security, platform hardening, and infrastructure resilience, where the MSP stack does most of its daily work. PR · 22 outcomes.

DETECT

Continuous monitoring plus adverse-event analysis, finding the anomaly and deciding it's an incident. Lean by design; heavy in operation, this is the MDR seat. DE · 11 outcomes.

RESPOND

Incident management, analysis, communication, and mitigation: the plan meeting reality. The regulated guides' breach clocks (HIPAA, FTC, state law) all plug into RS.CO. RS · 13 outcomes.

RECOVER

Recovery-plan execution and recovery communication, restoring operations and trust. Smallest function, biggest day: the eight outcomes a ransomware Tuesday is judged on. RC · 8 outcomes.

How to read the tables

Each category row shows its identifier, what its outcomes ask for in plain language, the MSP-stack translation, and the subcategory count. Building a profile, work row by row, mark current state, set target state, note the evidence. 22 rows later, the profile exists.

Your stack pre-answers

PR, DE, and RC map almost one-to-one onto identity, EDR/SIEM, and backup: your stack pre-answers them the way Stacks pre-answers CIS. The genuinely new work for most MSPs is GV: writing down the strategy you've been running implicitly.

Strategy, Knowledge & the Loop

GOVERN & IDENTIFY: the writing half

CategoryWhat the outcomes ask forMSP translationOutcomes
GV.OC · Organizational contextMission, stakeholder expectations, and legal/regulatory/contractual requirements understood: the inputs that aim the program.The obligation register: who requires what of this client, laws, contracts, insurers.5
GV.RM · Risk management strategyRisk appetite and tolerance stated, strategy established, and risk discussed in business terms, including how cyber risk rolls into enterprise risk.A one-page risk strategy leadership signs: appetite statements, scoring method, review cadence.7
GV.RR · Roles & responsibilitiesAccountabilities defined, resourced, and communicated, including leadership's own.The RACI: client exec accountable, MSP responsible: the vCISO/QI pattern from the regulated guides.4
GV.PO · PolicySecurity policy established, communicated, and enforced, and kept current.The policy library with attestations and an annual review cycle.2
GV.OV · OversightStrategy outcomes reviewed, performance measured, and the program adjusted, leadership watching the watchers.The quarterly review with the score trend: your QBR, formalized as governance.3
GV.SC · Supply-chain risk mgmtLargest category in CSFA C-SCRM program: suppliers known and prioritized, security in contracts, providers assessed before and during the relationship, provider incidents planned for, and exits managed.The vendor register with diligence cadence: your MSP is row one; arrive with your own profile and this category sells itself.10
ID.AM · Asset managementHardware, software, services, and data inventoried; flows mapped; assets prioritized by criticality and managed through their lifecycle.RMM-driven inventories plus the data map, CIS controls 1–3 wearing CSF language.7
ID.RA · Risk assessmentVulnerabilities and threats identified, likelihood and impact analyzed, responses chosen and tracked, plus integrity-of-supply checks and vulnerability-disclosure handling.The risk register fed by scans, threat intel, and assessments; treatment decisions with owners.10
ID.IM · ImprovementLessons from assessments, tests, exercises, and incidents drive improvement, plans updated, the loop visibly turning.The corrective-action log plus tabletop findings closing as tickets, clause-10 discipline, CSF edition.4

Where client-zero profiles stall: GV.RM (the risk appetite nobody ever wrote down), GV.SC (the vendor list that exists only in accounts payable), and ID.AM's data flows (everyone knows them; no one has drawn them). All three are writing problems, not engineering problems, an analyst-week each, and they unlock the executive credibility the whole framework trades on.

