NIST CSF 2.0 Mapping

View coverage across all six Cybersecurity Framework 2.0 functions, with linked risks, evidence, and remediation guidance.

| Function | Coverage | Description | Risks | Evidence |
|---|---|---|---|---|
| Govern | 25% | Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy. | 2 | 2 |
| Identify | 33% | Understand assets, business environment, and risks to systems, people, and data. | 2 | 1 |
| Protect | 64% | Implement safeguards to deliver critical infrastructure services. | 4 | 3 |
| Detect | 0% | Develop activities to identify the occurrence of a cybersecurity event. | 1 | 1 |
| Respond | 0% | Take action regarding a detected cybersecurity incident. | 1 | 1 |
| Recover | 0% | Restore capabilities or services impaired due to a cybersecurity incident. | 2 | 1 |
Govern — Control Mapping

| Control Area | Related Risk | Current Status | Evidence Required | Evidence Status | Recommended Remediation |
|---|---|---|---|---|---|
| Third-Party Risk | No vendor risk management process (R-007) | Open | Vendor assessment form | Requested | Establish vendor intake questionnaire and annual review cycle. |
| Governance | Incomplete policy documentation (R-010) | Open | Approved policy set | Reviewed | Adopt SOC 2 policy pack; assign owners; review annually. |
Identify — Control Mapping

| Control Area | Related Risk | Current Status | Evidence Required | Evidence Status | Recommended Remediation |
|---|---|---|---|---|---|
| Vulnerability Management | No formal vulnerability management (R-008) | Open | Vulnerability scan report | Missing | Deploy Tenable/Qualys with monthly scans and SLAs by severity. |
| Asset Management | No comprehensive asset inventory (R-011) | Open | Asset inventory export | Collected | Deploy Kandji + AWS Config aggregator; reconcile monthly. |
Protect — Control Mapping

| Control Area | Related Risk | Current Status | Evidence Required | Evidence Status | Recommended Remediation |
|---|---|---|---|---|---|
| Identity & Access Management | MFA not enforced on critical systems (R-001) | Open | MFA enforcement policy screenshot | Collected | Enforce MFA via Okta for all SaaS apps and AWS root/admin accounts. |
| Identity & Access Management | No active risk | | Password policy document | Missing | Publish password policy; enforce length, complexity, and breach detection in Okta. |
| Access Management | No periodic access reviews (R-002) | Open | Quarterly access review report | Missing | Implement quarterly access review process owned by IT with manager attestation. |
| HR Security | Inconsistent onboarding/offboarding (R-003) | Open | Joiner/leaver SOP | Missing | Automate joiner/mover/leaver workflow between HRIS and Okta. |
| Data Protection | No active risk | | Encryption configuration export | Missing | Enable KMS encryption on all S3 buckets, RDS, and EBS volumes; enforce TLS 1.2+. |
| Awareness & Training | Inconsistent security awareness training (R-006) | Open | Training completion report | Requested | Deploy KnowBe4 training with quarterly phishing simulations. |
| Endpoint Security | No active risk | | EDR coverage report | Missing | Deploy CrowdStrike Falcon via MDM; alert on missing coverage. |
Detect — Control Mapping

| Control Area | Related Risk | Current Status | Evidence Required | Evidence Status | Recommended Remediation |
|---|---|---|---|---|---|
| Logging & Monitoring | Logs not centrally reviewed (R-009) | Open | SIEM dashboard screenshot | Missing | Centralize logs in SIEM (Datadog/Splunk) with detection rules. |
Respond — Control Mapping

| Control Area | Related Risk | Current Status | Evidence Required | Evidence Status | Recommended Remediation |
|---|---|---|---|---|---|
| Incident Response | No tested incident response plan (R-005) | Open | Incident response plan & tabletop notes | Missing | Draft IR plan; run a tabletop exercise quarterly. |
Recover — Control Mapping

| Control Area | Related Risk | Current Status | Evidence Required | Evidence Status | Recommended Remediation |
|---|---|---|---|---|---|
| Resilience | Backups not tested via restore (R-004) | Open | Backup restore test results | Missing | Schedule semi-annual restore tests and document results. |
| Business Continuity | No BCP/DR plan in place (R-012) | Open | BCP/DR plan | Missing | Document BCP/DR with RTO/RPO; run annual failover test. |