The NIST Cybersecurity Framework is the most widely referenced security framework in the United States. It's also one of the most frequently misapplied.
Organizations cite NIST CSF alignment in board presentations, compliance documentation, and vendor questionnaire responses. What that alignment actually means — what controls are implemented, what evidence exists, what deliverables a provider is producing against each function — varies enormously.
For mid-market companies evaluating cybersecurity providers, the question isn't whether a provider claims NIST CSF alignment. It's whether they can demonstrate what they deliver against each function, what documentation those deliverables produce, and how that output connects to your compliance obligations, cyber insurance requirements, and business risk profile.
This guide walks through each NIST CSF 2.0 function, what a provider should actually be delivering against it, and how to evaluate whether a provider's NIST CSF capability is substantive or cosmetic.
Why NIST CSF 2.0 Matters More Than Its Predecessors
NIST CSF 2.0, released in February 2024, made one structural change that significantly affects how mid-market companies should think about provider selection: it added a sixth core function — Govern — to the original five.
The original framework covered Identify, Protect, Detect, Respond, and Recover. Each function addressed technical and operational security requirements. What the original framework didn't explicitly address was the organizational infrastructure — risk management strategy, policy development, accountability structures, supply chain risk management — that makes the technical controls coherent and sustainable.
The Govern function exists because NIST recognized that organizations were implementing security tools without the governance layer that makes those tools defensible. A provider that claims NIST CSF 2.0 alignment must now address governance explicitly — not just technical operations.
This matters for mid-market companies because governance is exactly where the gap between IT support and security program leadership shows up. Tools implement the Protect, Detect, Respond, and Recover functions. Leadership implements the Govern and Identify functions. Providers that deliver only tools are delivering half a framework.
NIST CSF 2.0 also explicitly applies to organizations of all sizes — not just critical infrastructure operators. The 2.0 update removed the critical infrastructure framing that had led some mid-market companies to treat the framework as aspirational rather than applicable.
Function 1: Govern
What the function requires: The Govern function establishes organizational context for cybersecurity — risk management strategy, organizational accountability, policy framework, supply chain risk management, and alignment between cybersecurity decisions and business objectives.
Specific requirements include: a documented cybersecurity risk management strategy, defined roles and responsibilities for cybersecurity across the organization, a policy framework covering security expectations for all organizational functions, and supply chain risk management processes for vendors and partners.
What a provider should deliver:
A documented risk register identifying your organization's specific threat profile, existing control gaps, and risk prioritization based on business impact. This isn't a generic template — it reflects your actual environment, your industry's threat landscape, and your specific compliance obligations.
A security policy framework aligned to your applicable requirements — HIPAA, CMMC, FTC Safeguards, Ohio Safe Harbor, or cyber insurance — covering access control, incident response, data handling, vendor management, and acceptable use. Policies that are updated when your environment changes, not filed and forgotten.
Defined security roles and responsibilities — who owns what in your security program, what decisions require leadership involvement, and how security accountability flows through your organization.
A vendor risk management process — identifying which vendors carry significant security risk, what assessments or attestations you require from them, and how you handle vendor changes.
What this produces: Risk register, security policy framework, RACI documentation for security responsibilities, vendor risk inventory, and a security roadmap connecting risk priorities to remediation timelines.
If a provider claims NIST CSF alignment but can't produce these specific Govern function outputs for your organization, their alignment is cosmetic.
Function 2: Identify
What the function requires: The Identify function develops organizational understanding of assets, risks, and vulnerabilities — creating the foundation for all subsequent security decisions.
Specific requirements include: comprehensive asset inventory covering hardware, software, data, and third-party dependencies; business environment context connecting security priorities to business processes; risk assessment identifying threats and vulnerabilities specific to your environment; and improvement processes measuring security program effectiveness over time.
What a provider should deliver:
A complete asset inventory — not just managed devices, but all hardware connected to your network, all software running in your environment, all cloud services and SaaS applications, and all third parties with system access. The inventory should be maintained continuously, not produced once at engagement start and left to drift.
An annual risk assessment that evaluates your threat profile against your current controls, identifies gaps, and produces a written output that satisfies both NIST CSF Identify requirements and the risk analysis requirements of HIPAA § 164.308(a)(1), CMMC, and FTC Safeguards simultaneously.
Ongoing measurement — metrics showing how your security posture is improving over time, what risks have been reduced, and what gaps remain open. Without measurement, a security program can't demonstrate continuous improvement to auditors or underwriters.
What this produces: Asset inventory, annual risk assessment report, risk register with priority rankings, and security posture metrics for executive reporting.
Function 3: Protect
What the function requires: The Protect function implements safeguards to limit the impact of cybersecurity events — access controls, security awareness training, data security, technology infrastructure protection, and platform security.
Specific requirements include: identity management and access control, security awareness training, data security measures including encryption and data handling procedures, technology infrastructure protection including endpoint security and network controls, and platform security covering cloud and application environments.
What a provider should deliver:
Identity management with MFA enforcement across all systems accessing sensitive data. Role-based access control with regular access reviews. Privileged access management for administrative accounts. Automated provisioning and deprovisioning tied to HR processes.
Security awareness training with measurable completion rates and phishing simulation programs. Cyber insurance underwriters require annual training for all employees with documented completion rates — training that can't be documented doesn't satisfy this requirement.
Endpoint detection and response across 100% of managed endpoints with active monitoring. Network segmentation isolating critical systems. Email security with anti-phishing controls and DMARC/DKIM/SPF configuration.
Data encryption for sensitive data at rest and in transit. Data classification and handling procedures aligned to your compliance obligations.
What this produces: MFA coverage reports, access review records, training completion metrics, phishing simulation results, EDR deployment and coverage reports, network architecture documentation, and encryption configuration records.
Function 4: Detect
What the function requires: The Detect function enables timely discovery and analysis of cybersecurity events — continuous monitoring, anomaly detection, and adverse event analysis.
Specific requirements include: continuous monitoring of systems, networks, and personnel activities; anomaly and event detection; and adverse event analysis to understand what happened and its potential impact.
What a provider should deliver:
24/7 monitoring of your environment — not business-hours monitoring with overnight alerting. System intrusion surged from 36% to 53% of all breaches in 2025 per the Verizon DBIR. Attacks timed for after-hours require after-hours detection capability.
SIEM-based log collection and correlation across endpoints, identity systems, network infrastructure, and cloud platforms. Alert triage with human analyst review — not just automated alerting to an email inbox.
Industry-specific (for example, healthcare) or environment-specific detection logic tuned to your threat profile. Generic detection rules produce noise; tuned detection rules produce signal.
Regular threat hunting — proactive investigation for indicators of compromise that automated detection may miss.
Mean time to detect metrics measured and reported. If your provider isn't measuring MTTD, they're not managing detection performance.
What this produces: Monitoring coverage documentation, alert log records with response times, MTTD and MTTR metrics, threat hunting activity records, and monthly detection performance reports.
Function 5: Respond
What the function requires: The Respond function enables action on detected cybersecurity incidents — incident management, analysis, mitigation, reporting, and improvement.
Specific requirements include: incident response plan execution, incident analysis determining impact and scope, incident mitigation containing and eradicating threats, incident reporting to appropriate stakeholders, and improvements based on incident lessons learned.
What a provider should deliver:
A written incident response plan covering roles, escalation paths, severity tiers, containment procedures, notification timelines, and evidence preservation. The plan must align to your compliance framework's specific requirements — HIPAA's four-factor breach determination, CMMC's incident response family, FTC Safeguards' 30-day notification requirement.
Annual tabletop exercises with documented scenarios, participants, decisions, gaps identified, and remediation items tracked to closure. Cyber insurance underwriters require evidence of testing — not just that a plan exists.
Incident response execution capability — when an incident occurs, the provider can contain and eradicate the threat, preserve forensic evidence, and support the notification process within your policy's required timeline.
Post-incident reviews that translate incident lessons into program improvements. A security program that doesn't learn from incidents isn't improving.
What this produces: Written IR plan, tabletop exercise documentation, incident response records for any events during the year, and post-incident review reports.
Function 6: Recover
What the function requires: The Recover function enables restoration of assets and systems — recovery planning, improvement based on recovery lessons, and recovery communications.
Specific requirements include: recovery plan execution, improvement of recovery planning based on lessons learned, and communications during and after recovery activities.
What a provider should deliver:
Documented recovery plans for critical systems — what gets restored first, in what order, from what backup source, with what dependencies. For healthcare organizations, which clinical systems take priority. For manufacturers, which production systems are most critical to operational continuity.
Immutable or offline backup management with tested restoration capability. 93% of companies experiencing prolonged data loss go bankrupt. Untested recovery plans are not recovery plans.
Recovery time and recovery point objectives documented and tested. RTO and RPO commitments should be based on actual restoration test performance, not vendor estimates.
Recovery communications — who gets notified when, what they're told, and what your public-facing response looks like. For regulated industries, this includes regulatory notification timelines.
What this produces: Recovery plan documentation, backup testing records with restoration outcomes, RTO/RPO documentation, and recovery communication templates.
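The check behind "RTO and RPO commitments should be based on actual restoration test performance" can be made mechanical. The following is an added example, not code from the original page or from any provider: it compares documented RTO/RPO commitments against the most recent restoration test per system, flags systems with no test evidence as untested, and uses the age of the restored backup at restore start as a stand-in for achieved RPO (an assumption; the sample systems, commitments and timestamps are constructed).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class RestoreTest:
    system: str
    backup_taken: datetime      # timestamp of the backup image that was restored
    restore_started: datetime
    restore_finished: datetime  # when the restored system was verified usable

@dataclass
class Commitment:
    system: str
    rto: timedelta              # documented recovery time objective
    rpo: timedelta              # documented recovery point objective
    priority: int               # restoration order, 1 restores first

def evaluate_recovery(commitments, tests):
    """Map each system (in restoration order) to 'untested', 'meets', or a note naming the missed objective."""
    latest = {}
    for t in tests:  # keep only the most recent test per system
        if t.system not in latest or t.restore_finished > latest[t.system].restore_finished:
            latest[t.system] = t
    results = {}
    for c in sorted(commitments, key=lambda c: c.priority):
        t = latest.get(c.system)
        if t is None:
            results[c.system] = "untested"  # no test evidence, so no defensible RTO/RPO
            continue
        achieved_rto = t.restore_finished - t.restore_started
        achieved_rpo = t.restore_started - t.backup_taken  # proxy: backup age at restore start
        misses = []
        if achieved_rto > c.rto:
            misses.append(f"RTO {achieved_rto} > {c.rto}")
        if achieved_rpo > c.rpo:
            misses.append(f"RPO {achieved_rpo} > {c.rpo}")
        results[c.system] = "meets" if not misses else "; ".join(misses)
    return results

# Constructed sample data (hypothetical systems, not from any real program).
COMMITMENTS = [
    Commitment("ehr", timedelta(hours=4), timedelta(hours=1), 1),
    Commitment("file-server", timedelta(hours=8), timedelta(hours=24), 2),
    Commitment("intranet", timedelta(hours=24), timedelta(hours=24), 3),
]
T0 = datetime(2025, 3, 1, 22, 0)
TESTS = [
    RestoreTest("ehr", T0 - timedelta(minutes=30), T0, T0 + timedelta(hours=6)),
    RestoreTest("file-server", T0 - timedelta(hours=2), T0, T0 + timedelta(hours=3)),
]
```

With the sample data, `evaluate_recovery(COMMITMENTS, TESTS)` reports the EHR system missing its 4-hour RTO, the file server meeting both objectives, and the intranet as untested, which is exactly the evidence a documented RTO/RPO table should be able to cite.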
The NIST CSF Deliverable Matrix
| Function | Key Deliverables | Compliance Frameworks Satisfied |
|---|---|---|
| Govern | Risk register, policy framework, vendor inventory | HIPAA, CMMC, FTC Safeguards, Ohio Safe Harbor, Cyber Insurance |
| Identify | Asset inventory, risk assessment, posture metrics | HIPAA § 164.308(a)(1), CMMC RA family, NIST CSF |
| Protect | MFA reports, EDR coverage, training completion | All frameworks, Cyber Insurance |
| Detect | Monitoring records, MTTD metrics, alert logs | HIPAA § 164.312(b), CMMC AU family |
| Respond | IR plan, tabletop documentation, incident records | HIPAA § 164.308(a)(6), CMMC IR family, Cyber Insurance |
| Recover | Recovery plans, backup testing, RTO/RPO records | HIPAA § 164.308(a)(7), Cyber Insurance |
Where Securafy Fits
Securafy delivers NIST CSF 2.0-aligned security programs for mid-market companies across the United States with a core focus on Ohio. The delivery model maps each function to specific operational outputs:
Govern — NIST-aligned risk assessment and risk register, security policy framework development and maintenance, vendor risk management program, and security roadmap with prioritized remediation timelines.
Identify — Continuous asset inventory management, annual risk assessment satisfying HIPAA, CMMC, and cyber insurance requirements simultaneously, and security posture metrics for executive reporting.
Protect — MFA enforcement and coverage reporting, managed EDR with 24/7 monitoring, email security with anti-phishing controls, security awareness training with phishing simulation and completion tracking.
Detect — 24/7 SOC monitoring with SIEM-based detection, healthcare and industry-specific detection logic, continuous alert review, and MTTD/MTTR reporting.
Respond — IR plan development aligned to applicable compliance frameworks, annual tabletop exercise facilitation with documented outcomes, and incident response execution capability.
Recover — Immutable backup management with tested restoration documentation, recovery plan development, and RTO/RPO documentation based on actual test performance.
For Ohio businesses, NIST CSF program alignment simultaneously satisfies the Ohio Safe Harbor documentation requirement under ORC § 1354 — providing both security program value and litigation protection from a single documented program.
If you want to understand where your current environment stands against the NIST CSF 2.0 functions, a free network assessment gives you an objective baseline in under an hour.
To discuss what a NIST CSF-aligned security program would look like for your specific organization, book a strategy call.
The 2026 Cybersecurity Buyer's Guide covers the security program fundamentals every mid-market company should understand before evaluating any compliance-focused cybersecurity provider.