The Operational Wheel

PROTECT through RECOVER: where the stack lives

CategoryWhat the outcomes ask forMSP translationOutcomes
PR.AA · Identity, authentication & accessIdentities managed lifecycle-long, credentials protected, users and services authenticated (MFA, risk-proportionate), access least-privilege and reviewed, physical access controlled.SSO + MFA + JML workflow + access reviews, CIS 5/6 in CSF dress.6
PR.AT · Awareness & trainingThe workforce, and specialized roles, trained to do their security jobs.Awareness platform plus role-based modules with completion exports.2
PR.DS · Data securityData-at-rest, data-in-transit, and data-in-use protected; backups created, protected, and tested.Encryption posture plus immutable, restore-tested backup.4
PR.PS · Platform securityConfiguration managed, software maintained and patched, logging enabled, unauthorized software prevented, secure development practiced.Hardening baselines, patch automation, log coverage, application control.6
PR.IR · Technology infrastructure resilienceNetworks protected from unauthorized access, environments resilient, capacity managed, built to bend, not break.Segmentation, redundancy, capacity monitoring: the architecture conversation.4
DE.CM · Continuous monitoringNetworks, endpoints, personnel activity, and provider activity monitored for adverse events.EDR + SIEM + the watch-floor, control 13's territory; the MDR seat.5
DE.AE · Adverse event analysisAnomalies analyzed, correlated, impact estimated, and the call made: incident or not, with information shared to those who respond.Alert triage runbook plus the declaration threshold, written down.6
RS.MA / RS.AN · Incident management & analysisThe IR plan executed with triage, categorization, and escalation; incidents investigated thoroughly enough to support response and recovery, with evidence preserved.The IR plan from template, exercised annually; post-mortems filed.5 + 4
RS.CO / RS.MI · Reporting, communication & mitigationStakeholders and authorities notified as required; incidents contained and eradicated.The breach-clock matrix from this series' regulated guides (HIPAA, FTC, PCI) plugs in here.2 + 2
RC.RP / RC.CO · Recovery execution & communicationRecovery runs from the plan: backup integrity verified before restore, restoration confirmed, end declared, with progress communicated honestly inside and out.BCDR runbooks plus restore-test evidence plus the comms templates written before the bad Tuesday.6 + 2

The Delivery Split

Who does what: when you deliver CSF to a client

The typical split when an MSP delivers a CSF program to a client: the operational wheel runs MSP-heavy, GOVERN runs client-heavy, and GV.SC sits deliberately in the middle, because the client's supply-chain program is assessing you. And per the source chart's own title: when the client is your own MSP, all three bars are you.

The responsibility split, function by function

PROTECT, DETECT & RECOVER operationsPR, DE, RC
MSP
Shared
Client
IDENTIFY: inventories, risk, improvementID
MSP
Shared
Client
RESPOND: handling vs decisions & notificationsRS
MSP
Shared
Client
GOVERN: strategy, policy, oversightGV
MSP
Shared
Client
GV.SC: supply-chain riskThe client assessing you
MSP
Shared
Client
MSP leadsSharedClient leadsProportions measured from the source chart, for your own MSP as client zero, all three bars are you.

The pattern to notice: the operational wheel (PR→RC) is where your stack lives; GOVERN is where the client's accountability lives; and the profile makes both visible. That's why CSF is the QBR framework, one wheel chart, read unaided by any owner.

03

Run It: You First

Run it: you first: the client-zero playbook

Turn the framework into a running program on your own MSP, profiled, targeted, gap-funded, and reviewed on a cadence; then clone the machinery for clients. Same 90-day discipline as the CIS guide; here the deliverable is the profile pair and the wheel chart that makes it executive-legible.

Your First 90 Days on Yourself

The client-zero arc

  1. 1

    Govern first

    Leadership writes the GV outcomes for real: context, risk appetite, roles, policy, and picks the Tier target (Tier 3 for an MSP).

  2. 2

    Profile honestly

    Current state across all 22 categories, evidence noted: the CIS baseline underneath pre-answers most of PR/DE/RC.

  3. 3

    Target deliberately

    Leadership sets the target profile per category, risk, obligations, and customer expectations driving, not vendor brochures.

  4. 4

    Fund the gap

    The current→target delta becomes the priced, scheduled action plan, writing-week items first, projects second.

  5. 5

    Review & tell

    Quarterly GV.OV review with the wheel chart trend; then publish the profile summary; GV.SC questionnaires answer themselves.

Scoring that means something

Score each category 0–4 against its target (not implemented → partial → largely → achieved → exceeds) and render the six-function wheel, current ring vs target ring. Two numbers run the program: target-attainment % and the GOVERN score specifically, the one executives can move themselves. The same wheel later becomes every client's QBR centerpiece.

Don't double-build

If you ran the CIS guide's client-zero arc, you already did the profile and gap-funding steps, cross-mapping lifts the CIS baseline straight into the CSF profile. The genuinely new work is GV's writing week and the wheel-chart reporting layer. One program, two languages.

From Practice to Clients

From your practice to your clients: productize & cross-map

With your own profile running, CSF becomes your conversation layer: the assessment that opens executive doors, the wheel chart that runs QBRs, and the taxonomy that organizes every framework underneath. The CaaS Build Guide holds packaging and pricing; here's where CSF slots in.

Where CSF Slots In

The assessment, the program, the springboard

The CSF Posture Assessment

The executive-level paid entry: profile the client across all 22 categories, deliver the current-vs-target wheel, top risks in business language, and a phased roadmap.

When CSF beats CIS as the opener: board-driven or insurance-driven buyers, RFPs that name NIST, and any client whose decision-maker is an owner, not an IT manager.

Converts to: the gap-closure projects plus a managed tier with quarterly re-profiling.

