Back to Frameworks

NIST Cybersecurity Framework 2.0

United States
v2.0
12 domains
106 controls

Voluntary framework for managing and reducing cybersecurity risk, organized around six core functions

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (12)

DE - Detect

11 controls

Find and analyze possible cybersecurity attacks and compromises

Controls in the DE - Detect domain of NIST Cybersecurity Framework 2.011 controls
CodeTitle
NIST-CSF-DE.AE-02Potentially adverse events are analyzed to better understand associated activities
NIST-CSF-DE.AE-03Information is correlated from multiple sources
NIST-CSF-DE.AE-04Estimated impact and scope of adverse events are understood
NIST-CSF-DE.AE-06Information on adverse events is provided to authorized staff
NIST-CSF-DE.AE-07Cyber threat intelligence and contextual information are integrated into analysis
NIST-CSF-DE.AE-08Incidents are declared when adverse events meet defined criteria
NIST-CSF-DE.CM-01Networks and network services are monitored to find potentially adverse events
NIST-CSF-DE.CM-02The physical environment is monitored to find potentially adverse events
NIST-CSF-DE.CM-03Personnel activity and technology usage are monitored to find potentially adverse events
NIST-CSF-DE.CM-06External service provider activities are monitored to find potentially adverse events
NIST-CSF-DE.CM-09Computing hardware and software are monitored to find potentially adverse events

Detect

0 controls

GV - Govern

28 controls

Establish and monitor cybersecurity risk management strategy, expectations, and policy

Controls in the GV - Govern domain of NIST Cybersecurity Framework 2.028 controls
CodeTitle
NIST-CSF-GV.OC-01Organizational context for cybersecurity risk management is understood
NIST-CSF-GV.OC-02Internal and external stakeholders are understood
NIST-CSF-GV.OC-03Legal, regulatory, and contractual requirements are understood
NIST-CSF-GV.OC-04Critical objectives, capabilities, and services are understood
NIST-CSF-GV.OC-05Outcomes and dependencies of critical services are understood
NIST-CSF-GV.PO-01Cybersecurity risk management policy is established based on context and strategy
NIST-CSF-GV.PO-02Policy is reviewed, updated, communicated, and enforced
NIST-CSF-GV.RM-01Risk management objectives are established and agreed upon
NIST-CSF-GV.RM-02Risk appetite and risk tolerance statements are established
NIST-CSF-GV.RM-03Cybersecurity risk management activities and outcomes are included in enterprise risk
NIST-CSF-GV.RM-04Strategic direction for cybersecurity risk management is established
NIST-CSF-GV.RM-05Communication lines for cybersecurity risk management are established
NIST-CSF-GV.RM-06A standardized method for calculating and expressing cybersecurity risk is established
NIST-CSF-GV.RM-07Opportunities for improvements are identified from risk assessments
NIST-CSF-GV.RR-01Organizational leadership is responsible for cybersecurity risk management
NIST-CSF-GV.RR-02Roles and responsibilities for cybersecurity risk management are established
NIST-CSF-GV.RR-03Adequate resources are allocated for cybersecurity risk management
NIST-CSF-GV.RR-04Cybersecurity is included in human resources practices
NIST-CSF-GV.SC-01Cybersecurity supply chain risk management program is established
NIST-CSF-GV.SC-02Cybersecurity roles and responsibilities for suppliers are established
NIST-CSF-GV.SC-03Supply chain risk management is integrated into risk management
NIST-CSF-GV.SC-04Suppliers are known and prioritized by criticality
NIST-CSF-GV.SC-05Requirements are established and managed for suppliers
NIST-CSF-GV.SC-06Planning and due diligence are performed to reduce supply chain risks
NIST-CSF-GV.SC-07Supply chain risk management is verified throughout supplier relationships
NIST-CSF-GV.SC-08Relevant suppliers and partners are included in incident planning
NIST-CSF-GV.SC-09Supply chain security practices are integrated into security program
NIST-CSF-GV.SC-10Cybersecurity supply chain risk management plans include provisions for post-acquisition activities

