5 Steps to Greater Security with NIST CSF 2.0

This guide helps provide a roadmap to using NIST CSF to drive greater cybersecurity maturity in control systems.


NIST released Version 2.0 of the NIST Cybersecurity Framework (CSF) in February 2024. The original NIST CSF gained significant traction after its release in February 2014, and Version 1.1 (2018) added important new elements to help companies continue to advance their cybersecurity practices.

Version 2.0 goes a step further, putting more weight on governance and on measuring the effectiveness of cybersecurity activities. This version incorporates the following updates:

  • A new Govern function that emphasizes cybersecurity risk management governance outcomes
  • Expanded guidance on supply chain risk management (the GV.SC category) and on measuring cybersecurity outcomes
  • New templates for creating Organizational Profiles
  • Better integration with broader enterprise risk management

This guide will provide you with a roadmap to using NIST CSF to help drive greater cybersecurity maturity in control systems.

NIST-Based Approach Framework

NIST CSF 2.0 adds a sixth function, Govern, that those working in operational risk management must now account for. Here are the six CSF 2.0 functions.

NIST CSF Framework 2.0 Functions

Govern

The Govern function establishes, communicates, and monitors the organization’s cybersecurity risk management strategy, expectations, and policies.

  • What it does: Helps organizations decide which cybersecurity actions to prioritize based on their goals and stakeholder needs.
  • Why it matters: It’s critical to incorporate cybersecurity into an organization’s broader enterprise risk management (ERM) strategy.

Identify

The Identify function builds an understanding of the organization’s current cybersecurity risks.

  • What it does: Helps organizations understand their vulnerabilities and opportunities for improvement across policies, plans, and procedures that affect the remaining functions.
  • Why it matters: Knowledge of the organization’s assets, suppliers, and cybersecurity risk helps prioritize efforts identified under the Govern function.

Protect

The Protect function applies safeguards to manage the organization’s cybersecurity risks.

  • What it does: Covers outcomes for identity management, authentication and access control, awareness and training, data security, platform security, and technology infrastructure resilience.
  • Why it matters: Securing identified and prioritized assets can help lower the chance and impact of cybersecurity attacks.

Detect

The Detect function finds and analyzes possible cybersecurity attacks.

  • What it does: Identifies and examines indicators of compromise, adverse events, and anomalies that can point to an ongoing cyberattack.
  • Why it matters: It supports an organization’s successful response and recovery efforts and can lessen the adverse effects of a cyberattack.

Respond

The Respond function takes action on a detected cybersecurity incident.

  • What it does: Provides incident management, analysis, mitigation, reporting, and communication outcomes.
  • Why it matters: It supports the ability to contain the effects of the cybersecurity incident.

Recover

The Recover function restores affected operations and assets.

  • What it does: Restores affected assets and operations, captures lessons learned from the incident, and updates plans to help reduce the likelihood and impact of future incidents.
  • Why it matters: It helps organizations minimize the impact of a cybersecurity incident, get back to normal more quickly, and meet compliance requirements.

Profiles and Tiers

NIST CSF 2.0 also uses Profiles and Tiers so that organizations can understand and improve their cybersecurity posture. A Profile describes an organization’s cybersecurity outcomes, organized by the six functions (Govern, Identify, Protect, Detect, Respond, and Recover) and their categories and subcategories. A Current Profile documents the outcomes the organization achieves today; a Target Profile documents the outcomes it wants to achieve, shaped by its mission, risks, and stakeholder expectations. Comparing the two yields the gaps that drive the roadmap.

[Figure: maturity journey across the NIST Cybersecurity Framework]

Tiers characterize how rigorously an organization governs and manages cybersecurity risk, show how the organization is doing, and identify opportunities for improvement. They range from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive). NIST is careful to note that Tiers are not a maturity model in themselves, but they serve the same practical purpose here. Tiers can inform profile development by

  • Providing context for how an organization manages risk
  • Helping prioritize actions to achieve target outcomes within the functions

Common NIST CSF Implementation Challenges

Integrating NIST CSF in your organization may come with several challenges during the implementation phase, including:

  • Resource limitations such as qualified personnel, finances, and time
  • Lack of existing cybersecurity infrastructure or expertise
  • Staff resistance to the changes
  • Keeping up with the latest cyber threats
  • Finding time to continuously monitor and update the practices

Read the five steps below to help your organization succeed and achieve NIST CSF maturity.

5 Steps to Greater Security Maturity with NIST CSF

Step 1: Rapid Assessment

The first step in following the NIST CSF is to establish a robust—but rapid—assessment of your current status. The key to gaining momentum is to conduct a rapid assessment within 60–90 days across the organization. This rapid assessment process helps provide enough detail to build an initial maturity roadmap and to enable the company to progress. It is not intended to diagnose every threat pathway or endpoint vulnerability.

The rapid assessment should provide input on the cybersecurity baseline on people, processes, policies, and technology. It typically encompasses the following:

  • Agreement on the Tiers and Target Profile your company will use to define its stages of maturity.
  • Brief surveys (fewer than 50 questions) sent to key personnel in the organization, plus targeted interviews to round out the quantitative survey results.
  • A supply chain risk management (SCRM) assessment to identify critical suppliers, the access they hold, and their security practices. You can complete this through a brief questionnaire or supplier certifications.
  • Endpoint and network information gathered directly from systems to assess patch levels, configurations, user accounts, network exposure, and other weaknesses.
  • A prioritized risk list mapped against a standard control framework such as defense in depth or the CIS Critical Security Controls (18 controls in v8).

Step 2: Target Maturity Roadmap

[Figure: OT cybersecurity roadmap with layered defenses evolving over time]

The assessment provides the baseline starting point. The critical next step is to lay out your company’s cybersecurity maturity aspiration based on its specific business needs, regulatory requirements, and similar drivers, and then build a robust roadmap from a portfolio of initiatives across process development, technology deployment, and training and awareness.

To develop a successful roadmap, the following should be considered:

  • Alignment with risk management strategy: The roadmap must directly support your organization’s overall risk management strategy and clearly articulate how each initiative aligns with reducing your risk profile.
  • Sequence of initiatives/foundational elements: Certain initiatives are prerequisites of others. For instance, having a complete and detailed hardware and software (OS, firmware, application software, configurations, ports, services, etc.) inventory is a requirement to harden configurations and many other CSF categories.
  • Prioritization based on business needs, risk, and budgets: Based on the assessment, specific initiatives will rise in priority because they pose the greatest threat to business operations. The assessment should provide the core information necessary to prioritize the greatest risk to the organization. Obviously, this needs to be balanced against overall budgetary constraints.
  • Measurement and tracking: In parallel to any defensive or detective initiatives, the organization should be able to track and measure progress.
  • Integrating technology, people, and process: Implementing technology without the people or processes to support it will lead to wasted investments. Similarly, without technology, the procedures the company may develop may be too onerous to provide much insight into the cybersecurity situation.
  • Integrating platform (or “glue”): Over time, the number of initiatives, technology, and procedures will grow. Without careful consideration of investment in the overarching platform or glue that ties these pieces together, the program may become overwhelming.

Put another way, the portfolio of initiatives is executed cyclically across multiple discrete projects and budgets. The objective is to move from a basic level of protection through higher levels of sophistication, and eventually to shift from reactive to proactive monitoring and detection, as depicted in the maturity cycle.

[Figure: security monitoring maturity curve advancing from basic to proactive defense]

Maturity Cycle

It is important to note that the maturity cycle is just a general intended pattern toward a more robust security program. The specific tasks, the order they are executed and the time frame across which they are deployed have to be tied to the specific risks and objectives of the individual organization.

Step 3: Execute Foundational Initiatives

As highlighted above, every program should have a set of foundational initiatives necessary to enable the broader program. These initiatives should provide some rapid impact on security while also providing baseline capabilities.

This first “wave” of initiatives should be items that can be achieved within 90 days to demonstrate progress as well as allow for rapid movement to additional elements. These initiatives will include both “informational” or “baselining” initiatives as well as the first wave of “remediation” or “hardening” activities. The baselining-type of activities would include hardware and software inventory, configuration baselines, firewall rule maps, etc. The remediation-type activities would likely include software removal, hardening of baselines, or initial segmentation.

These initiatives normally have “corporate” and “site-level” components. In geographically dispersed organizations, the site-level components are piloted at roughly 3-5 sites chosen to represent a range of locations. The foundational initiatives are rolled out at these sites first, and they act as “lead dogs” that stay ahead of the pack in implementing greater levels of maturity over time.

This first phase of execution will likely include several key elements:

  • Central components such as policies on sensitive data or password standards, procedures such as management of change or patching, and technology such as a central reporting functionality.
  • Site-level components such as asset inventory, configuration baselines, and network design/ segmentation reviews.
  • Establishing key decision points such as which controls will not apply to certain assets, decision-making on risk-reward or cost-benefit trade-offs, and rules for “technical feasibility exceptions” where devices such as PLCs or older HMIs may not be able to meet control standards and will require some form of compensating controls.
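The site-level baselining described above (asset inventory and configuration baselines) only pays off if the baseline is then checked against what the site actually looks like later. The following is an added example, not Rockwell Automation’s code or tooling: it compares a constructed approved baseline for a pilot cell (firmware, listening ports, services, zone per asset) with a constructed later observation and reports drift, ranking it by severity. The asset names, the port policy and both data sets are made up for illustration; in practice the observed records would come from an asset-inventory tool or scripted device queries.

```python
"""Configuration-baseline drift check for a pilot site's OT assets.

Added example, not Rockwell Automation's code. Both the approved baseline
and the later observation are constructed inline; in practice the observed
records would come from an asset-inventory tool or scripted device queries.
"""
from dataclasses import dataclass

# Constructed baseline captured during the baselining wave: approved firmware,
# listening ports, services and network zone per asset.
BASELINE = {
    "PLC-01": {"type": "controller", "firmware": "21.011", "zone": "L1-cell-A",
               "ports": {44818, 2222}, "services": {"cip", "eip"}},
    "HMI-01": {"type": "hmi", "firmware": "12.00", "zone": "L2-cell-A",
               "ports": {80, 443, 3389}, "services": {"http", "https", "rdp"}},
    "ENG-WS": {"type": "workstation", "firmware": "n/a", "zone": "L3",
               "ports": {3389, 445}, "services": {"rdp", "smb"}},
}

# Constructed observation from a later scan of the same site.
OBSERVED = {
    "PLC-01": {"type": "controller", "firmware": "21.011", "zone": "L1-cell-A",
               "ports": {44818, 2222, 80}, "services": {"cip", "eip", "http"}},
    "HMI-01": {"type": "hmi", "firmware": "12.01", "zone": "L2-cell-A",
               "ports": {80, 443, 3389}, "services": {"http", "https", "rdp"}},
    "PLC-02": {"type": "controller", "firmware": "20.011", "zone": "L1-cell-A",
               "ports": {44818}, "services": {"cip"}},
}

# Constructed policy: cleartext management ports are never allowed on controllers.
DISALLOWED_ON_CONTROLLERS = {21, 23, 80}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    asset: str
    kind: str      # new_asset, missing_asset, firmware_change, zone_change, port_added, port_removed, service_added
    detail: str
    severity: str  # high, medium, low


def diff_asset(name: str, base: dict, obs: dict) -> list[Finding]:
    """Compare one asset's observed state with its baseline record."""
    findings = []
    if base["firmware"] != obs["firmware"]:
        findings.append(Finding(name, "firmware_change", f"{base['firmware']} -> {obs['firmware']}", "medium"))
    if base["zone"] != obs["zone"]:
        findings.append(Finding(name, "zone_change", f"{base['zone']} -> {obs['zone']}", "high"))
    for port in sorted(obs["ports"] - base["ports"]):
        bad = obs["type"] == "controller" and port in DISALLOWED_ON_CONTROLLERS
        findings.append(Finding(name, "port_added", f"tcp/{port} now listening", "high" if bad else "medium"))
    for port in sorted(base["ports"] - obs["ports"]):
        findings.append(Finding(name, "port_removed", f"tcp/{port} no longer listening", "low"))
    for svc in sorted(obs["services"] - base["services"]):
        findings.append(Finding(name, "service_added", svc, "medium"))
    return findings


def check_drift(baseline: dict, observed: dict) -> list[Finding]:
    """Return all drift findings for the site, highest severity first."""
    findings = []
    for name in observed.keys() - baseline.keys():
        findings.append(Finding(name, "new_asset", "not in approved inventory", "high"))
    for name in baseline.keys() - observed.keys():
        findings.append(Finding(name, "missing_asset", "in inventory but not observed", "medium"))
    for name in baseline.keys() & observed.keys():
        findings.extend(diff_asset(name, baseline[name], observed[name]))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.asset, f.kind))


if __name__ == "__main__":
    for f in check_drift(BASELINE, OBSERVED):
        print(f"{f.severity:6} {f.asset:7} {f.kind:16} {f.detail}")
```

Two design points matter for an OT site. An asset that appears without being in the approved inventory is treated as high severity on its own, because an unknown device on a cell network is exactly what the inventory initiative exists to catch. And a newly opened port is judged against the device type and a policy list, not just against the baseline, so that a cleartext web interface appearing on a controller is ranked above the same port appearing on a workstation. Ports that disappear are recorded but kept at low severity, since they usually reflect hardening work rather than compromise.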

Foundational initiatives can strengthen supply chain risk management efforts (SCRM) through:

  • Secure software development practices, like vulnerability scanning and code reviews, to reduce the risk of introducing vulnerabilities into your system from third parties.
  • Requiring software bills of materials (SBOMs) from your vendors to provide visibility into the components within your software. This enables you to identify and address vulnerabilities inherited from third parties quickly.
  • Configuration baselines for your organization and vendor systems to confirm that third-party systems meet your security requirements.
  • Regular scanning and patching to improve your overall security and reduce entryways for threat actors.
  • Integrating supply chain into your incident response plan to address cyber incidents that extend from third-party vendors.

Step 4: Build on Foundation

Under version 1.1, most organizations at this stage rolled out proven tool sets to additional sites and embarked on second or third phases of security tool and procedure design, testing, and deployment to build a rich, multi-layered security program.

Organizations that implement NIST CSF 2.0 are more than likely in the refining, building depth, and maturing phases. Keep the following in mind as you continue to scale your security program with additional processes and technologies:

  • Automate routine tasks where possible.
  • Continue to iterate and optimize for process improvement.
  • Maintain a thorough integration framework for new infrastructure.
  • Confirm that your employees are up to speed on the latest training.
  • Regularly update priorities based on risks and business needs.

Step 5: Monitor, Measure, and Improve

[Figure: bar chart comparing initial and improved OT maturity across the NIST CSF functions]

A robust monitoring and measurement program is critical to a successful NIST CSF 2.0 implementation. Like all things in management, inspection and tracking of progress is critical to improvement.

Companies often forget about these measurement and tracking components until they complete steps 1-4. The resources, tools, and budgets for ongoing monitoring and measurement should be considered upfront. The measurement provides a status report and enables course correction as the initiatives are executed. The roadmap will certainly evolve over time, and measuring progress and issues as it proceeds is critical to intelligent evolution.

Metrics and dashboards make it easy to provide a visual representation of a program’s status and how it performs against key objectives. Every metric should align with outcomes in the roadmap and be tied to each NIST CSF 2.0 function. Your dashboards should be digestible and high-level enough for key stakeholders.

Measurement efforts tie back into the Govern function because they are about aligning with your organization’s goals and embracing data-driven decision-making. Based on your measurements, you can celebrate progress, identify areas for improvement, and monitor prioritized risks.
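The Profiles and Tiers section describes comparing a Current Profile with a Target Profile, Step 3 mentions “technical feasibility exceptions” with compensating controls, and Step 5 asks for metrics tied to each CSF function. One small piece of code can serve all three. The following is an added example, not Rockwell Automation’s code or a NIST tool: it takes a constructed assessment scored per CSF 2.0 subcategory (the subcategory IDs such as GV.SC-01 and DE.CM-01 are real CSF 2.0 identifiers; the 0 to 4 scoring scale, the scores and the exception note are made up for illustration), computes attainment per function, and produces a prioritized gap list that skips documented exceptions and works the weakest function first.

```python
"""Current-vs-Target Profile gap analysis per NIST CSF 2.0 function.

Added example, not Rockwell Automation's code or a NIST tool. The assessment
data below is constructed; the subcategory IDs are CSF 2.0 identifiers, while
the 0-4 outcome scale and the scores are assumptions for illustration.
"""
FUNCTION_NAMES = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
                  "DE": "Detect", "RS": "Respond", "RC": "Recover"}
MAX_SCORE = 4  # constructed per-outcome scale: 0 = not implemented ... 4 = adaptive

# Constructed assessment: subcategory -> current and target score. An "exception"
# records a technical-feasibility exception with its compensating control.
ASSESSMENT = {
    "GV.OC-01": {"current": 3, "target": 3},
    "GV.RM-01": {"current": 2, "target": 3},
    "GV.SC-01": {"current": 1, "target": 3},
    "ID.AM-01": {"current": 1, "target": 3},
    "ID.AM-02": {"current": 1, "target": 3},
    "ID.RA-01": {"current": 2, "target": 3},
    "PR.AA-01": {"current": 1, "target": 3,
                 "exception": "legacy PLCs cannot enforce per-user authentication; "
                              "compensating control: segmented cell zone plus engineering jump host"},
    "PR.PS-01": {"current": 2, "target": 3},
    "PR.IR-01": {"current": 2, "target": 3},
    "DE.CM-01": {"current": 0, "target": 2},
    "DE.AE-02": {"current": 1, "target": 2},
    "RS.MA-01": {"current": 2, "target": 3},
    "RC.RP-01": {"current": 1, "target": 2},
}


def function_of(subcat: str) -> str:
    """Map a subcategory ID such as 'DE.CM-01' to its function name."""
    prefix = subcat.split(".", 1)[0]
    if prefix not in FUNCTION_NAMES:
        raise ValueError(f"unknown CSF function prefix in {subcat!r}")
    return FUNCTION_NAMES[prefix]


def gap_report(assessment: dict) -> dict:
    """Per-function attainment (sum of current / sum of target), exceptions and gaps.

    A documented exception counts as meeting its target for scoring, so the
    compensating control is credited, but it is listed separately for review.
    """
    report = {name: {"outcomes": 0, "current_sum": 0, "target_sum": 0,
                     "exceptions": [], "gaps": []} for name in FUNCTION_NAMES.values()}
    for subcat, entry in assessment.items():
        fn = report[function_of(subcat)]
        current, target = entry["current"], entry["target"]
        if not (0 <= current <= MAX_SCORE and 0 <= target <= MAX_SCORE):
            raise ValueError(f"score out of range for {subcat}")
        fn["outcomes"] += 1
        fn["target_sum"] += target
        if "exception" in entry:
            fn["exceptions"].append(subcat)
            fn["current_sum"] += target
            continue
        fn["current_sum"] += min(current, target)  # exceeding target earns no extra credit
        if target > current:
            fn["gaps"].append((subcat, target - current))
    for fn in report.values():
        fn["attainment"] = fn["current_sum"] / fn["target_sum"] if fn["target_sum"] else 1.0
        fn["gaps"].sort(key=lambda g: -g[1])
    return report


def prioritize(assessment: dict, top: int = 5) -> list[tuple[str, int]]:
    """Largest gaps first; ties go to the function with the lowest attainment."""
    ranked = []
    for fn in gap_report(assessment).values():
        for subcat, gap in fn["gaps"]:
            ranked.append((subcat, gap, fn["attainment"]))
    ranked.sort(key=lambda r: (-r[1], r[2], r[0]))
    return [(subcat, gap) for subcat, gap, _ in ranked[:top]]


if __name__ == "__main__":
    for name, fn in gap_report(ASSESSMENT).items():
        print(f"{name:9} attainment={fn['attainment']:.0%} outcomes={fn['outcomes']} "
              f"exceptions={fn['exceptions']}")
    print("priorities:", prioritize(ASSESSMENT))
```

Two choices here reflect the text. Exceptions are credited as met, so a compensating control does not keep showing up as an open gap, but they are reported on their own line so the decision stays visible to the governance review rather than disappearing into a green number. And the prioritization breaks ties toward the function with the lowest overall attainment, which on the constructed data surfaces network monitoring (DE.CM-01) ahead of the supply chain gap (GV.SC-01) even though both are two points short. The per-function attainment figures are the kind of high-level number a stakeholder dashboard can carry; the gap list is what the roadmap owner works from.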

Conclusion

Bottom line: Cybersecurity maturity is a journey, not a destination. The key to a successful program will be its ability to continually improve the maturity level over time as new risks are identified and new solutions are developed. The roadmap described above should be a living document. The foundational elements and “glue” that integrate the information and tools together should enable the maturity levels to grow over time.

Watch our six-part webinar series to strengthen your knowledge on how the NIST framework can help from identifying threats through recovery.


Published June 11, 2025

Topics: Build Resilience
