NIST Cybersecurity Framework 2.0
The NIST Cybersecurity Framework (CSF) was originally published in 2014 in response to a Presidential Executive Order and has since become one of the most widely adopted security frameworks globally. Version 2.0, released in 2024, expands the framework beyond critical infrastructure to be applicable to any organization regardless of size, sector, or maturity level. Unlike NIST SP 800-53, which is a prescriptive control catalog, the CSF is a risk-based framework designed to help organizations understand, assess, and communicate their cybersecurity posture. It provides a common language for security conversations between technical teams and leadership, making it particularly valuable for organizations that need to communicate risk at the board or executive level. CSF 2.0’s most significant update is the addition of a sixth core function: Govern. This addition elevates cybersecurity governance — roles, policies, risk management strategy, and executive accountability — to the same level as the operational functions. Ayliea’s 119-question assessment covers all six functions.
What Ayliea Assesses
The assessment is organized around the six CSF core functions, each representing a distinct set of cybersecurity outcomes.
Govern (GV)
New in CSF 2.0. Evaluates whether your organization has the governance structures, policies, roles, and risk management strategy in place to guide cybersecurity decisions. Includes board-level accountability, supply chain risk governance, and cybersecurity strategy alignment with business objectives.
Identify (ID)
How well your organization understands its assets, risks, and threat environment. Questions assess asset inventory completeness, business environment mapping, risk assessment processes, and improvement planning.
Protect (PR)
The controls your organization has in place to limit the impact of a cybersecurity event. Covers identity and access management, awareness training, data security, platform security, and resilience of technology infrastructure.
Detect (DE)
Your ability to identify cybersecurity events in a timely manner. Evaluates continuous monitoring capabilities, adverse event detection, and monitoring of your supply chain and business partners.
Respond (RS)
What happens when an incident occurs. Assesses incident response plan coverage, communication procedures, analysis capabilities, mitigation processes, and post-incident improvement practices.
Recover (RC)
Your ability to restore normal operations after a cybersecurity incident. Questions evaluate recovery plan completeness, backup and restoration capabilities, communication during recovery, and lessons-learned integration.
Who Needs This Assessment
- Organizations wanting a risk-based security posture assessment that maps to business objectives
- Security and GRC teams that need a common language for communicating risk to executives and boards
- Organizations at any maturity level — CSF scales from early-stage programs to mature security operations
- Companies with customers, partners, or regulators that reference CSF in their requirements
- Organizations using CSF as a complement to more prescriptive frameworks like NIST 800-53 or CIS Controls
- Any organization that wants a framework-neutral starting point before committing to a specific compliance standard