01 / Who this is for

A comprehensive view. Not a checklist.

NIST CSF is the right framework when you need a thorough, defensible view of your cybersecurity program against a federally recognized, cross-industry standard. It is not industry-specific like HIPAA or FTC Safeguards. It is comprehensive by design, which makes it more rigorous than Complyn Core and a strong fit for businesses graduating into a more mature compliance posture.

A good fit if
  • You're a federal contractor or subcontractor where NIST alignment is required or expected
  • A customer, partner, or board has asked for a NIST CSF assessment specifically
  • You have an existing CSF 1.1 assessment and need to update to the 2.0 release
  • You're going through M&A due diligence and need a comprehensive program review
  • You've outgrown a general baseline and need a more rigorous framework
  • You want a cross-industry framework that does not lock you into a single vertical
  • You're building toward a more formal certification like ISO 27001, SOC 2, or CMMC and need a foundation

Look elsewhere if
  • You're a small business that needs a simpler starting point (consider Complyn Core)
  • You're a covered entity or business associate handling PHI (consider HIPAA Compliance)
  • You're a non-banking financial services firm and the FTC Safeguards Rule is your driver (consider FTC Safeguards)
  • You need a formal third-party certification with an issued attestation (consider SOC 2 or ISO 27001 with a certifying body)
  • You're a DoD contractor needing a CMMC certification specifically

02 / What's included

All six Functions. Including Govern, new in 2.0.

The 2.0 release reorganized the framework around six Functions. The five operational Functions (Identify, Protect, Detect, Respond, Recover) carry over from CSF 1.1, refined and updated. The sixth, Govern, is new and represents the organizational and risk management context that wraps the others. We assess all six.

Govern · New in 2.0

The organizational context for managing cybersecurity risk. Roles and responsibilities, risk management strategy, policies, oversight, and supply chain risk management. Govern is foundational to the other five Functions and is the most common gap we find in businesses migrating from CSF 1.1, simply because it did not exist in the prior version.

Identify

Understanding the assets, systems, data, people, and capabilities that need to be protected. Asset management, business environment, governance of risk, risk assessment, and risk management strategy. You cannot protect what you have not first identified, scoped, and prioritized.

Protect

The safeguards designed to limit the impact of a cybersecurity event. Access control, awareness and training, data security, information protection processes, maintenance, and protective technology. This is where most operational security controls live.

Detect

The capabilities to identify the occurrence of a cybersecurity event. Anomalies and events, continuous monitoring, detection processes. Most small and mid-sized businesses are under-invested here, which is the reason incidents go undetected for weeks or months before discovery.

Respond

The capabilities to take action on a detected cybersecurity event. Response planning, communications, analysis, mitigation, and improvements. The Respond Function is where a documented incident response plan becomes operational, and where most organizations discover their plan was not actually usable until they tried.

Recover

The capabilities to maintain resilience and restore operations after a cybersecurity event. Recovery planning, improvements, and communications. The Recover Function answers how you get back to business, how long it takes, and what is acceptable to lose along the way.

03 / What you receive

A comprehensive report. A real conversation.

Every NIST CSF 2.0 engagement produces the same set of deliverables. The output is structured to satisfy what a federal contracting officer, an enterprise customer, an acquirer, or your board would expect to see.

  1. Written assessment report

    A complete written assessment of your program against all six Functions and their underlying Categories. Each finding includes the relevant CSF reference, what we observed in your business, the assigned Implementation Tier, and a specific recommendation. The report covers your current Profile (where you are today) and a Target Profile (where the assessment suggests you should be), grounded in your industry, scale, and risk appetite.

  2. Risk-ranked remediation roadmap

    Findings ranked by risk and effort, with realistic time and resource estimates. What to address this quarter, this year, and longer term. Designed to be defensible against an auditor and operational for your team.

  3. One-hour roadmap conversation

    Once you've had time to read the report, we sit down for an hour to walk through findings, answer questions, and align on next steps. You leave knowing exactly what to do, in what order, and why.

  4. Thirty days of follow-up support

    For thirty days after the roadmap conversation, you can reach us by email or through the Complyn Client Portal with follow-up questions at no charge. We want the engagement to land.

04 / Built to last

Your engagement doesn't end when the report is delivered.

Most compliance work disappears into an inbox. We do it differently. Every Complyn client gets access to the Complyn Client Portal, a dedicated space where your reports, files, and conversations stay organized and accessible for up to three years after the engagement ends.

Three years of access, no extra fee. The platform exists to make compliance something you can return to, not something you have to rebuild every time.

