Getting Started
Quick Start Architecture
AI Agents
MSP Hunter Threat Researcher Tech Support Compliance Agent Account Manager Onboarding Agent
Compliance
HIPAA SOC 2 PCI-DSS NIST
Guides
First 30 Days Scaling
API
Overview Endpoints

NIST Cybersecurity Framework Guide

📋 Compliance 35 min read Updated June 2026

The NIST Cybersecurity Framework (CSF) is the most widely referenced cybersecurity framework in the world, used by organizations from small businesses to Fortune 500 enterprises and US federal agencies. CSF 2.0 — released in February 2024 — expanded the original five functions to six with the addition of "Govern," reflecting the growing recognition that cybersecurity is a board-level enterprise risk issue, not just a technical problem. This guide covers everything MSPs need to know: the full framework, NIST SP 800-53 control catalog, who requires it, implementation tiers, and how Gridlock automates NIST compliance across your entire managed portfolio.

NIST CSF 2.0 — What Changed in February 2024

NIST CSF 2.0 is not a minor revision. The new "Govern" function elevates cybersecurity strategy, roles, policies, and supply chain risk to the top level. The framework also dramatically expanded supply chain guidance, added new implementation resources, and published Community Profiles for specific sectors. If your NIST assessments are still based on CSF 1.1, it is time to update them.

NIST CSF 2.0 Overview — The 6 Functions

The NIST Cybersecurity Framework organizes cybersecurity activities into six Functions. Each Function is subdivided into Categories, which are further broken down into Subcategories — specific, actionable outcomes that map to existing standards, guidelines, and practices. The six Functions are not sequential steps; they are meant to be performed concurrently and continuously.

GV — New in 2.0

Govern

Establishes the organizational context for cybersecurity: strategy, policies, roles and responsibilities, supply chain risk management, and oversight. The foundation for all other Functions.

ID

Identify

Develop understanding of assets, data, systems, and capabilities — and the cybersecurity risks to them. Asset inventory, risk assessment, and business environment understanding.

PR

Protect

Implement safeguards to ensure delivery of critical services. Access control, data security, protective technology, awareness training, and maintenance processes.

DE

Detect

Develop and implement activities to identify the occurrence of a cybersecurity event. Continuous monitoring, anomaly detection, and detection processes.

RS

Respond

Take action regarding a detected cybersecurity incident. Response planning, communications, analysis, containment, and improvements from lessons learned.

RC

Recover

Maintain resilience and restore capabilities or services that were impaired during an incident. Recovery planning, improvements, and communications.

The Govern Function — What's New in CSF 2.0

The Govern function is the most significant addition in CSF 2.0. It covers six category areas:

Supply Chain Risk Is Now a First-Class Requirement

GV.SC — Supply Chain Risk Management — is now a top-level category in the Govern function. For MSPs, this is significant: your clients who follow NIST CSF 2.0 will increasingly require their IT service providers to demonstrate their own cybersecurity posture. Gridlock provides the documentation and evidence packages MSPs need to satisfy client supply chain due diligence requests.

Categories and Subcategories Breakdown

Function Categories Example Subcategories
Govern (GV) OC, RM, RR, PO, OV, SC GV.RM-01: Risk management objectives are established; GV.SC-06: Planning and due diligence for suppliers
Identify (ID) AM, RA, IM ID.AM-01: Inventories of hardware managed; ID.RA-01: Vulnerabilities in assets identified and validated
Protect (PR) AA, AT, DS, PS, IR PR.AA-01: Identities and credentials issued and managed; PR.DS-01: Data at rest protected
Detect (DE) CM, AE DE.CM-01: Networks and infrastructure monitored; DE.AE-02: Events analyzed to understand attack targets
Respond (RS) MA, AN, CO, MI RS.MA-01: Incident response plan executed; RS.AN-03: Performed analyses to establish root cause
Recover (RC) RP, CO RC.RP-01: Recovery plan executed during or after cybersecurity incident; RC.CO-04: Recovery communicated to stakeholders

NIST SP 800-53 — The Control Catalog

While the CSF provides the high-level framework, NIST Special Publication 800-53 (currently at Revision 5) is the comprehensive control catalog. SP 800-53 is the authoritative source for federal information systems and is heavily referenced in FedRAMP, CMMC, and many state and private-sector security programs. It contains over 1,000 individual controls and control enhancements organized into 20 control families.