The managed program: talk CSF, do CIS

Two layers, one program: operate CIS safeguards as the delivery layer; report in CSF functions as the executive layer. The QBR wheel shows current vs target by function; the appendix shows what moved it.

The QBR line that renews it: "GOVERN went from 1.5 to 3.0 this year, here's the wheel, and here's what your insurer sees now."

GV.SC makes the renewal structural: you're inside their supply-chain program by name.

The translation springboard

The mechanism: CSF's Informative References map every outcome to the control frameworks officially, so a maintained profile pre-answers the structure of any regulated engagement that lands.

The pitch: "Your profile already organizes this, here's the 800-171 delta, mapped."

The pricing: the same 40–60% second-framework pricing mechanic from the CaaS guide.

One Profile, Every Framework

What the profile already gives you

When the client needs…Your CSF profile already gives you…What's genuinely new (see that guide)
CIS ControlsThe doing layerThe organizing taxonomy, v8.1 aligned its language to CSF 2.0; safeguards slot under outcomes one-to-many.The prescriptive safeguard work itself and the IG sequencing.
CMMC / 800-171DefenseThe functional skeleton, 800-171's families sit naturally under ID/PR/DE/RS, and your GV work covers the policy layer assessors check first.CUI scoping, the SSP/POA&M/SPRS machinery, and assessment-grade evidence.
ISO 27001CertificateGV ≈ clauses 4–6 and 9–10 in miniature: context, leadership, risk, oversight, improvement: the ISMS loop's skeleton already drawn.The SoA, mandatory documents, internal audits, and the CB cycle.
SOC 2AttestationGV maps onto CC1–CC5's governance half; the operational wheel onto CC6–CC9: the report's structure pre-organized.Trust Services scoping, the system description, and the CPA engagement.
HIPAA · PCI · FTC SafeguardsThe regulated rulesRisk analysis, training, IR, vendor oversight, and recovery outcomes each rule demands, with RS.CO holding all the breach clocks.Each rule's scoping, named roles, and notification specifics.

The pattern worth internalizing: CIS supplies the controls, the regulated frameworks add scoping and paperwork, and CSF supplies the language that holds it all together. The MSP that maintains one CSF profile per client can walk into any framework conversation in this series with the map already drawn and only the route left to quote.

ControlMap by ScalePad

One profile per client, every framework underneath: in one platform

ControlMap is ScalePad's multi-tenant GRC platform built for MSPs. Run CSF 2.0 as each client's organizing framework, let cross-mapping connect the outcomes to CIS safeguards and every regulated framework, and let Stacks pre-answer the operational half from the tools already deployed, so the profile, the evidence, and the QBR wheel all live in one workspace.

The Five-Step ControlMap Workflow for NIST CSF 2.0: Starting With Yourself

  1. 1

    Stand up client zero & adopt CSF 2.0

    Create your own MSP's workspace, load the CSF 2.0 framework, functions, categories, and outcomes pre-structured, and record the GV foundations: organizational context, risk strategy, roles, and the Tier target (Tier 3). This workspace becomes the master template every client tenant clones.

  2. 2

    Build the Current Profile

    Declare the stack and let Stacks' vendor mappings light up the outcomes your EDR, identity, backup, and email security already satisfy; an existing CIS baseline lifts straight into the profile via cross-mapping. Your analyst verifies, scores each category honestly, and works only the genuine gaps, most in GOVERN.

  3. 3

    Set the Target Profile: turn the gap into the plan

    Leadership sets target states per category, driven by the obligation register and risk appetite; the platform's gap view becomes the prioritized, owned, dated action plan, writing-week items first, projects second, and seeds the risk register from what stays open.

  4. 4

    Publish the GV layer, run the cadences

    Draft the policy set, risk strategy, and vendor-management program from templates with staff e-attestation; then turn every recurring outcome, access reviews, restore tests, vendor reassessments, training, the GV.OV quarterly review itself, into recurring tasks with evidence attached as it happens.

  5. 5

    Clone the tenant, own the QBR

    Tenant cloning turns the finished client-zero workspace into the master template: new client, cloned tenant, stack declared, profile assessed, wheel rendered, an executive-grade deliverable in the first month. When a regulated framework lands later, adopt it in the same tenant and cross-mapping quotes only the delta.

Package it as a service

Productize the arc: CSF Posture Assessment (paid entry, executive deliverable) → Gap closure (quoted projects) → Managed program (talk CSF, do CIS: the Better tier with quarterly re-profiling) → vCISO/GV add-on for clients who need the governance layer operated, not just documented.

Make the QBR land

The wheel chart is the meeting: six functions, current ring vs target ring, this quarter's movement shaded. It's the one security artifact an owner can read unaided, repeat to their board, and forward to their insurer, which is precisely what makes it renew.

