The NIST Cybersecurity Framework 2.0, published in February 2024, is the most widely adopted reference standard worldwide for assessing, structuring and communicating an organization's cybersecurity posture. On this page you will find a complete technical explanation of the framework, the differences from the previous version, the six core functions and practical guidance for applying it in Brazilian companies.
What the NIST Cybersecurity Framework is
The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, published the first version of the Cybersecurity Framework in 2014 at the request of the U.S. government to protect critical infrastructure. Since then, the framework has been adopted by organizations in more than 180 countries, including governments, banks, healthcare providers and technology startups.
The CSF is not a compliance checklist of boxes to tick. It is a common language that lets technical managers, executives and boards of directors discuss cyber risk with the same precision they use to discuss financial risk. This is relevant in Brazil because the LGPD (General Data Protection Law, Law 13.709/2018) requires adequate technical and administrative measures but does not specify what those measures are — the NIST CSF fills exactly that gap.
What changed from CSF 1.1 to CSF 2.0
Version 2.0 brings three structural changes compared with 1.1, published in 2018.
The most significant is the creation of the GOVERN function, which now heads the framework. In CSF 1.1, topics such as cybersecurity policy, definition of risk appetite, third-party risk management and executive accountability were spread out in a fragmented way. Version 2.0 consolidates them into their own function, signaling that cybersecurity is a corporate governance discipline, not just an IT problem.
The second change is the broadening of the target audience. CSF 1.1 was aimed explicitly at critical-infrastructure sectors; CSF 2.0 positions itself as a universal framework, applicable to organizations of any size and sector — from the sole proprietor who processes online payments to the multinational with operations in multiple countries.
The third change is the emphasis on cybersecurity supply chain risk management (C-SCRM). The GOVERN function dedicates an entire category to the topic, recognizing that vulnerabilities in suppliers and technology service providers represent an attack vector as critical as internal failures — as the incidents involving SolarWinds, Kaseya and MOVEit demonstrate.
The six functions of NIST CSF 2.0
The framework organizes cybersecurity activities into six high-level functions. Each function subdivides into categories (expected outcomes) and subcategories (specific controls), totaling 22 categories and 106 subcategories.
| Function | Abbreviation | Core objective | Categories |
|---|---|---|---|
| GOVERN | GV | Establish and monitor the cyber risk management strategy, expectations and policies | 6 |
| IDENTIFY | ID | Understand the organizational context, assets, risks and dependencies | 3 |
| PROTECT | PR | Implement safeguards to ensure the delivery of critical services | 5 |
| DETECT | DE | Identify the occurrence of cybersecurity events in a timely manner | 3 |
| RESPOND | RS | Take action against detected events to contain the impact | 4 |
| RECOVER | RC | Restore capabilities and services affected by a cybersecurity incident | 3 |
GOVERN — the new governance function
GOVERN is the newest and, in many respects, the most important function in CSF 2.0. It deals with defining the organizational context, determining risk appetite and tolerance, establishing cybersecurity policy, executive-leadership oversight of security activities, supply chain risk management and integrating cybersecurity into organizational strategy and culture.
For Brazilian companies, GOVERN is the starting point for demonstrating to shareholders, to the board of directors and to the National Data Protection Authority (ANPD) that formal governance exists over information security risks — an implicit condition of Article 46 of the LGPD.
IDENTIFY — know before you protect
IDENTIFY covers asset inventory (hardware, software, data, services), mapping the risks to those assets and understanding the business environment and the legal and regulatory obligations. Organizations that skip this function tend to protect what is visible, not what is critical.
PROTECT — preventive controls
PROTECT covers identity and access management, awareness training, data security, information protection processes and procedures, systems maintenance and protective technology. It is the function where most of the CIS Controls v8 and ISO 27001:2022 Annex A controls fit.
DETECT — real-time visibility
DETECT deals with continuous monitoring of security events, anomaly analysis and detection processes. Without detection capability, the average time to identify a breach — which according to the IBM Cost of a Data Breach 2024 report is 194 days globally — remains high, amplifying the financial and reputational impact.
RESPOND — structured incident response
RESPOND defines how the organization plans, communicates, analyzes, mitigates and continuously improves its incident response capability. A documented and tested response plan is an implicit requirement of the LGPD (Article 48) and a formal requirement of sector standards such as BCB Resolution 4.658 for financial institutions.
RECOVER — return to normal
RECOVER covers recovery planning, communication strategies during and after an incident, and lessons learned to improve future cycles. The function is directly related to the concept of operational resilience that financial regulators (BCB, SUSEP) and health regulators (ANS) have emphasized since 2020.
Maturity Tiers: where your organization stands
The NIST CSF 2.0 Tiers describe four levels of sophistication in cyber risk management. They are not a compliance scoring system, but a self-discovery tool for internally communicating current and aspired maturity.
Tier 1 — Partial: cyber risk management practices are informal or nonexistent. Incident responses are reactive. There is no organizational awareness of the topic.
Tier 2 — Risk Informed: risk awareness exists, but practices are neither formalized nor consistently applied. Employees know the topic matters, but there are no standardized processes.
Tier 3 — Repeatable: risk management policies and processes are formal, documented and applied across the organization. Senior leadership is engaged and the topic is integrated into strategic planning.