CSF vs. SP 800-53 — Understanding the Relationship

NIST CSF is the strategic framework — it tells you what outcomes to achieve. SP 800-53 is the technical control catalog — it tells you specifically how to achieve them. NIST publishes official mappings between CSF subcategories and SP 800-53 controls, making it possible to use both together: the CSF for executive-level risk communication and 800-53 for technical implementation and audit evidence.

The 20 SP 800-53 Control Families

ID Control Family Key Controls Gridlock Coverage
AC Access Control Account management, least privilege, remote access, session lock, information flow enforcement Automated
AT Awareness and Training Literacy training, role-based training, insider threat awareness Partial
AU Audit and Accountability Event logging, log storage, log review, audit record protection, non-repudiation Automated
CA Assessment, Authorization, Monitoring Security assessments, plan of action and milestones, continuous monitoring Automated
CM Configuration Management Baseline configuration, configuration change control, inventory of components, security engineering principles Automated
CP Contingency Planning Backup, recovery point objectives, alternate processing sites, contingency plan testing Automated
IA Identification and Authentication Identifier management, authenticator management, MFA, device authentication Automated
IR Incident Response Incident handling, monitoring, reporting, information spillage response Automated
MA Maintenance Controlled maintenance, maintenance tools, timely maintenance Partial
MP Media Protection Media access, media storage, media transport, media sanitization Partial
PE Physical and Environmental Protection Physical access authorizations, monitoring physical access, visitor control, power and temperature Partial
PL Planning System security and privacy plan, rules of behavior, baseline selection Partial
PM Program Management Information security program plan, risk management strategy, critical infrastructure plan Partial
PS Personnel Security Position risk designation, personnel screening, termination, personnel transfer Partial
PT PII Processing and Transparency Purpose specification, consent, data minimization, privacy notice Partial
RA Risk Assessment Risk assessment policy, vulnerability scanning, risk response, criticality analysis Automated
SA System and Services Acquisition Acquisition process, supply chain protection, developer security testing, outsourced services Partial
SC System and Communications Protection Network segmentation, cryptographic protection, transmission confidentiality and integrity, DNS filtering Automated
SI System and Information Integrity Malicious code protection, security alerts, security function verification, spam protection Automated
SR Supply Chain Risk Management Supply chain risk management plan, provenance, component authenticity, supply chain incident response Partial

SP 800-53 Impact Levels

SP 800-53 controls are categorized by impact level — Low, Moderate, and High — based on FIPS 199 security categorization. Federal systems and their contractors must implement controls appropriate to their system's impact level. Most MSPs supporting government or regulated-industry clients will be dealing with Moderate baseline, which covers the majority of civilian federal systems.

Who Uses NIST — and Why Your MSP Clients Do Too

NIST CSF started as a voluntary framework for critical infrastructure sectors. It has since become the de facto standard for US-based cybersecurity programs, and NIST SP 800-53 is mandatory for federal civilian agencies. Understanding which of your clients are required — or effectively required — to follow NIST tells you which accounts need a NIST-aligned security program.

Government Contractors — NIST SP 800-171 and CMMC

Organizations that handle Controlled Unclassified Information (CUI) for the federal government must comply with NIST SP 800-171, which is a subset of 800-53 controls tailored for non-federal systems. The Cybersecurity Maturity Model Certification (CMMC) program — mandatory for Department of Defense contractors — is built directly on NIST 800-171 (CMMC Level 2) and 800-172 (CMMC Level 3).

Contractor Type NIST Requirement Enforcement Mechanism
DoD contractors handling CUI NIST SP 800-171 (110 controls) CMMC Level 2 certification (third-party assessment required)
DoD contractors on critical programs NIST SP 800-172 (enhanced controls) CMMC Level 3 certification (government-led assessment)
Federal civilian agencies (direct) NIST SP 800-53 Moderate baseline FISMA, FedRAMP (for cloud services), OMB mandates
Civilian agency contractors with CUI NIST SP 800-171 FAR/DFARS contract clauses, agency ATO process
State/local government NIST CSF (voluntary, widely adopted) State cybersecurity regulations, grant requirements

FedRAMP — Cloud Providers and Their MSP Partners

The Federal Risk and Authorization Management Program (FedRAMP) requires cloud service providers to obtain a FedRAMP Authorization before federal agencies can use their services. FedRAMP is built entirely on NIST SP 800-53. If your MSP manages FedRAMP-authorized cloud environments or assists federal clients in deploying cloud services, you are operating in a NIST 800-53 environment.