Govern

3 controls
Controls in the Govern domain of NIST Cybersecurity Framework 2.03 controls
CodeTitle
GV.OV-01Risk management strategy outcomes are reviewed
GV.OV-02Risk management strategy is reviewed for coverage
GV.OV-03Risk management performance is evaluated

ID - Identify

21 controls

Understand current cybersecurity risks to the organization

Controls in the ID - Identify domain of NIST Cybersecurity Framework 2.021 controls
CodeTitle
NIST-CSF-ID.AM-01Inventories of hardware managed by the organization are maintained
NIST-CSF-ID.AM-02Inventories of software, services, and systems managed by the organization are maintained
NIST-CSF-ID.AM-03Representations of authorized network communication and data flows are maintained
NIST-CSF-ID.AM-04Inventories of services provided by suppliers are maintained
NIST-CSF-ID.AM-05Assets are prioritized based on classification, criticality, resources, and impact
NIST-CSF-ID.AM-07Inventories of data and corresponding metadata are maintained
NIST-CSF-ID.AM-08Systems, hardware, software, and services are managed throughout their life cycles
NIST-CSF-ID.IM-01Improvements are identified from security test and exercise results
NIST-CSF-ID.IM-02Improvements are identified from security assessments
NIST-CSF-ID.IM-03Improvements are identified from operational activities and incidents
NIST-CSF-ID.IM-04Incident response plans and other cybersecurity plans are established and maintained
NIST-CSF-ID.RA-01Vulnerabilities in assets are identified, validated, and recorded
NIST-CSF-ID.RA-02Cyber threat intelligence is received from information sharing forums
NIST-CSF-ID.RA-03Internal and external threats are identified and recorded
NIST-CSF-ID.RA-04Potential impacts and likelihoods of threats exploiting vulnerabilities are identified
NIST-CSF-ID.RA-05Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk
NIST-CSF-ID.RA-06Risk responses are chosen, prioritized, planned, tracked, and communicated
NIST-CSF-ID.RA-07Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
NIST-CSF-ID.RA-08Effectiveness of risk responses is assessed
NIST-CSF-ID.RA-09Integrity and accuracy of risk assessment results are verified
NIST-CSF-ID.RA-10Critical suppliers are assessed on the basis of their risk

Identify

0 controls

PR - Protect

22 controls

Use safeguards to prevent or reduce cybersecurity risk

Controls in the PR - Protect domain of NIST Cybersecurity Framework 2.022 controls
CodeTitle
NIST-CSF-PR.AA-01Identities and credentials for authorized users, services, and hardware are managed
NIST-CSF-PR.AA-02Identities are proofed and bound to credentials based on the context of interactions
NIST-CSF-PR.AA-03Users, services, and hardware are authenticated
NIST-CSF-PR.AA-04Identity assertions are protected, conveyed, and verified
NIST-CSF-PR.AA-05Access permissions, entitlements, and authorizations are defined and managed
NIST-CSF-PR.AA-06Physical access to assets is managed, monitored, and enforced
NIST-CSF-PR.AT-01Personnel are provided awareness and training to perform cybersecurity duties
NIST-CSF-PR.AT-02Individuals in specialized roles are provided awareness and training
NIST-CSF-PR.DS-01The confidentiality, integrity, and availability of data-at-rest are protected
NIST-CSF-PR.DS-02The confidentiality, integrity, and availability of data-in-transit are protected
NIST-CSF-PR.DS-10The confidentiality, integrity, and availability of data-in-use are protected
NIST-CSF-PR.DS-11Backups of data are created, protected, maintained, and tested
NIST-CSF-PR.IR-01Networks and environments are protected from unauthorized access
NIST-CSF-PR.IR-02The organization's technology assets are protected from environmental threats
NIST-CSF-PR.IR-03Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
NIST-CSF-PR.IR-04Adequate resource capacity to ensure availability is maintained
NIST-CSF-PR.PS-01Configuration management practices are established and applied
NIST-CSF-PR.PS-02Software is maintained, replaced, and removed commensurate with risk
NIST-CSF-PR.PS-03Hardware is maintained, replaced, and removed commensurate with risk
NIST-CSF-PR.PS-04Log records are generated and made available for continuous monitoring
NIST-CSF-PR.PS-05Installation and execution of unauthorized software is prevented
NIST-CSF-PR.PS-06Secure software development practices are integrated throughout the SDLC