Tier 4 — Adaptive: the organization continuously adapts its practices based on threat intelligence, lessons learned and changes in the business environment. Cybersecurity is part of the organizational culture and of decision-making at every level.
Most Brazilian SMEs operate at Tier 1 or 2. Mid-sized companies with dedicated IT teams generally reach Tier 2 or 3. Tier 4 is typical of banks, telecommunications operators and technology companies with mature security programs.
Profiles: the maturity gap map
A Profile is a record of the implementation state of each CSF 2.0 subcategory for a specific organization. The framework recommends building two profiles:
The Current Profile describes how the organization manages cyber risk today, subcategory by subcategory. Building it requires collecting real evidence: documented policies, system logs, penetration test results, training records.
The Target Profile describes the desired state, determined by the organization's risk appetite, its business objectives, regulatory obligations and tolerance for disruption. In general, the Target Profile is more demanding on critical assets and processes and more lenient on peripheral ones.
The gap between the two profiles directly generates the security roadmap: the subcategories with the greatest distance between current and desired state are the ones that represent the greatest risk and should be prioritized in the investment plan.
Relationship with ISO 27001, CIS Controls and the LGPD
NIST CSF 2.0 is not a competitor to other frameworks — it is complementary. NIST itself maintains public mapping tables between the CSF and ISO/IEC 27001:2022, CIS Controls v8, NIST SP 800-53 Rev. 5 and other standards, available at nist.gov/cyberframework.
ISO 27001:2022: ISO 27001 is a certifiable standard that defines requirements for an Information Security Management System (ISMS). The NIST CSF is an outcome-oriented framework. Organizations seeking ISO 27001 certification can use the CSF as a diagnostic and prioritization tool before or during ISMS implementation.
CIS Controls v8: the 18 CIS controls are prescriptive and technical — they say exactly what to implement. The NIST CSF is more abstract and risk-oriented. Many organizations use the CSF to define priorities and the CIS Controls to detail the technical implementation.
LGPD: the General Data Protection Law requires security measures, both technical and administrative, capable of protecting personal data. CSF 2.0 provides the framework to demonstrate that these measures exist, are proportional to the risk and are reviewed continuously — elements assessed by the ANPD in the event of an investigation into a security incident involving personal data.
Frequently asked questions
- What is the NIST Cybersecurity Framework 2.0?
- It is a voluntary set of guidelines, recommended practices and standards published by the U.S. National Institute of Standards and Technology (NIST) in February 2024. It provides a common language for organizations of any size to assess, communicate and improve their cybersecurity posture, regardless of sector or size.
- What is the main difference between NIST CSF 2.0 and CSF 1.1?
- The central change is the addition of the GOVERN function, which formalizes requirements for governance, organizational culture, supply chain risk management and executive oversight — topics that in CSF 1.1 were diluted or absent. The framework also shifted from a focus on critical infrastructure to explicit guidance for organizations of all sizes and sectors.
- Is NIST CSF 2.0 mandatory for Brazilian companies?
- It is not a legal requirement in Brazil, but it is widely adopted as a technical reference. It complements the LGPD by detailing operational controls that the law does not specify, and it is accepted by auditors, enterprise clients and international partners as evidence of information security maturity.
- How many controls are there in NIST CSF 2.0?
- CSF 2.0 is organized into 6 functions, 22 categories and 106 subcategories (controls). Each subcategory describes a desired cybersecurity outcome and can be mapped to other frameworks such as ISO/IEC 27001:2022, CIS Controls v8 and NIST SP 800-53.
- What are Tiers and Profiles in NIST CSF 2.0?
- Tiers (1 to 4) describe the level of sophistication with which the organization manages cyber risk: from Tier 1 (Partial, with no formal processes) to Tier 4 (Adaptive, with continuous improvement and integrated threat intelligence). Profiles record the current state and the target state of the security posture, making it possible to identify gaps and prioritize investments.
- How do you start implementing NIST CSF 2.0 in an SME?
- The recommended entry point is to build a Current Profile through an assessment of the 106 subcategories, assigning implementation levels to each one. Next, a Target Profile is defined based on risk appetite and business requirements. The gap between the two guides the roadmap of controls to implement, in a prioritized way proportional to the company's size.
References
- NIST Cybersecurity Framework 2.0 — nist.gov/cyberframework
- NIST CSF 2.0 Quick Start Guides — nist.gov/cyberframework/getting-started
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations
- ISO/IEC 27001:2022 — Information Security Management Systems
- CIS Controls v8 — Center for Internet Security
- IBM Cost of a Data Breach Report 2024
- LGPD — Law 13.709/2018, articles 46 and 48
How Decripte applies NIST CSF 2.0
Decripte performs maturity assessments based on NIST CSF 2.0 for companies of 1 to more than 100,000 employees. The process begins with building the Current Profile through structured interviews, documentation analysis and technical testing. Next, we produce the Target Profile appropriate to the organization's sector, size and risk appetite and deliver a prioritized roadmap of controls with cost and impact estimates.
For companies that need to go beyond the diagnostic, Decripte's Threat Management plan includes continuous vulnerability monitoring, threat intelligence and support for implementing the controls identified as critical gaps — operationally covering the DETECT, RESPOND and RECOVER functions of CSF 2.0.
Access the free Threat Management plan to learn your organization's risk posture with no commitment, or talk to our specialists for a complete NIST CSF maturity assessment.