Healthcare — HIPAA and NIST Overlap

While HIPAA does not mandate NIST compliance, the HHS Office for Civil Rights has explicitly recognized NIST CSF and NIST SP 800-66 (HIPAA security rule implementation guidance) as an appropriate framework for HIPAA Security Rule compliance. Many healthcare organizations adopt NIST as the implementation vehicle for HIPAA requirements — meaning your healthcare clients may effectively require NIST even if they only explicitly discuss HIPAA.

Financial Services

Multiple financial regulators reference or endorse NIST CSF:

MSP Opportunity: NIST as the Master Framework

Because NIST CSF maps to virtually every other major framework (HIPAA, SOC 2, ISO 27001, PCI-DSS, CMMC), MSPs that build a NIST-aligned security program for clients get cross-framework compliance as a byproduct. Gridlock's Compliance Agent maintains live cross-framework mappings — when you satisfy a NIST control, it automatically checks which HIPAA, SOC 2, and PCI requirements you've also addressed.

NIST CSF Implementation Tiers

NIST CSF Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. Tiers are not maturity levels — NIST explicitly states that progression to higher tiers is appropriate only when doing so would reduce cybersecurity risk and be cost-effective. However, in practice, regulated industries and procurement processes treat higher tiers as more desirable.

Tier 1

Partial

Ad hoc, reactive practices. Limited awareness of organizational risk. Risk management is not formalized and is applied irregularly.

Tier 2

Risk Informed

Risk management practices are approved by management but may not be established as policy. Awareness of cybersecurity risk exists but org-wide approach is not formalized.

Tier 3

Repeatable

Formal, approved risk management policies. Practices regularly updated based on changes to business requirements and threat landscape. Consistent across organization.

Tier 4

Adaptive

Cybersecurity practices continuously improved through lessons learned and predictive indicators. Active participation in information sharing communities. Risk-informed real-time adaptation.

Where Most Organizations Land — and Where They Should Be

Organization Type Typical Starting Tier Target Tier Notes
Small business (no regulated data) Tier 1 Tier 2 Basic risk-informed practices are sufficient. Focus on Protect and Detect functions first.
MSP (managing multiple clients) Tier 2 Tier 3 Repeatable, consistent practices across all clients. Supply chain risk management critical (GV.SC).
Healthcare organization Tier 1–2 Tier 3 HIPAA enforcement effectively requires Tier 3 practices, especially for risk analysis and workforce training.
DoD contractor (CMMC Level 2) Tier 2 Tier 3 CMMC requires documented, repeatable practices that align with Tier 3 characteristics.
Federal agency Tier 2–3 Tier 3–4 FISMA continuous monitoring requirements push agencies toward Tier 4 in practice.

Using Tiers in MSP Conversations

The Implementation Tier model gives MSPs a structured way to have risk conversations with clients and prospects:

How Gridlock Maps to NIST CSF Functions

Gridlock's Compliance Agent is built around NIST CSF as its primary framework. Every monitoring check, evidence collection activity, and gap alert maps to a specific CSF function, category, and subcategory. Here is a function-by-function breakdown of what Gridlock automates.

Live Cross-Framework Mapping

Every NIST control addressed by Gridlock is automatically cross-referenced to HIPAA, SOC 2, PCI-DSS, ISO 27001, and CMMC. Satisfying NIST requirements generates compliance evidence for multiple frameworks simultaneously — no double work.

