NIST 2.0 Compliance Checklist: The 2026 Implementation Guide
Reading time: 25 minutes | Technical level: Intermediate
TL;DR
NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, introduces significant changes including a new GOVERN function, expanded supply chain guidance, and broader applicability beyond critical infrastructure. This checklist covers all 6 functions (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER), 23 categories, and 108 subcategories. Implementation roadmap: (1) Gap assessment using this checklist, (2) Prioritize based on risk profile, (3) Implement tiered approach (Tier 1-4), (4) Continuous improvement cycle. Organizations using NIST CSF report 40% faster incident response and improved regulatory audit outcomes.
NIST CSF 2.0 Overview
What's New in 2.0
| Change | Description | Impact |
|---|---|---|
| GOVERN function | New sixth function focusing on cybersecurity governance | Elevates governance to equal footing with operations |
| Supply chain | Enhanced third-party risk guidance | Addresses supply chain as primary concern |
| Broad audience | Not just critical infrastructure | All organizations can adopt |
| Implementation examples | Added for all subcategories | Practical guidance included |
| CSF 2.0 Reference Tool | New online resource | Simplifies implementation |
| Organizational profiles | Simplified approach | Easier customization |
The Six Functions
| GOVERN (GV) | IDENTIFY (ID) | PROTECT (PR) | DETECT (DE) | RESPOND (RS) | RECOVER (RC) |
|---|---|---|---|---|---|
| Policy | Asset Management | Identity and Access | Anomaly and Event Analysis | Incident Management | Improvements |
| Risk Management | Risk Assessment | Awareness and Training | Continuous Monitoring | Incident Analysis | Communications |
| Third Party (Supply Chain) | Improvement | Data Security | Detection Processes | Response Communication and Mitigation | |
| | | Platform Security | | | |
| | | Resilience | | | |
Implementation Tiers
| Tier | Characteristics | Maturity Level |
|---|---|---|
| Tier 1 | Partial, reactive, limited awareness | Initial |
| Tier 2 | Risk-informed, approved by management | Developing |
| Tier 3 | Repeatable, organization-wide approach | Defined |
| Tier 4 | Adaptive, using predictive indicators | Optimized |
Tier Selection Guidance:
- Match tier to risk profile, threat landscape, and resources
- Higher tiers require greater investment but provide better resilience
- Progression should be deliberate, not automatic
FUNCTION: GOVERN (GV)
Purpose: Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy.
GV.RM - Risk Management Strategy
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| GV.RM-01 | Risk management strategy established, approved, communicated | Policy document | |
| GV.RM-02 | Cybersecurity risk appetite statement defined | Risk appetite statement | |
| GV.RM-03 | Cybersecurity risk tolerance defined | Tolerance thresholds | |
| GV.RM-04 | Risk management strategy reviewed and updated | Review records | |
| GV.RM-05 | Strategic direction for cybersecurity aligned with mission | Alignment documentation | |
| GV.RM-06 | Cybersecurity requirements for suppliers identified | Supplier requirements | |
| GV.RM-07 | Cybersecurity requirements for products/services identified | Procurement policies | |
Implementation Examples:
- Develop comprehensive risk management policy
- Define risk appetite in financial terms where possible
- Establish regular risk review cadence (quarterly minimum)
- Integrate cybersecurity into strategic planning
GV.PO - Policy
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| GV.PO-01 | Cybersecurity policy established and communicated | Policy document | |
| GV.PO-02 | Policy reviewed and updated regularly | Review schedule | |
Implementation Examples:
- Create comprehensive cybersecurity policy
- Annual policy review minimum
- Version control and distribution tracking
- Acknowledgment tracking for employees
GV.OV - Oversight
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| GV.OV-01 | Cybersecurity risk management results reported to leadership | Board reports | |
| GV.OV-02 | Cybersecurity risk management strategy progress monitored | KPI dashboard | |
| GV.OV-03 | Regulatory and contractual requirements identified | Compliance matrix | |
GV.SC - Cybersecurity Supply Chain Risk Management
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| GV.SC-01 | Supply chain cybersecurity risk management program established | Program charter | |
| GV.SC-02 | Cyber supply chain risk assessment performed | Assessment reports | |
| GV.SC-03 | Suppliers categorized by risk level | Supplier risk tiers | |
| GV.SC-04 | Supplier security requirements in contracts | Contract templates | |
| GV.SC-05 | Suppliers monitored for compliance | Monitoring reports | |
| GV.SC-06 | Supply chain incident response plan includes third parties | IR plan section | |
| GV.SC-07 | Supply chain risk reassessed after incidents | Post-incident reviews | |
| GV.SC-08 | Supply chain security tested before deployment | Testing records | |
| GV.SC-09 | Supply chain security incidents tracked | Incident log | |
| GV.SC-10 | Supply chain risks shared with suppliers | Risk sharing agreements | |
FUNCTION: IDENTIFY (ID)
Purpose: Help the organization understand its current cybersecurity risks to systems, people, assets, data, and capabilities.
ID.AM - Asset Management
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| ID.AM-01 | Physical devices and systems inventory | CMDB/asset register | |
| ID.AM-02 | Software platforms and applications inventory | Software inventory | |
| ID.AM-03 | Organizational communication and data flows mapped | Data flow diagrams | |
| ID.AM-04 | External systems cataloged | External system list | |
| ID.AM-05 | Resources prioritized based on classification | Asset valuation | |
| ID.AM-06 | Cybersecurity roles and responsibilities established | RACI matrix | |
| ID.AM-07 | Cybersecurity roles and responsibilities reassessed | Review schedule | |
| ID.AM-08 | Critical asset identification criteria established | Critical asset policy | |
| ID.AM-09 | Hardware and software authorized before acquisition | Procurement process | |
| ID.AM-10 | Assets managed throughout lifecycle | Asset lifecycle process | |
ID.RA - Risk Assessment
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| ID.RA-01 | Vulnerability identification performed | Vulnerability reports | |
| ID.RA-02 | Threat intelligence received and analyzed | Threat intel reports | |
| ID.RA-03 | Internal threats identified and assessed | Insider threat program | |
| ID.RA-04 | Likelihood and impact of risks assessed | Risk register | |
| ID.RA-05 | Risk responses identified, prioritized, and implemented | Risk treatment plan | |
| ID.RA-06 | Risk assessment process improved | Process reviews | |
| ID.RA-07 | Changes assessed for cybersecurity risk | Change management | |
| ID.RA-08 | Mission impact assessed for supply chain compromise | BIA with supply chain | |
| ID.RA-09 | Criticality of products/services assessed | Criticality ratings | |
| ID.RA-10 | Third-party risk assessment performed | Third-party assessments | |
ID.IM - Improvement
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| ID.IM-01 | Improvements to organizational cybersecurity evaluated | Improvement tracking | |
| ID.IM-02 | Cybersecurity risk management strategy improvements assessed | Strategy reviews | |
| ID.IM-03 | Identified improvements implemented | Implementation records | |
| ID.IM-04 | Technology and service improvements assessed | Tech roadmap reviews | |
FUNCTION: PROTECT (PR)
Purpose: Support the ability to limit or contain the impact of potential cybersecurity events.
PR.AA - Identity Management, Authentication, and Access Control
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| PR.AA-01 | Identities and credentials issued, managed, verified, revoked | IAM program | |
| PR.AA-02 | Physical access to assets managed | Physical security | |
| PR.AA-03 | Remote access managed | Remote access policy | |
| PR.AA-04 | Access permissions and authorizations managed | Access reviews | |
| PR.AA-05 | Access to physical and logical assets minimized | Least privilege policy | |
| PR.AA-06 | Mechanisms for managing authentication and authorization devices | Hardware token mgmt | |
PR.AT - Awareness and Training
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| PR.AT-01 | Personnel provided with security awareness training | Training records | |
| PR.AT-02 | Personnel trained on their security responsibilities | Role-based training | |
| PR.AT-03 | Training effectiveness measured and improved | Training metrics | |
| PR.AT-04 | Training updated based on threat intelligence | Training updates | |
| PR.AT-05 | Physical security personnel trained | Security guard training | |
| PR.AT-06 | Senior executives trained on security risks | Executive briefings | |
| PR.AT-07 | Third-party stakeholders trained on security | Third-party training | |
PR.DS - Data Security
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| PR.DS-01 | Data-at-rest protection implemented | Encryption inventory | |
| PR.DS-02 | Data-in-transit protection implemented | TLS/encryption config | |
| PR.DS-03 | Data-in-use protection implemented | Memory encryption | |
| PR.DS-04 | Adequate capacity to ensure availability | Capacity planning | |
| PR.DS-05 | Protections against data leaks implemented | DLP deployment | |
| PR.DS-06 | Data integrity checking mechanism used | Integrity verification | |
| PR.DS-07 | Development and testing environment separate from production | Environment separation | |
| PR.DS-08 | Data integrity checking for backups | Backup verification | |
| PR.DS-09 | Data destroyed per policy | Data destruction process | |
| PR.DS-10 | Data concealment mechanisms implemented | Data masking | |
| PR.DS-11 | Data backups tested | Backup testing records | |
PR.PS - Platform Security
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| PR.PS-01 | Configuration management policy established | Config mgmt policy | |
| PR.PS-02 | Software maintained, replaced, and removed | Patch management | |
| PR.PS-03 | Hardware maintained, replaced, and removed | Hardware lifecycle | |
| PR.PS-04 | Log records generated and made available | Logging standard | |
| PR.PS-05 | Installation and execution of unauthorized software prevented | Application control | |
| PR.PS-06 | Secure software development practices followed | SDLC policy | |
| PR.PS-07 | Security testing during development performed | Security testing | |
| PR.PS-08 | Software integrity verified during delivery | Code signing | |
| PR.PS-09 | Unauthorized access to critical technology assets prevented | Network segmentation | |
| PR.PS-10 | Usage of critical technology assets monitored | Asset monitoring | |
| PR.PS-11 | Backup and recovery procedures for critical technology assets | Asset recovery plans | |
PR.IR - Technology Infrastructure Resilience
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| PR.IR-01 | Networks and environments protected from unauthorized access | Network security | |
| PR.IR-02 | Internal and external network perimeters monitored | Network monitoring | |
| PR.IR-03 | Mechanisms implemented to achieve resilience requirements | Resilience testing | |
| PR.IR-04 | Incident recovery planning includes third parties | Third-party DR | |
FUNCTION: DETECT (DE)
Purpose: Support the ability to identify the occurrence of cybersecurity events.
DE.AE - Anomaly Detection and Analysis
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| DE.AE-01 | Log records analyzed for anomalies | SIEM rules | |
| DE.AE-02 | Event detection information centralized | SOC dashboard | |
| DE.AE-03 | Event detection data correlated from multiple sources | Correlation rules | |
| DE.AE-04 | Impact of events determined | Impact assessment | |
| DE.AE-05 | Incident alert thresholds established | Alert configuration | |
| DE.AE-06 | Authorized personnel receive alerts | Alert routing | |
| DE.AE-07 | Incident detection information shared | ISAC membership | |
DE.CM - Continuous Monitoring
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| DE.CM-01 | Network monitored for unauthorized devices | NAC deployment | |
| DE.CM-02 | Physical environment monitored for unauthorized access | Physical monitoring | |
| DE.CM-03 | Personnel activity monitored | UEBA deployment | |
| DE.CM-04 | Malicious code detected | AV/EDR deployment | |
| DE.CM-05 | Unauthorized mobile code detected | Mobile code policy | |
| DE.CM-06 | External service provider activity monitored | Third-party monitoring | |
| DE.CM-07 | Monitoring for unauthorized personnel, connections, devices | Access monitoring | |
| DE.CM-08 | Vulnerability scans performed | Vulnerability program | |
| DE.CM-09 | Supply chain security monitored | Supply chain monitoring | |
| DE.CM-10 | Information and data monitoring for anomalies | DLP monitoring | |
DE.DP - Detection Processes
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| DE.DP-01 | Detection roles and responsibilities defined | SOC roles | |
| DE.DP-02 | Detection activities comply with requirements | Compliance mapping | |
| DE.DP-03 | Detection processes tested | Detection testing | |
| DE.DP-04 | Event detection information communicated | Communication procedures | |
| DE.DP-05 | Detection processes continuously improved | Improvement records | |
FUNCTION: RESPOND (RS)
Purpose: Support the ability to contain the impact of cybersecurity incidents.
RS.MA - Incident Management
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| RS.MA-01 | Incident management process executed | IR plan | |
| RS.MA-02 | Incidents reported and documented | Incident tickets | |
| RS.MA-03 | Incidents escalated or elevated as needed | Escalation matrix | |
| RS.MA-04 | Incident information shared | ISAC reporting | |
| RS.MA-05 | Incidents closed when resolved | Closure criteria | |
| RS.MA-06 | Post-incident analysis performed | Post-mortems | |
| RS.MA-07 | Newly identified vulnerabilities mitigated | Vulnerability mgmt | |
RS.AN - Incident Analysis
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| RS.AN-01 | Investigations performed | Investigation SOP | |
| RS.AN-02 | Forensics performed | Forensics capability | |
| RS.AN-03 | Incidents categorized and prioritized | Incident taxonomy | |
| RS.AN-04 | Incidents correlated with other events | Event correlation | |
| RS.AN-05 | Impact of incidents determined | Impact assessment | |
| RS.AN-06 | Actions performed without compromising investigation | Investigation procedures | |
| RS.AN-07 | Volatile data preserved | Volatile data process | |
| RS.AN-08 | Incident data secured | Evidence handling | |
| RS.AN-09 | Incident documentation secured | Documentation controls | |
| RS.AN-10 | Incident-related vulnerability identified | Root cause analysis | |
| RS.AN-11 | Chain of custody established | Custody procedures | |
RS.CO - Incident Response Communication and Coordination
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| RS.CO-01 | Personnel report suspected incidents | Reporting procedures | |
| RS.CO-02 | Incidents reported to designated officials | Reporting matrix | |
| RS.CO-03 | Information shared with designated stakeholders | Stakeholder lists | |
| RS.CO-04 | Coordination with stakeholders maintained | Coordination procedures | |
| RS.CO-05 | Incidents shared with external stakeholders | External reporting | |
RS.MI - Incident Mitigation
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| RS.MI-01 | Incidents contained | Containment procedures | |
| RS.MI-02 | Incidents eradicated | Eradication procedures | |
| RS.MI-03 | Newly identified vulnerabilities mitigated | Vulnerability remediation | |
FUNCTION: RECOVER (RC)
Purpose: Support timely recovery to normal operations to reduce the impact from cybersecurity incidents.
RC.RP - Incident Recovery Plan Execution
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| RC.RP-01 | Recovery plan executed | Recovery procedures | |
| RC.RP-02 | Recovery objectives achieved | RTO/RPO tracking | |
| RC.RP-03 | Recovery progress verified | Recovery testing | |
| RC.RP-04 | Recovery activities tested | DR testing schedule | |
| RC.RP-05 | BCP/DR plan available | Plan repository | |
| RC.RP-06 | Recovery plan updated | Plan maintenance | |
| RC.RP-07 | Critical infrastructure services restored | Critical systems list | |
| RC.RP-08 | Recovery communication plan executed | Comms plan | |
| RC.RP-09 | Recovery workforce managed | Workforce plans | |
RC.CO - Communications
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| RC.CO-01 | Public relations managed | PR procedures | |
| RC.CO-02 | Reputation repaired | Reputation management | |
| RC.CO-03 | Recovery activities and progress communicated | Status communications | |
| RC.CO-04 | Compliance with notification requirements verified | Notification tracking | |
RC.IM - Improvement
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| RC.IM-01 | Recovery plans and processes improved | Improvement process | |
| RC.IM-02 | Newly identified vulnerabilities mitigated | Vulnerability closure | |
Implementation Roadmap
Phase 1: Foundation (Months 1-3)
- GOVERN: Establish risk management strategy
- GOVERN: Develop cybersecurity policy
- IDENTIFY: Create asset inventory
- IDENTIFY: Document data flows
- PROTECT: Implement access controls
- PROTECT: Deploy MFA
Phase 2: Core Controls (Months 4-6)
- IDENTIFY: Complete risk assessment
- PROTECT: Deploy security awareness training
- PROTECT: Implement data encryption
- PROTECT: Establish vulnerability management
- DETECT: Deploy SIEM
- DETECT: Implement continuous monitoring
Phase 3: Advanced Capabilities (Months 7-9)
- GOVERN: Full supply chain risk program
- PROTECT: Zero Trust architecture deployment
- DETECT: UEBA implementation
- RESPOND: Full IR plan development
- RECOVER: DR plan implementation
- RECOVER: Backup testing program
Phase 4: Optimization (Months 10-12)
- All functions: Tier 3 or 4 maturity
- All functions: Continuous improvement established
- All functions: Metrics and reporting operational
- Full organizational profile documented
- External assessment/audit completed
Mapping to Other Frameworks
| NIST CSF 2.0 | ISO 27001:2022 | SOC 2 | PCI-DSS 4.0 |
|---|---|---|---|
| GOVERN | 5, 6 | CC1, CC2 | 3, 12 |
| IDENTIFY | 5 | CC3, CC7 | 2, 3, 12 |
| PROTECT | 5, 7, 8 | CC5, CC6, CC7 | 1, 2, 3, 4, 6, 7, 8 |
| DETECT | 8 | CC4, CC7 | 10, 11 |
| RESPOND | 8 | CC4, CC7 | 10, 12 |
| RECOVER | 8 | CC4, CC7 | 12 |
FAQ
Q: Is NIST CSF 2.0 mandatory?
A: NIST CSF is voluntary for most organizations. However, it's mandated for federal agencies via OMB M-23-07 and increasingly required by regulators, cyber insurance, and business partners.
Q: How long does NIST CSF 2.0 implementation take?
A: Full implementation typically takes 12-24 months for a medium-sized organization. A phased approach starting with critical gaps can show value in 3-6 months.
Q: What's the difference between NIST CSF and NIST SP 800-53?
A: CSF is a high-level framework for managing cybersecurity risk. SP 800-53 is a comprehensive control catalog. CSF 2.0 maps to 800-53 Rev 5 controls for detailed implementation.
Q: Do we need to implement all 108 subcategories?
A: No. The framework is outcome-based and flexible. Select subcategories relevant to your risk profile, industry, and regulatory requirements. Document your rationale for exclusions.
Q: How do we select our Implementation Tier?
A: Consider: threat landscape, regulatory requirements, business mission criticality, and resources. Most organizations should aim for Tier 2 or 3. Tier 4 is for highly targeted organizations.
Q: Can we use NIST CSF 2.0 for third-party assessments?
A: Yes. The Organizational Profile and supply chain guidance are designed for this. Many organizations now require suppliers to complete CSF-based assessments.
Q: What's new in the Organizational Profile approach?
A: CSF 2.0 simplifies to two profiles: Current (as-is state) and Target (desired state). Gap analysis between them drives your improvement roadmap.
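As an added example (not part of the original article, and not a NIST tool), the following Python script runs the Current-versus-Target gap analysis over rows written in this checklist's table layout: it parses the subcategory rows, attaches a Current and a Target profile expressed as Implementation Tiers (1 to 4), reports the shortfall per function, and orders the functions by risk-weighted gap so the "gap assessment, then prioritize" steps of the roadmap can be driven from the checklist itself. The sample rows, the two profiles and the per-function risk weights are constructed for illustration; the tier values and weights are assumptions, not the article's data.

```python
"""Gap assessment over a NIST CSF 2.0-style checklist (added example).

Parses rows laid out like the checklist tables above, compares a Current
profile with a Target profile (both expressed as Implementation Tiers 1-4),
and orders the functions by weighted gap for roadmap prioritization.
"""
import re
from collections import defaultdict

# Constructed sample rows in the checklist's table layout (one per function,
# plus a supply chain item); not the full subcategory list.
CHECKLIST_MD = """
| Subcategory | Outcome | Example evidence | Status |
|---|---|---|---|
| GV.RM-01 | Risk management strategy established, approved, communicated | Policy document | |
| GV.SC-03 | Suppliers categorized by risk level | Supplier risk tiers | |
| ID.AM-01 | Physical devices and systems inventory | CMDB/asset register | |
| PR.AA-05 | Access to physical and logical assets minimized | Least privilege policy | |
| PR.DS-01 | Data-at-rest protection implemented | Encryption inventory | |
| DE.AE-01 | Log records analyzed for anomalies | SIEM rules | |
| RS.MA-01 | Incident management process executed | IR plan | |
| RC.RP-01 | Recovery plan executed | Recovery procedures | |
"""

# Assumed profiles: tier reached today (Current) and tier wanted (Target).
CURRENT_PROFILE = {
    "GV.RM-01": 2, "GV.SC-03": 1, "ID.AM-01": 3, "PR.AA-05": 2,
    "PR.DS-01": 3, "DE.AE-01": 1, "RS.MA-01": 2, "RC.RP-01": 2,
}
TARGET_PROFILE = dict.fromkeys(CURRENT_PROFILE, 3)  # Tier 3 across the board

# Assumed risk weights per function; DETECT weighted highest here because the
# sample organization has no log analysis in place yet.
RISK_WEIGHTS = {"GV": 1.0, "ID": 1.0, "PR": 1.5, "DE": 2.0, "RS": 1.0, "RC": 1.0}

# Matches a data row "| XX.YY-NN | outcome | evidence | ..."; header and
# separator rows never match because they carry no subcategory ID.
ROW_RE = re.compile(r"^\|\s*([A-Z]{2}\.[A-Z]{2}-\d{2})\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|")


def parse_checklist(markdown):
    """Return {subcategory_id: (outcome, example_evidence)} from table rows."""
    items = {}
    for line in markdown.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            items[m.group(1)] = (m.group(2), m.group(3))
    return items


def function_of(sub_id):
    """'PR.DS-01' -> 'PR'."""
    return sub_id.split(".", 1)[0]


def gap_analysis(items, current, target):
    """Per-function shortfall between Target and Current tiers.

    Returns {function: {"gap_items": [(id, cur, tgt, shortfall), ...],
    "total_gap": n}}; functions with no shortfall are omitted. A subcategory
    absent from a profile is treated as Tier 1 (Partial), the lowest tier.
    """
    per_function = defaultdict(lambda: {"gap_items": [], "total_gap": 0})
    for sub_id in items:
        cur, tgt = current.get(sub_id, 1), target.get(sub_id, 1)
        shortfall = max(tgt - cur, 0)
        if shortfall:
            entry = per_function[function_of(sub_id)]
            entry["gap_items"].append((sub_id, cur, tgt, shortfall))
            entry["total_gap"] += shortfall
    for entry in per_function.values():
        entry["gap_items"].sort(key=lambda g: (-g[3], g[0]))  # biggest gap first
    return dict(per_function)


def prioritized_roadmap(gaps, weights):
    """Functions ordered by risk-weighted total gap (ties broken by name)."""
    return sorted(gaps, key=lambda fn: (-gaps[fn]["total_gap"] * weights.get(fn, 1.0), fn))


def report(items, gaps, roadmap):
    """Human-readable gap report, one line per open subcategory."""
    lines = []
    for fn in roadmap:
        lines.append(f"{fn}: total gap {gaps[fn]['total_gap']}")
        for sub_id, cur, tgt, _ in gaps[fn]["gap_items"]:
            outcome, evidence = items[sub_id]
            lines.append(f"  {sub_id} Tier {cur} -> {tgt}: {outcome} (evidence: {evidence})")
    return lines


if __name__ == "__main__":
    checklist = parse_checklist(CHECKLIST_MD)
    gaps = gap_analysis(checklist, CURRENT_PROFILE, TARGET_PROFILE)
    print("\n".join(report(checklist, gaps, prioritized_roadmap(gaps, RISK_WEIGHTS))))
```

The risk weights are the knob for "prioritize based on risk profile": with the sample values, DETECT ranks first even though GOVERN has a larger raw tier shortfall, because the weight reflects the organization's view that missing detection is the more urgent exposure. Feeding the full checklist in and replacing the assumed tiers with assessed ones turns the output into the Phase 1 work list for the roadmap.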
Q: Is there an official tool for CSF 2.0?
A: Yes. NIST provides the CSF 2.0 Reference Tool online (no login required) and downloadable resources including Excel implementation examples.
Key Takeaways
- Start with GOVERN—cybersecurity governance is foundational
- Prioritize based on risk—not all subcategories are equal for your organization
- Use Organizational Profiles—document current and target states
- Integrate supply chain—third-party risk is critical
- Map to existing compliance—CSF complements, doesn't replace, other frameworks
- Continuous improvement—CSF is a journey, not a destination
Need help implementing NIST CSF 2.0? Contact lil.business for framework assessment and implementation support.