NIST CSF 2.0 Controls List (With Excel Spreadsheet Download)

Home

breadcrumb icon

Blog

breadcrumb icon

NIST CSF 2.0 Controls List

NIST CSF 2.0 Controls List (With Excel Spreadsheet Download)

Author:

Rashmi Ogennavar

22 min read

Jul 15, 2026

The NIST Cybersecurity Framework (CSF) 2.0 helps organizations manage cybersecurity risk through structured functions, categories, and subcategories. Organizations commonly use the framework to strengthen governance, standardize controls, and align with frameworks such as ISO 27001, CIS Controls, and NIST 800-53.

With the release of NIST CSF 2.0 in 2024, the framework expanded from five to six core functions by introducing Govern, placing greater emphasis on cybersecurity governance, leadership accountability, and enterprise-wide risk oversight.

Rather than prescribing technologies, NIST CSF defines cybersecurity outcomes organizations are expected to achieve. These controls are commonly mapped to frameworks such as NIST 800-53, ISO 27001, and CIS Controls to support broader compliance and security programs.

In this blog, we'll break down the NIST CSF 2.0 controls list, explain the six core functions, explore how organizations implement the framework, and explain how organizations operationalize controls through governance and compliance workflows.

Diagram showing NIST CSF 2.0 controls organized under the six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.

Key Takeaways:

  • NIST CSF 2.0 contains 6 core cybersecurity functions
  • Controls are organized into categories and subcategories
  • The framework includes more than 100 cybersecurity subcategories
  • Organizations commonly map CSF controls to ISO 27001, NIST 800-53, and CIS Controls
  • Identity governance and continuous monitoring are central to implementation

What Are NIST CSF Controls?

NIST CSF controls are cybersecurity outcomes defined as subcategories within the framework structure. They help organizations manage, reduce, and monitor cybersecurity risk. The framework organizes cybersecurity practices into functions, categories, and measurable outcomes that support risk management and security maturity.

The framework is structured into:

  • Functions — high-level cybersecurity objectives
  • Categories — groups of related cybersecurity activities
  • Subcategories — specific security outcomes and controls

These subcategories form what many organizations refer to as NIST CSF controls.

Understanding the NIST CSF Structure

The framework starts with the six core NIST CSF functions:

  1. Govern
  2. Identify
  3. Protect
  4. Detect
  5. Respond
  6. Recover

Each function contains categories focused on a specific area of cybersecurity risk management. For example, the Protect function includes categories related to identity management, awareness training, and data security.

Under each category are detailed subcategories, which define measurable cybersecurity outcomes such as:

  • Maintaining asset inventories
  • Enforcing multi-factor authentication
  • Monitoring network activity
  • Conducting incident response planning

Together, these layers form the operational structure of NIST CSF 2.0.

Controls vs Implementation Methods

One important distinction is that NIST CSF does not prescribe exact technologies or tools. The framework defines what organizations should achieve, not exactly how to achieve it.

For example:

  • A CSF subcategory may require organizations to protect identities and manage access securely
  • The implementation method could involve MFA, identity governance platforms, PAM tools, or Zero Trust controls

This flexibility allows organizations to implement controls based on operational requirements and risk exposure.

Mapping to Other Security Frameworks

Another reason the NIST cybersecurity framework controls are widely adopted is that they map easily to other compliance and security frameworks.

Organizations commonly align the NIST CSF with:

  • NIST 800-53
  • ISO 27001
  • CIS Controls
  • SOC 2
  • HIPAA

This allows organizations to align cybersecurity operations with broader compliance and audit initiatives.

pro-tip-icon

Pro Tip

Organizations often fail with NIST CSF when they treat subcategories as isolated checklist items. The framework is most effective when controls are implemented as part of a connected risk management strategy.

How Many Controls Are in NIST CSF 2.0?

NIST CSF 2.0 includes more than 100 subcategories organized across six core functions and multiple categories. These subcategories act as controls-like cybersecurity outcomes that help organizations manage and reduce cyber risk.