NIST CSF Function Gridlock Automation Key Subcategories Addressed
Govern (GV) Generates organizational risk posture dashboards, tracks policy coverage gaps, monitors supply chain vendor risk scores, maintains role-to-control mapping inventory. GV.RM-01, GV.RM-07, GV.SC-04, GV.SC-06, GV.PO-01, GV.OV-01
Identify (ID) Continuous asset discovery across all client environments, automatic asset classification, vulnerability inventory maintenance, dependency mapping, business impact analysis data collection. ID.AM-01 through ID.AM-08, ID.RA-01, ID.RA-05, ID.RA-09, ID.IM-01
Protect (PR) MFA enforcement monitoring, least-privilege access reviews, encryption verification (at rest and in transit), patch status tracking, security configuration baseline comparison, DNS filtering status, firewall rule analysis. PR.AA-01 through PR.AA-06, PR.DS-01, PR.DS-02, PR.DS-10, PR.IR-01 through PR.IR-04, PR.PS-01 through PR.PS-06
Detect (DE) Real-time threat detection across all managed environments, network traffic anomaly detection, behavioral analytics, SIEM log ingestion and correlation, threat intelligence feed integration, automated alert triage. DE.CM-01 through DE.CM-09, DE.AE-02 through DE.AE-08
Respond (RS) Automated incident escalation workflows, evidence packaging for response teams, root cause analysis reporting, stakeholder notification templates, post-incident improvement tracking, MITRE ATT&CK technique tagging on detected events. RS.MA-01 through RS.MA-05, RS.AN-01 through RS.AN-08, RS.CO-01 through RS.CO-03, RS.MI-01 through RS.MI-02
Recover (RC) Backup integrity monitoring, recovery time objective (RTO) tracking, disaster recovery test scheduling and evidence collection, restoration status dashboards, post-incident recovery communications templates. RC.RP-01 through RC.RP-06, RC.CO-03, RC.CO-04

Starting a NIST Assessment with Gridlock

A NIST CSF assessment with Gridlock follows a structured workflow that produces a current-state profile, target-state profile, and gap analysis report. The assessment can be run against a single client or across your entire managed portfolio simultaneously.

Step 1 — Scope Definition

Define the scope of the assessment: which systems, data types, and business functions are in scope. For a NIST CSF assessment, scope typically aligns with the organization's critical business functions and the information systems that support them. Gridlock's asset discovery automatically populates the scope candidate list — you review and confirm.

Step 2 — Current State Profile

Gridlock's Compliance Agent interrogates the in-scope environment to produce a Current State Profile: a snapshot of which CSF outcomes are currently being achieved and to what extent. This includes:

Step 3 — Target State Profile

The Target State Profile defines the CSF outcomes the organization needs to achieve based on its business requirements, risk appetite, and applicable regulatory obligations. Gridlock provides pre-built Target State Profiles for common scenarios:

Step 4 — Gap Analysis

The gap between the Current State Profile and the Target State Profile is the gap analysis. Gridlock produces a structured gap report with each gap categorized by:

Step 5 — Prioritized Remediation Plan

Gridlock generates a prioritized Plan of Action and Milestones (POA&M) from the gap analysis. Items are sorted by risk exposure reduction per effort unit — the highest-value, lowest-effort gaps come first. The POA&M format is directly compatible with federal reporting requirements and satisfies the documentation expectations of third-party auditors for CMMC and FedRAMP programs.

NIST CSF Gap Analysis Workflow

A systematic gap analysis against NIST CSF requires examining each of the 106 subcategories in CSF 2.0 and determining whether the organization's current practices satisfy each outcome. Gridlock automates the evidence collection step, but human review is required for policy, process, and governance elements.

Govern Function Gap Indicators

Identify Function Gap Indicators

Protect Function Gap Indicators

Detect Function Gap Indicators

Respond Function Gap Indicators

Recover Function Gap Indicators

NIST for MSPs — Government, Healthcare, and Defense Clients

MSPs serving government contractors, healthcare organizations, or defense supply chain companies face clients who are under binding NIST obligations. Understanding those obligations — and how to service them profitably — is a significant competitive advantage.

Servicing DoD Contractor Clients (CMMC)

CMMC Level 2 requires third-party assessment by a Certified Third Party Assessment Organization (C3PAO) against all 110 NIST SP 800-171 controls. Your role as an MSP supporting these clients:

Servicing Healthcare Clients (HIPAA + NIST)

NIST SP 800-66 Revision 2 (published 2023) is HHS's official HIPAA implementation guide, built on NIST SP 800-53. Healthcare organizations that use NIST 800-53 as their implementation framework automatically satisfy the technical and administrative safeguard requirements of the HIPAA Security Rule. When you run a NIST assessment on a healthcare client with Gridlock, the gap report automatically cross-maps to HIPAA Security Rule requirements.