Keep it alive

Profiles drift with the business: new products, vendors, obligations, incidents. Re-profile quarterly, re-set targets annually at the GV.OV review, and watch NIST's cadence, CSF revises on multi-year cycles, and the Informative References update continuously online.

Take Action

Map the platform, run the first 90 days, work the checklist

Where each part of the CSF program lives in ControlMap and the records that prove it ran; a realistic first-90-days arc for your own MSP as client zero; and the ten-point quick-start checklist that puts the whole guide in motion.

ControlMap in Action

Mapping ControlMap to the CSF program

AreaDo this in ControlMapRecords you'll bank
Tiers & ProfilesRecord the Tier decision per tenant (your MSP at Tier 3, clients targeted at Tier 2); maintain Current and Target profiles as living assessments; track target-attainment % as the headline metric with the GV score broken out.Tier decision record · profile pair, versioned · attainment trend by quarter
The six functionsRun in-scope outcomes as owned controls; let Stacks and the CIS cross-map supply the operational answers; attach evidence on cadence, inventories, MFA reports, restore tests, triage records, vendor reviews, training exports.Outcome status history · cross-map justifications · the evidence library, organized per category
The programQuarterly re-profile with the wheel chart trend; risk register fed by gaps and incidents (ID.RA/ID.IM); the GV.OV review run from the dashboard with minutes captured; annual IR tabletop looped into improvement.Quarterly wheel charts · risk register with treatments · review minutes · tabletop closure records
The springboardWhen CIS, 800-171, ISO, SOC 2, or a regulated rule lands, adopt it in the same tenant, cross-mapping pre-fills everything the profile already satisfies and isolates the genuine delta for quoting.Cross-map coverage reports · per-framework gap lists · the "your profile already organizes this" sales artifact

For Your Own MSP as Client Zero

A realistic first-90-days arc

  1. W1-2

    Decide & write

    Tier 3 target set · GV writing week: context, risk strategy, roles · workspace live · stack declared.

  2. W3-6

    Profile & approve

    Current Profile scored across all 22 categories (Stacks + CIS cross-map accelerated) · Target Profile approved by leadership.

  3. W7-10

    Fund & operationalize

    Gap plan funded and in flight · policy set and vendor program live with attestations · cadences running as tasks.

  4. W11-13

    Review & clone

    First GV.OV review chaired by the owner with the wheel chart · profile summary published · tenant cloned as the client template · first pilot scoped.

Take Action

Your 10-point NIST CSF 2.0 quick-start checklist

1

Download CSF 2.0 and decide

Free from NIST, with its Quick Start Guides and online reference tool, and make the leadership decision: your MSP profiles itself first, targeting Tier 3.

2

Run the GV writing week

Organizational context, risk appetite, roles, policy: the strategy you've been running implicitly, finally on paper.

3

Build the Current Profile honestly

Across all 22 categories, with evidence noted, Stacks and the CIS cross-map pre-answer the operational half.

4

Set the Target Profile deliberately

Leadership decides, risk, obligations, and customers driving, with Community Profiles checked first for a head start.

5

Turn the gap into the plan

The current→target delta becomes a funded, dated action plan, writing-week items first, projects second, owners on everything.

6

Stand up GV.SC like it matters

Like your business depends on it, because your clients' supply-chain programs will assess your MSP by name.

7

Run the quarterly GV.OV review

With the owner in the chair every quarter: the wheel chart trend, closed gaps, open risks, and next quarter's targets.

8

Clone the tenant, launch the offer

Make the finished tenant your master client template; then launch the CSF Posture Assessment as your executive-level entry offering.

9

Deliver with two-language discipline

Talk CSF in the boardroom and do CIS in the stack, one program, two languages, zero duplicate work.

10

Use the profile as the springboard

When CMMC, ISO, SOC 2, or a regulated rule lands, cross-map first and quote only the genuine delta.

This guide is provided for general educational purposes and reflects the NIST Cybersecurity Framework 2.0 (February 2024) as commonly understood at time of publication. The CSF is developed and maintained by the U.S. National Institute of Standards and Technology and is free to download from nist.gov, consult the official publication, Implementation Examples, and Informative References for authoritative outcome text, and verify counts against the current release before relying on them in client deliverables. Companion guides in this series: CIS Controls v8.1, HIPAA, PCI DSS, CMMC, FTC Safeguards (GLBA), SOC 2, ISO/IEC 27001, and the CaaS Build Guide.

ControlMap

ControlMap by ScalePad

Build your common language on ControlMap

One CSF profile per client, CIS safeguards and every regulated framework cross-mapped underneath, see how MSPs run it multi-tenant in ControlMap.