Unlike prescriptive control catalogs such as NIST 800-53, the NIST CSF controls list is organized around cybersecurity outcomes rather than detailed technical requirements. These outcomes are structured as subcategories under broader functions and categories.

With the release of NIST CSF 2.0, the framework expanded from five to six core functions by adding Govern, which focuses on cybersecurity governance, enterprise risk oversight, and leadership accountability.

The framework now includes:

  • 6 core functions
  • 20+ categories
  • 100+ subcategories (controls-like outcomes)

These subcategories collectively define the operational outcomes within NIST CSF 2.0.

NIST CSF 2.0 Structure Overview

Framework LayerCount
Functions6
Categories20+
Subcategories100+

NIST CSF 1.1 vs NIST CSF 2.0

A major update in CSF 2.0 was the introduction of the Govern function.

VersionCore Functions
NIST CSF 1.15 Functions
NIST CSF 2.06 Functions

The addition of Govern reflects the growing importance of:

  • Cybersecurity governance
  • Third-party risk management
  • Supply chain security
  • Leadership involvement in cyber risk decisions

This change makes the framework more aligned with modern cybersecurity and enterprise risk management practices.

Are NIST CSF Subcategories "Controls"?

Technically, NIST CSF refers to them as subcategories, but many organizations treat them like security controls because they describe measurable cybersecurity outcomes.

For example, subcategories may require organizations to:

Organizations then implement technologies, policies, and processes to achieve those outcomes.

The 6 Core Functions of NIST CSF 2.0

The six core functions of NIST CSF 2.0 represent the lifecycle of cybersecurity risk management, from governance and protection to detection, response, and recovery. The NIST CSF functions provide a structured way for organizations to manage cybersecurity risks across people, processes, technology, and governance. Together, these functions provide a structured model for managing cybersecurity risk across the organization.

NIST CSF 2.0 six cybersecurity functions lifecycle diagram
1

Govern (GV)

The Govern function was introduced in NIST CSF 2.0 to strengthen cybersecurity governance and enterprise-wide risk oversight. This function focuses on aligning cybersecurity strategy with business objectives, defining accountability, and integrating cyber risk into organizational decision-making.

Example controls include:

  • Defining cybersecurity risk management strategies
  • Establishing security roles and responsibilities
  • Managing third-party and supply chain security risks

Govern integrates cybersecurity into enterprise risk and operational decision-making.

2

Identify (ID)

The Identify function focuses on understanding the organization's assets, risks, systems, and business environment. Effective security depends on visibility into systems, identities, assets, and business processes. This function helps establish visibility into infrastructure, applications, users, vendors, and critical business processes.

Example controls include:

  • Asset inventory management
  • Risk assessments
  • Supply chain and vendor risk analysis

This function forms the foundation for effective cybersecurity risk management.

3

Protect (PR)

The Protect function includes safeguards designed to secure systems, applications, identities, and sensitive data. This is one of the largest areas within the NIST cybersecurity framework controls, covering preventive security measures that reduce the likelihood and impact of attacks.

Example controls include:

  • Identity and access control
  • Security awareness and training
  • Data encryption and protection

Protect aligns closely with Zero Trust and identity-centric security models.

4

Detect (DE)

The Detect function focuses on identifying cybersecurity events, anomalies, and suspicious activity as quickly as possible. Organizations use this function to establish continuous monitoring and improve visibility into threats across systems and networks.

Example controls include:

  • Security monitoring
  • Log analysis
  • Intrusion detection systems (IDS)

Strong detection capabilities improve visibility into threats and reduce response delays.

5

Respond (RS)

The Respond function covers the actions organizations take after detecting a cybersecurity incident.

The goal is to contain threats, minimize impact, communicate effectively, and coordinate remediation efforts.

Example controls include:

  • Incident response planning
  • Threat analysis and investigation
  • Communication with internal and external parties

A mature response capability improves containment, coordination, and operational resilience.

