NIST CSF 2.0 checklist: the six functions, including Govern
NIST CSF isn’t a one-time certification (NIST offers none); what an assessor looks for is evidence that your controls operate continuously. This checklist walks every category an assessor examines and flags which ones a platform can monitor automatically.
Version note: CSF 2.0 (2024) supersedes CSF 1.1 (2018). The five original Functions, Identify, Protect, Detect, Respond and Recover, carry into 2.0, which adds a sixth, Govern. This checklist tracks 2.0. If you’re still assessed against 1.1, note that the mapping is not one-to-one: 1.1’s governance-flavoured Identify categories (Business Environment, Governance, Risk Management Strategy and Supply Chain Risk Management) moved into Govern in 2.0, and several other categories were merged or renamed, so use NIST’s published 1.1-to-2.0 crosswalk rather than assuming your old Identify evidence lands under Identify below.
What NIST CSF requires
NIST CSF 2.0 is organised as 106 subcategories (NIST calls them outcomes; assessors treat them as controls) grouped into 22 categories across six Functions: Govern, Identify, Protect, Detect, Respond and Recover. Each must be both designed and operating. Assessors want evidence that the control worked throughout the review period, not just that it existed on paper.
The control checklist
The table below lists all 22 categories across the six CSF 2.0 Functions, including the new Govern Function, as 22 line items; each category expands to the subcategories an assessor actually tests. Categories marked Auto can be monitored continuously by SBCMSP; Manual categories need a documented process and human-generated evidence.
| Category | Outcome | Coverage |
|---|---|---|
| Govern (GV) | ||
| GV.OC | Organizational context | Manual |
| GV.RM | Risk management strategy | Manual |
| GV.RR | Roles, responsibilities & authorities | Manual |
| GV.PO | Policy | Manual |
| GV.OV | Oversight | Manual |
| GV.SC | Cybersecurity supply-chain risk | Manual |
| Identify (ID) | ||
| ID.AM | Asset management | Auto |
| ID.RA | Risk assessment | Auto |
| ID.IM | Improvement | Manual |
| Protect (PR) | ||
| PR.AA | Identity management, authentication & access control | Auto |
| PR.AT | Awareness & training | Manual |
| PR.DS | Data security | Auto |
| PR.PS | Platform security | Auto |
| PR.IR | Technology infrastructure resilience | Auto |
| Detect (DE) | ||
| DE.CM | Continuous monitoring | Auto |
| DE.AE | Adverse event analysis | Auto |
| Respond (RS) | ||
| RS.MA | Incident management | Manual |
| RS.AN | Incident analysis | Manual |
| RS.CO | Incident response reporting & communication | Manual |
| RS.MI | Incident mitigation | Manual |
| Recover (RC) | ||
| RC.RP | Incident recovery plan execution | Manual |
| RC.CO | Incident recovery communication | Manual |
Evidence you must collect
For every control, an auditor expects evidence it operated throughout the review period. Common examples:
- Access reviews with timestamps and approver
- Change tickets linked to deployments
- Encryption and configuration snapshots
- Vendor / supplier risk assessments on file
Automating the checklist
Eight of the 22 categories above are marked Auto: asset management and risk assessment in Identify, access control, data security, platform security and infrastructure resilience in Protect, and both Detect categories. Govern, Respond and Recover remain Manual because their outcomes are decisions, documents and exercises rather than system state. SBCMSP watches the Auto categories continuously, collects timestamped evidence, and flags drift, so the assessment becomes a review of a report you already have rather than a month-long scramble. For the Manual categories it can still hold the evidence, but a human has to produce it.
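The recurring requirement in both the evidence list and the automation paragraph above is that timestamped evidence must cover the whole review period without gaps, and that evidence needing sign-off actually carries an approver. The following is an added illustration of that check, not SBCMSP code or anything from NIST. The evidence records, the cadence table and the review period are constructed for the example; substitute your own policy's cadence.

```python
"""Evidence-coverage check: does timestamped control evidence span the whole
review period, and does each record that needs sign-off carry an approver?

Added illustration only; not SBCMSP code. Records, cadences and the review
period below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Evidence:
    control: str               # CSF 2.0 category the record supports, e.g. "PR.AA"
    kind: str                  # evidence type: access_review, config_snapshot, ...
    when: date                 # when the evidence was produced
    approver: Optional[str] = None   # human sign-off, where the control needs one


# Longest tolerable gap between consecutive pieces of evidence, per kind.
# Assumed cadences: quarterly access reviews, monthly configuration snapshots.
MAX_GAP_DAYS = {
    "access_review": 92,
    "config_snapshot": 31,
}


def coverage_gaps(records, kind, period_start, period_end, max_gap_days=None):
    """Return (gap_start, gap_end) pairs where no evidence of `kind` exists for
    longer than the allowed cadence anywhere in [period_start, period_end].
    The period boundaries count as checkpoints, so a missing first or last
    record shows up as a gap too."""
    max_gap = max_gap_days if max_gap_days is not None else MAX_GAP_DAYS[kind]
    dates = sorted(r.when for r in records
                   if r.kind == kind and period_start <= r.when <= period_end)
    gaps = []
    prev = period_start
    for d in dates + [period_end]:
        if (d - prev).days > max_gap:
            gaps.append((prev, d))
        prev = d
    return gaps


def missing_approver(records, kind):
    """Records of `kind` that lack the human sign-off an assessor will ask for."""
    return [r for r in records if r.kind == kind and not r.approver]


def report(records, kind, period_start, period_end):
    """Summarise findings with ISO dates so the result is easy to log or diff."""
    return {
        "gaps": [(a.isoformat(), b.isoformat())
                 for a, b in coverage_gaps(records, kind, period_start, period_end)],
        "missing_approver": [r.when.isoformat() for r in missing_approver(records, kind)],
    }


# Constructed sample: quarterly PR.AA access reviews, but the Q3 review never
# happened and the Q4 review was filed without an approver.
SAMPLE = [
    Evidence("PR.AA", "access_review", date(2024, 1, 15), "alice"),
    Evidence("PR.AA", "access_review", date(2024, 4, 12), "alice"),
    # no Q3 review on file
    Evidence("PR.AA", "access_review", date(2024, 10, 3), None),
]
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 12, 31)


def sample_report():
    return report(SAMPLE, "access_review", PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Run against the sample, the check reports one gap from 2024-04-12 to 2024-10-03 (174 days against a 92-day cadence) and one unapproved record dated 2024-10-03. Those two findings are exactly what an assessor would raise; a control whose evidence has a six-month hole did not operate "throughout the period", however good the policy document looks.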