Servicing Federal Agency Clients

MSPs supporting direct federal agency clients operate under FISMA (Federal Information Security Modernization Act), which mandates NIST SP 800-53 compliance. Key requirements:

MSP Liability in Regulated Environments

When an MSP manages systems in scope for CMMC, FedRAMP, or FISMA, the MSP's own security posture becomes part of the client's compliance surface. A compromise of MSP infrastructure that results in unauthorized access to CUI (Controlled Unclassified Information) can trigger DFARS reporting requirements, ATO suspension for federal systems, and potential contractor debarment. Gridlock's supply chain risk management features help MSPs maintain and demonstrate their own security posture to regulators and clients.

NIST vs. SOC 2 vs. ISO 27001 Comparison

MSPs frequently ask which framework to prioritize when a client is considering multiple options. The right answer depends on the client's industry, customer base, and regulatory obligations — but understanding the key differences and overlaps speeds up that conversation.

Dimension NIST CSF 2.0 SOC 2 Type II ISO 27001:2022
Origin US government (NIST), freely available AICPA, US-focused accounting/audit standard International standard (ISO/IEC), global recognition
Type Voluntary framework (mandatory for federal systems via FISMA/CMMC) Attestation report (auditor certifies controls operated effectively over a period) Certifiable management system standard (ISO registrar issues certificate)
Audience Any organization; required for US federal/defense sector Technology and SaaS companies selling to US enterprises; SOC 2 reports requested by enterprise buyers Global enterprises, especially those operating in Europe or doing business internationally
Outcome Documented risk posture and control implementation; no third-party certification unless CMMC/FedRAMP required Auditor-issued SOC 2 report (Type I: design; Type II: operating effectiveness over 6–12 months) ISO 27001 certificate issued by accredited certification body; renewable every 3 years
Scope Flexible — organization defines scope by business function; 106 subcategories in CSF 2.0 Defined by Trust Service Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy); audit covers a defined system Information Security Management System (ISMS) scope defined by organization; 93 controls in Annex A
Cost Internal effort only (unless CMMC/FedRAMP third-party assessment required) Audit fees typically $20,000–$100,000+ depending on scope and auditor Certification fees typically $15,000–$50,000+ for initial; annual surveillance audits ongoing
Time to achieve Current-state assessment: days to weeks with Gridlock. Remediation timeline varies by gap size. SOC 2 Type II: 6–12 months minimum observation period. Type I: 2–4 months preparation. ISO 27001 initial certification: typically 6–18 months
Regulatory recognition Recognized by HIPAA, FTC, SEC, NY DFS, and many state cybersecurity regulations Required by many enterprise SaaS buyers; recognized in US financial services and cloud vendor assessments Required or preferred for EU-based contracts; recognized under GDPR as an appropriate security measure
Gridlock support Full — NIST CSF is Gridlock's primary framework. Automated assessment, gap analysis, POA&M generation, continuous monitoring. Full — SOC 2 Trust Service Criteria mapped to Gridlock monitoring checks and evidence collection. Partial — ISO 27001 Annex A controls mapped to Gridlock checks; supports pre-audit evidence collection.
Best for US organizations with government clients, defense supply chain, or wanting a comprehensive risk management framework SaaS and technology companies responding to enterprise customer security questionnaires Organizations with EU operations, international clients, or seeking globally recognized certification

Can a client do more than one framework?

Yes — and many must. A healthcare IT company that sells to hospitals and has DoD contracts might need HIPAA, CMMC Level 2, SOC 2, and NIST CSF simultaneously. The good news: the frameworks have significant overlap. Gridlock's cross-framework mapping engine shows you exactly which controls satisfy multiple frameworks, eliminating redundant work. In most cases, satisfying NIST SP 800-53 Moderate gets you 70–80% of the way to SOC 2 Security, ISO 27001, and HIPAA simultaneously.

NIST CSF Compliance Checklist

Use this checklist to assess your NIST CSF posture or that of a client. Items marked as Tier 3 targets are the minimum for regulated environments.

Govern — Foundation

Identify — Know Your Environment

Protect — Build Your Defenses

Detect — Know When Something Goes Wrong

Respond — Act When Incidents Occur

Recover — Bounce Back

Gridlock automation

NIST Compliance — What "Good" Looks Like

A well-run NIST CSF Tier 3 program has: documented governance (risk strategy, policies, roles); a maintained asset inventory; verified security controls with continuous monitoring evidence; a tested incident response capability; and a recovery plan with proven backup restoration. Gridlock automates the monitoring and evidence collection so your team can focus on the governance and process elements that require human judgment.