6

Recover (RC)

The Recover function focuses on restoring systems, services, and business operations after a cybersecurity event. Recovery is not just about restoring systems, it also involves improving resilience and applying lessons learned to reduce future risk.

Example controls include:

  • Disaster recovery planning
  • System and service restoration
  • Post-incident improvements

This function supports operational resilience and business continuity after security incidents.

Implement NIST CSF 2.0 Systematically

A practical rollout plan for controls, governance, and visibility.

NIST CSF 2.0 Categories and Example Controls

Each NIST CSF function contains categories that represent key cybersecurity practices and operational security outcomes. The framework organizes cybersecurity outcomes across governance, protection, detection, response, and recovery activities.

While the framework does not prescribe exact technologies, each category represents an important area of cybersecurity risk management that organizations are expected to address through policies, processes, and technical controls.

Below is a simplified overview of the NIST CSF 2.0 controls list by category.

NIST CSF Controls List by Function & Category

Sr. NoFunctionCategoryExample Control
1GVGovernance StrategyDefine cyber risk management policies
2IDAsset ManagementMaintain inventory of systems and assets
3PRAccess ControlImplement MFA and least privilege access
4DEMonitoring & DetectionPerform continuous security monitoring
5RSIncident ResponseContain and investigate security incidents
6RCRecovery PlanningRestore critical systems and operations

How Categories Support Cybersecurity Risk Management

Each category within the NIST cybersecurity framework controls focuses on a different aspect of security maturity.

For example:

  • Governance categories focus on cybersecurity oversight and accountability
  • Identify categories improve visibility into assets, risks, and operational context
  • Protect categories strengthen safeguards such as identity security and encryption
  • Detect categories improve monitoring and threat visibility
  • Respond and Recover categories improve resilience and incident handling

Together, these categories create a structured cybersecurity risk management framework that organizations can adapt based on their industry, environment, and risk profile.

Why Organizations Use the NIST CSF Controls List

Organizations commonly use the NIST CSF 2.0 controls list to:

  • Assess cybersecurity maturity
  • Build risk management programs
  • Align security operations with business goals
  • Support audits and compliance initiatives
  • Map controls to ISO 27001, CIS Controls, or NIST 800-53

Its outcome-focused structure makes the framework adaptable across industries and operational environments.

NIST CSF Controls for Identity & Access Security

Identity security plays a central role in the NIST CSF controls list, particularly within the Identify and Protect functions. Modern attacks increasingly target identities, privileged accounts, weak authentication, and excessive permissions rather than infrastructure directly. As a result, identity and access security have become critical components of the NIST cybersecurity framework controls.

Within NIST CSF 2.0, identity-related controls appear across multiple categories, especially under the Identify (ID) and Protect (PR) functions.

1. Identity Governance

Identity governance helps organizations manage who has access to systems, applications, and sensitive data.

This includes:

Strong identity governance improves access visibility and reduces risks related to excessive permissions and unmanaged accounts.

2. Access Reviews

Regular access reviews are a critical part of maintaining compliance and reducing identity-related risk.

Organizations should continuously review:

  • User access rights
  • Privileged accounts
  • Third-party access
  • Role assignments

Without periodic reviews, excessive access accumulates over time and increases operational risk.

3. Least Privilege Access

The principle of least privilege ensures users only have access to the systems and data required for their role.

This helps reduce:

Least privilege is a foundational concept within Zero Trust and aligns closely with several NIST CSF security controls.

4. Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) helps organizations assign permissions based on job responsibilities instead of individual user requests. RBAC improves consistency, simplifies access management, and reduces manual errors. It also improves accountability and audit visibility across critical systems.

How Identity Governance Platforms Support NIST CSF Controls

Identity governance platforms help organizations operationalize many NIST CSF 2.0 controls by automating access management and improving visibility into identities across environments.

