The NIST Cybersecurity Framework version 2.0, released in February 2024, is the most-adopted cybersecurity organizing structure in US enterprises and federal agencies. Version 2.0 expanded the prior five functions (Identify, Protect, Detect, Respond, Recover) by adding Govern as a sixth function that explicitly covers organizational context, risk strategy, supply chain, and oversight. The Govern function answers the auditor's question, 'who decided this control was sufficient, and how is that decision reviewed?', which the prior five-function model implied but did not name.
Each function decomposes into categories and subcategories. Govern, for instance, contains six categories: Organizational Context; Risk Management Strategy; Cybersecurity Supply Chain Risk Management; Roles, Responsibilities, and Authorities; Policy; and Oversight. Each subcategory is a one-sentence outcome statement (for example, GV.OC-01: 'The organizational mission is understood and informs cybersecurity risk management'). The framework deliberately stops at outcomes; it does not specify the controls that produce the outcome, because the appropriate controls depend on the organization's size, sector, and risk profile.
That is why the CSF needs a control catalog. NIST SP 800-53 Revision 5 (Joint Task Force 2020) is the canonical US Government control catalog with roughly 1,000 controls organized into 20 control families (AC Access Control, AU Audit and Accountability, AT Awareness and Training, and so on). The CSF maps each subcategory to one or more SP 800-53 controls; the SP 800-53 controls map to the implementations a GRC analyst will write narratives for. Together they form the operational pair: CSF tells you what outcome to produce; SP 800-53 tells you which controls produce it.
Key takeaways
- NIST CSF v2.0 (2024) has six functions: Govern, Identify, Protect, Detect, Respond, Recover. Govern was added in v2.0 and covers oversight, supply chain, and risk strategy.
- The CSF stops at outcome statements; control implementations come from a catalog like NIST SP 800-53 Rev. 5.
- The CSF and SP 800-53 are a pair: framework tells you the outcome, catalog tells you the controls.
Sources
- National Institute of Standards and Technology (2024). Cybersecurity Framework (CSF) 2.0. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.29
- Joint Task Force (2020). Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev. 5). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-53r5