What you get

  • A direct messaging channel to your Complyn team
  • Every report and deliverable we've produced for you, easily accessible and downloadable for three years
  • Our library of compliance framework documentation and implementation guides
  • A secure file exchange for documents that shouldn't move by email
  • Billing history and invoice access in one place
  • Works on any device, anywhere

05 / How long it takes

Most engagements complete in three to five weeks.

NIST CSF is comprehensive by design, and the assessment takes longer than the more targeted frameworks. The exact timing depends on the size and complexity of your business, how many systems and departments are in scope, and how quickly your team can return documents and make people available for short interviews. Larger or multi-entity organizations may run longer.

Week 1 · Discovery: Document requests, system inventory, intake meetings, initial interviews
Week 2–3 · Assessment: All six Functions assessed, Categories evaluated, Implementation Tiers assigned, findings drafted
Week 4 · Report: Current Profile and Target Profile finalized, roadmap built
Week 5 · Delivery + roadmap: Report delivered, one-hour roadmap call scheduled within five business days

06 / Common questions

Things people ask about NIST CSF 2.0.

What's new in NIST CSF 2.0 compared to 1.1?

The biggest change is the addition of the Govern Function, which sits across the other five and represents organizational risk management, roles and responsibilities, oversight, and supply chain risk. The five operational Functions (Identify, Protect, Detect, Respond, Recover) were refined and updated. The 2.0 release also broadened the framework's intended audience beyond critical infrastructure, expanded supply chain coverage, and added new resources around organizational profiles. If your last CSF assessment was on the 1.1 release, the Govern Function is almost certainly a gap.

Do we need NIST CSF if we already comply with HIPAA, FTC Safeguards, or SOC 2?

It depends on what you're trying to demonstrate. HIPAA, FTC Safeguards, and SOC 2 are framework-specific. NIST CSF is comprehensive and cross-industry, and it maps to and complements other frameworks rather than replacing them. Many of our clients run a NIST CSF assessment alongside their primary framework when a federal contract, customer, or board specifically asks for it. If you have a strong existing program, a NIST CSF assessment will be efficient because much of the underlying work carries forward.

What are the Implementation Tiers?

The Implementation Tiers describe the maturity of your cybersecurity risk management, on a scale from Tier 1 (Partial) to Tier 4 (Adaptive). They are not a grade and they are not a certification. They are a way to characterize how mature, integrated, and repeatable your risk management is. Most small and mid-sized businesses start at Tier 1 or Tier 2 and target Tier 3 (Repeatable) as a realistic mature state. We assign Tiers as part of the report so you can see your current state and set a defensible target.

Do we have to assess against all 106 Subcategories?

No. NIST CSF is intentionally flexible. You can scope the assessment to the Functions, Categories, and Subcategories that are relevant to your business, your risk profile, and what you're being asked to demonstrate. Our standard engagement covers all six Functions and their Categories, and we go deeper into Subcategories where they're material to your situation. We discuss scope in the discovery call and document it in the engagement letter.

How is NIST CSF different from CMMC?

CMMC (Cybersecurity Maturity Model Certification) is mandatory for organizations in the Defense Industrial Base contracting with the Department of Defense. It draws heavily from NIST standards (primarily NIST SP 800-171) but requires a formal third-party certification by an authorized assessor. NIST CSF is voluntary, cross-industry, and self-assessable. If you specifically need CMMC certification for a DoD contract, you need an authorized C3PAO assessment, which is a different engagement. A NIST CSF assessment can be a useful foundation, but it is not a substitute for CMMC certification when CMMC is what the contract requires.

What if we have legacy systems that can't meet certain controls?

The framework allows for documented risk acceptance. Not every control will be implementable in every environment, especially for businesses with legacy systems, regulated industries, or operational constraints. The assessment documents what is in place, what is not, and what specific compensating controls or risk acceptances are appropriate. A defensible NIST CSF program is honest about gaps rather than papering over them.

Do you handle the remediation work after the report?

Just the assessment, by design. We don't sell security tools, we don't take vendor commissions, and we don't double as a managed service provider. Our independence is the whole product. If you want ongoing support implementing the roadmap, our Advisory retainer picks up where the assessment ends. For specific remediation work, we'll recommend vendors and partners who can help.

How much does a NIST CSF 2.0 assessment cost?

NIST CSF is our most comprehensive engagement and is priced accordingly. The exact figure depends on your size, complexity, scope, and whether you need a fresh assessment or an update to a prior NIST CSF or CSF 1.1 program. We provide a written scope and fixed price after a free thirty-minute discovery call. No hidden fees, no commissions, no scope creep without your approval. Schedule an assessment to get a specific quote for your situation.

Ready to know where you stand?

Tell us about your business and what's prompting this. We'll review your request, propose a scope, and set up a free thirty-minute discovery call. No obligation, no scare tactics, no high-pressure sales pitch.