These platforms help enforce CSF controls by:

  • Automating provisioning and deprovisioning
  • Conducting access reviews and certifications
  • Monitoring privileged access
  • Enforcing least privilege policies
  • Detecting risky or excessive access
  • Supporting audit reporting and compliance evidence

As organizations adopt cloud platforms, SaaS applications, and hybrid environments, identity governance becomes increasingly important for maintaining continuous compliance and reducing cybersecurity risk. Solutions such as Identity Confluence by Tech Prescient help organizations move beyond manual access management toward continuous identity security and governance.

How Organizations Implement NIST CSF Controls

Implementing NIST CSF controls requires risk assessment, policy alignment, identity security, continuous monitoring, and ongoing improvement. The NIST Cybersecurity Framework is designed to be flexible, allowing organizations to implement controls based on their size, industry, and risk profile. Organizations typically implement NIST CSF incrementally, prioritizing high-risk areas such as identity security, asset visibility, and monitoring.

1. Assess Current Cybersecurity Posture

Organizations begin by evaluating their existing security posture to identify gaps, weaknesses, and high-risk areas.

This includes reviewing:

  • Existing security controls
  • Asset visibility
  • Identity and access management
  • Incident response capabilities
  • Third-party risks
  • Compliance requirements

The assessment helps determine which areas of the NIST CSF controls list require immediate attention.

2. Map Controls to Systems & Business Processes

Next, organizations map relevant NIST CSF 2.0 controls to their infrastructure, applications, cloud environments, and operational workflows.

This helps security teams understand:

  • Which systems support critical business functions
  • Where sensitive data exists
  • Which controls apply to specific environments
  • How responsibilities are assigned across teams

Mapping controls improves visibility and helps prioritize implementation efforts.

3. Implement Identity & Access Controls

Identity and access management are foundational to many NIST cybersecurity framework controls.

Organizations typically strengthen:

  • Multi-factor authentication (MFA)
  • Least privilege access
  • Role-based access control (RBAC)
  • Privileged access management
  • User provisioning and deprovisioning workflows

Strong identity governance helps reduce unauthorized access and supports continuous compliance.

4. Monitor Continuously

Cybersecurity risks evolve constantly, which is why continuous monitoring is a critical part of NIST CSF implementation.

Organizations monitor:

  • Security events and anomalies
  • User activity and access behavior
  • System vulnerabilities
  • Configuration changes
  • Threat intelligence feeds

Continuous monitoring improves threat visibility and operational response capabilities.

5. Improve Processes Continuously

NIST CSF implementation is not a one-time project. Organizations should regularly review controls, update policies, conduct assessments, and improve processes based on evolving threats and operational changes.

Continuous improvement helps organizations maintain resilience while adapting to:

  • New technologies
  • Cloud adoption
  • Regulatory changes
  • Emerging attack methods

This ongoing maturity model is one of the key strengths of the framework.

Best Practices for Managing NIST CSF Controls

Effective management of NIST CSF controls requires continuous monitoring, identity governance, Zero Trust principles, and ongoing risk assessment across internal and third-party environments.

Implementing the NIST CSF controls list is only the first step. Organizations also need a structured process to manage controls continuously as systems, users, threats, and business operations evolve. These practices help organizations improve visibility, maintain governance consistency, and strengthen operational resilience.

1. Automate Compliance Monitoring

Manual compliance tracking quickly becomes difficult in modern environments with cloud platforms, SaaS applications, hybrid infrastructure, and distributed users. Organizations should automate monitoring wherever possible to continuously track:

  • Security events and anomalies
  • Configuration changes
  • Access activity
  • Vulnerability status
  • Compliance gaps

Automation improves visibility into control effectiveness and reduces operational gaps.

2. Conduct Regular Access Reviews

Identity-related risks are one of the most common causes of security incidents and compliance failures.

Regular access reviews help organizations verify:

  • Who has access to critical systems
  • Whether permissions are still appropriate
  • If privileged access is justified
  • Whether inactive or orphaned accounts exist

Without regular reviews, excessive permissions accumulate and increase identity-related risk. Access reviews are especially important for cloud applications, third-party access, and privileged accounts.

