NIST CSF 2.0 · 6 Functions · incl. Govern

NIST CSF 2.0, run as continuous outcomes.

All 6 functions and 106 subcategories mapped to live tests against your real stack. Track your Implementation Tier from Current to Target Profile, and reuse the same evidence for SOC 2 and ISO 27001.

Current Profile (Target: Tier 3 · Repeatable)

Govern · T3
Identify · T3
Protect · T2
Detect · T2
Respond · T3
Recover · T2

106 subcategories scored from live evidence
6 / 6 functions mapped: Govern, Identify, Protect, Detect, Respond, Recover — including the new Govern function added in CSF 2.0.

106 subcategories tracked: every outcome across 22 categories, mapped to a continuous test or policy/document evidence.

T1 → T4 tier maturity, scored live: Partial → Risk Informed → Repeatable → Adaptive, measured from real evidence, not a self-assessment survey.

The 6 functions, each tied to real evidence

CSF 2.0 organizes 106 outcomes under 6 functions. Strac maps every one — automatable outcomes run as continuous tests, the rest as pre-mapped policy and document evidence.

Govern (GV) · 31 subcategories · new in 2.0

Strategy, roles, policy, oversight, and supply-chain risk (GV.SC) — mapped to your policy approvals and a live vendor register.

Identify (ID) · 21 subcategories

Asset, data, and risk inventory — driven by continuous discovery across AWS, endpoints (Jamf), and SaaS, not a one-time questionnaire.

Protect (PR) · 22 subcategories

Identity, access, and data security — MFA, encryption, and least-privilege validated by daily tests on Okta, Google Workspace, and AWS.

Detect (DE) · 11 subcategories

Continuous monitoring and adverse-event detection — CloudTrail and audit-log coverage proven, not assumed.

Respond (RS) · 13 subcategories

Incident management, analysis, and reporting — playbooks with evidence capture and third-party coordination (RS.MA).

Recover (RC) · 8 subcategories

Recovery plan execution and communications — DR/BCP documentation and AWS Backup posture tied to RC.RP.

How it works

From a Target Profile to a board-ready tier report — without the consultant spreadsheet.

1. Set your Target Profile

Pick your target tier per function based on your risk tolerance, sector, and regulatory obligations.

2. Connect & test

Connect AWS, Google Workspace, Okta, GitHub, and more. Continuous tests map to CSF subcategories automatically.

3. Track Current Profile

Your Current Profile and per-function tier are scored from live evidence — gaps surface as they happen.

4. Report the maturity

Export a tier heatmap and a CSF binder for the board, an assessor, or your cyber-insurance renewal.

Maturity, not just pass/fail

Track your tier from Partial to Adaptive.

CSF isn't a checkbox standard — it's a maturity model. Strac scores your Current Profile against your Target across all four Implementation Tiers, per function, from live evidence. That is the view a board and a cyber-insurer actually ask for — and the one a flat control checklist can't give them.

  • Set a Target Profile and per-function target tier
  • Current Profile scored continuously from real test + policy evidence
  • Gap-to-target surfaced per function, not buried in a 106-row sheet
  • Export a tier heatmap for the board and your cyber-insurance renewal
T1 · Partial

Ad-hoc, inconsistent practices in pockets across the organization.

T2 · Risk Informed (you are here)

Risk-aware decisions, but practices vary by team and aren’t enterprise-wide.

T3 · Repeatable

Formalized policies and controls applied consistently, with stable governance.

T4 · Adaptive

Continuous monitoring and learning; automation drives proactive improvement.

The headline change in CSF 2.0

The new Govern function is real evidence here — not a policy PDF.

CSF 2.0 added Govern (31 subcategories) to make cybersecurity a board-level and supply-chain concern. Most tools answer it with a template policy library. Strac maps GV to live artifacts: roles and oversight to your org + policy approvals, and supply-chain risk (GV.SC) to a continuously-scored vendor register — so “we govern third-party risk” is provable, not just asserted.

See how GV.SC maps to Strac TPRM

Beyond the framework tab

For Vanta and Drata, NIST CSF is one more checklist bolted onto a SOC 2 dashboard. Strac runs it as the maturity model it actually is.

Capability | Vanta / Drata | Strac Comply
NIST CSF 2.0 coverage | Partial / 1.1-era mappings | Full 2.0 — all 6 functions, 106 subcategories
The Govern function (GV) | Generic policy checklist | Mapped to live policies + vendor register
Implementation Tier tracking | | Current → Target profile, per function
Evidence freshness | Periodic / questionnaire | Daily tests on real AWS, GWS, Okta
Board / insurer reporting | Pass-fail control list | Tier heatmap by function
Supply-chain risk (GV.SC) | Static spreadsheet | Continuous TPRM, deterministic scoring
Cross-framework reuse | Re-entered per framework | One test → CSF + SOC 2 + ISO 27001
One evidence base

One test. Three frameworks.

CSF's Protect and Detect outcomes overlap heavily with SOC 2 and ISO 27001. A single MFA test satisfies all three at once.

Okta + Google Workspace · MFA enforced
NIST CSF · PR.AA-01 | SOC 2 · CC6.1 | ISO 27001 · A.8.5

Frequently asked

What changed in NIST CSF 2.0 versus 1.1?

The headline change is the new Govern function (6 categories, 31 subcategories) elevating cybersecurity to enterprise governance and supply-chain risk. CSF 2.0 (February 2024) also broadened from critical infrastructure to organizations of every size and sector, added Implementation Examples and Quick-Start Guides, and is now structured as 6 functions / 22 categories / 106 subcategories. Strac maps the full 2.0 core.

Is NIST CSF mandatory?

No — CSF is voluntary. But it has become the de facto baseline for U.S. enterprise security and a stepping stone toward FedRAMP, CMMC, and NIST SP 800-53. Enterprise customers and cyber-insurers increasingly ask vendors to attest against it, and Strac gives you the continuous evidence to answer in days.

What are Implementation Tiers, and do we pick one?

Tiers describe how mature and consistent your cybersecurity risk practices are: Partial (1), Risk Informed (2), Repeatable (3), Adaptive (4). You set a Target Profile and per-function target tier; Strac scores your Current Profile from live evidence and shows the gap — the maturity view boards and insurers actually want.

How does NIST CSF map to SOC 2 and ISO 27001?

Closely. CSF’s Protect and Detect subcategories overlap heavily with SOC 2’s Common Criteria and ISO 27001 Annex A. Strac maintains the cross-framework mapping so a single MFA, logging, or encryption test counts toward all three — one evidence base, no duplicate work.

Do you cover the Govern function’s supply-chain outcomes (GV.SC)?

Yes. GV.SC maps to Strac TPRM — third-party discovery (including shadow AI), a deterministic vendor risk engine, and continuous monitoring — so your supply-chain governance is backed by live evidence, not a spreadsheet.

Know your tier. Prove your outcomes.

See your NIST CSF 2.0 Current Profile scored from real evidence — and a clear path to your Target tier.