3. Align with Zero Trust Security Principles

Modern cybersecurity strategies increasingly rely on Zero Trust principles, where no user or device is trusted by default. Aligning NIST cybersecurity framework controls with Zero Trust helps organizations:

  • Enforce least privilege access
  • Continuously validate identities
  • Segment access to sensitive systems
  • Reduce lateral movement during attacks

This approach strengthens both the Protect and Detect functions within the framework.

4. Integrate Identity Governance Solutions

Identity governance platforms play a major role in operationalizing many NIST CSF controls.

These solutions help organizations automate:

  • User provisioning and deprovisioning
  • Access certifications
  • Role-based access control (RBAC)
  • Privileged access monitoring
  • Separation of duties enforcement

Integrating identity governance improves visibility into who can access sensitive systems and helps maintain continuous compliance across environments. As organizations scale, identity governance becomes essential for reducing manual access management and supporting audit readiness.

5. Perform Third-Party Risk Assessments

Third-party vendors, SaaS providers, and supply chain partners can introduce significant cybersecurity risk. Organizations should regularly evaluate:

  • Vendor security practices
  • Access permissions granted to third parties
  • Compliance posture
  • Data-sharing relationships
  • Incident response capabilities

Third-party assessments help organizations identify external risks that could affect the security of their systems, data, and operations.

6. Assign Clear Control Ownership

Each control should have assigned ownership across security, IT, compliance, or business teams. Clear accountability improves remediation speed, audit readiness, and continuous compliance management.

Common Challenges in Implementing NIST CSF

Organizations often struggle to operationalize NIST CSF due to visibility gaps, identity complexity, and fragmented ownership. While the NIST Cybersecurity Framework provides a flexible structure for managing cybersecurity risk, implementation can become challenging as environments grow more distributed and complex. Many organizations struggle not with understanding the framework itself, but with operationalizing controls consistently across systems, users, and third-party environments.

1. Lack of Visibility

Many organizations lack complete visibility into their assets, identities, applications, and data flows. Without accurate visibility, it becomes difficult to map controls properly, identify risks, or understand where security gaps exist across the environment.

2. Manual Control Tracking

Organizations often rely on spreadsheets and manual processes to manage the NIST CSF controls list. As controls, systems, and compliance requirements grow, manual tracking becomes difficult to scale and maintain consistently.

3. Identity Sprawl

Modern environments include employees, contractors, third-party vendors, service accounts, and machine identities spread across cloud and SaaS platforms. Without centralized identity governance, organizations struggle to manage access consistently and enforce least privilege controls effectively.

4. Cloud Complexity

Cloud adoption introduces dynamic infrastructure, decentralized applications, and constantly changing configurations. This makes it harder to continuously monitor controls, maintain consistent policies, and ensure security visibility across hybrid and multi-cloud environments.

5. Third-Party Risk

Vendors, SaaS providers, and supply chain partners often have access to sensitive systems and data. Organizations may implement strong internal controls while still remaining exposed through poorly monitored third-party relationships and external integrations.

6. Audit Fatigue

Many security and compliance teams spend significant time preparing documentation, collecting evidence, and responding to repeated audit requests. Without centralized visibility and automation, maintaining audit readiness becomes resource-intensive.

7. Inconsistent Ownership

NIST CSF implementation often involves multiple teams across IT, security, compliance, infrastructure, and business operations. When ownership of controls is unclear or fragmented, remediation efforts slow down, and accountability gaps emerge.

NIST CSF vs Other Security Frameworks

NIST CSF focuses on cybersecurity risk management, while frameworks such as ISO 27001, NIST 800-53, and CIS Controls provide governance and implementation guidance at different levels. Organizations often use multiple frameworks together depending on their compliance requirements, industry, and security maturity. The NIST CSF controls list is widely adopted because it provides a flexible, outcome-driven approach that can align with other security and compliance frameworks.

Security Framework Comparison

FrameworkPrimary FocusBest ForPrescriptive Level
NIST CSFCybersecurity risk managementRisk managementFlexible
ISO 27001Information security management systems (ISMS)Compliance governanceModerate
NIST 800-53Detailed security and privacy control catalogueFederal environmentsHighly detailed
CIS ControlsPractical prioritized cybersecurity actionsOperational hardeningPractical

How NIST CSF Differs

The NIST Cybersecurity Framework focuses on helping organizations identify, manage, and reduce cybersecurity risks through flexible functions, categories, and security outcomes.

In comparison:

  • ISO 27001 focuses more on building and maintaining a formal information security management system (ISMS)
  • NIST 800-53 provides a highly detailed catalog of technical and administrative security controls
  • CIS Controls prioritize practical cybersecurity actions designed to reduce common attack risks quickly

Many organizations use NIST CSF as a high-level risk management framework while mapping its controls to ISO 27001, NIST 800-53, or CIS Controls for implementation guidance.

Final Thoughts

NIST CSF 2.0 gives organizations a flexible framework for managing cybersecurity risk across governance, operations, identity security, and resilience. As environments become more cloud-driven and identity-centric, organizations increasingly use the framework to improve visibility, standardize governance, and strengthen long-term security maturity.

Move Beyond Static Compliance

Operationalize NIST CSF 2.0 with continuous governance workflows.

FAQs

NIST CSF controls are cybersecurity practices and security outcomes defined as subcategories within the NIST Cybersecurity Framework. These controls help organizations identify, manage, detect, respond to, and recover from cybersecurity risks. Instead of prescribing specific technologies, the framework focuses on the outcomes organizations should achieve to strengthen cybersecurity posture.

The NIST CSF 2.0 controls list includes more than 100 subcategories, which function as controls-like cybersecurity outcomes. These are organized across six core functions and multiple categories covering areas such as governance, identity security, monitoring, incident response, and recovery.

The six NIST CSF functions are Govern, Identify, Protect, Detect, Respond, and Recover. Together, these functions represent the lifecycle of cybersecurity risk management and help organizations structure their security programs around governance, protection, monitoring, response, and resilience.

Yes. Many organizations use a NIST CSF controls spreadsheet or Excel template to track functions, categories, subcategories, implementation status, ownership, and compliance progress. These spreadsheets help security and compliance teams monitor control maturity, document evidence, and manage remediation activities more efficiently.

No, the NIST Cybersecurity Framework is voluntary and not legally required for most organizations. However, it is widely adopted across industries because it provides a flexible and practical framework for cybersecurity risk management, compliance alignment, and continuous security improvement.

Share

LinkedInFacebookXMail
Rashmi Ogennavar - Content Strategist

Rashmi Ogennavar

Content Strategist

A content strategist translating complex Tech and SaaS concepts into compelling narratives for business and technical audiences. With a strategic, data-informed approach, the work bridges content and product storytelling, crafting messaging that resonates and drives decisions across the buyer journey.

Most Popular Blogs

DPDP Act Rules News Today: Latest Notification & Compliance Timeline SVG

Identity Security· 19 min read

DPDP Act Rules News Today: Latest Notification & Compliance Timeline

Latest DPDP Act rules news in India. Learn about DPDP rules notification, compliance deadlines, penalties, and the implementation timeline to 2027.

Yatin Laygude· July 15, 2026

GDPR Compliance Software: Tools, Features & Buyer Guide SVG

Identity Security· 25 min read

GDPR Compliance Software: Tools, Features & Buyer Guide

Discover the best GDPR compliance software, key features, and how to choose the right privacy management platform for SaaS, enterprises, and small businesses.

Rashmi Ogennavar· July 15, 2026

HIPAA Compliance Checklist: Step-by-Step Guide SVG

Identity Security· 27 min read

HIPAA Compliance Checklist: Step-by-Step Guide

Use this HIPAA compliance checklist to meet security, privacy & audit requirements. Includes IT, software & security rule checklists.

Rashmi Ogennavar· July 15, 2026