Protect

0 controls

RC - Recover

8 controls

Restore assets and operations affected by a cybersecurity incident

Controls in the RC - Recover domain of NIST Cybersecurity Framework 2.08 controls
CodeTitle
NIST-CSF-RC.CO-03Recovery activities and progress are communicated to stakeholders
NIST-CSF-RC.CO-04Public updates on incident recovery are shared using approved methods
NIST-CSF-RC.RP-01The recovery portion of the incident response plan is executed
NIST-CSF-RC.RP-02Recovery actions are selected, scoped, and prioritized
NIST-CSF-RC.RP-03The integrity of backups is verified before use in restoration
NIST-CSF-RC.RP-04Critical functions and services are restored to operational capability
NIST-CSF-RC.RP-05Integrity of restored assets is verified
NIST-CSF-RC.RP-06End-of-recovery is declared based on criteria and documentation

RS - Respond

13 controls

Take action regarding a detected cybersecurity incident

Controls in the RS - Respond domain of NIST Cybersecurity Framework 2.013 controls
CodeTitle
NIST-CSF-RS.AN-03Analysis is performed to determine what has taken place during an incident
NIST-CSF-RS.AN-06Actions performed during an investigation are recorded
NIST-CSF-RS.AN-07Incident data and metadata are collected and their integrity preserved
NIST-CSF-RS.AN-08Incidents are analyzed to determine root cause
NIST-CSF-RS.CO-02Internal and external stakeholders are notified of incidents
NIST-CSF-RS.CO-03Information is shared with designated internal and external stakeholders
NIST-CSF-RS.MA-01The incident response plan is executed in coordination with relevant third parties
NIST-CSF-RS.MA-02Incident reports are triaged and validated
NIST-CSF-RS.MA-03Incidents are categorized and prioritized
NIST-CSF-RS.MA-04Incidents are escalated or elevated as needed
NIST-CSF-RS.MA-05Criteria for initiating incident recovery are applied
NIST-CSF-RS.MI-01Incidents are contained
NIST-CSF-RS.MI-02Incidents are eradicated

Recover

0 controls

Respond

0 controls

Your Compliance Coverage

If you comply with NIST Cybersecurity Framework 2.0, you already cover:

Maps to 251 other frameworks

106 total controls
Belgium CyberFundamentals
32 source controls mapped|44 target controls covered
30%
ASIC Cyber Resilience Good Practices
32 source controls mapped|27 target controls covered
30%
ASEAN Data Management Framework
25 source controls mapped|26 target controls covered
24%
21%
Azure Security Benchmark
22 source controls mapped|19 target controls covered
21%
Australian Energy Sector Cyber Security Framework (AESCSF)
19 source controls mapped|19 target controls covered
18%
NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements
19 source controls mapped|15 target controls covered
18%
NIST Privacy Framework
18 source controls mapped|7 target controls covered
17%
NIST SP 800-53 Rev 5
18 source controls mapped|23 target controls covered
17%
SSAE 18 - Attestation Standards (SOC Reporting)
18 source controls mapped|13 target controls covered
17%
BIMCO Cyber Security
17 source controls mapped|26 target controls covered
16%
Canada ITSG-33 - IT Security Risk Management
16 source controls mapped|18 target controls covered
15%
APRA CPS 234
16 source controls mapped|14 target controls covered
15%
Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct
15 source controls mapped|22 target controls covered
14%
PSD2 SCA
15 source controls mapped|4 target controls covered
14%
OSFI B-13
15 source controls mapped|5 target controls covered
14%
Open Banking Security
15 source controls mapped|5 target controls covered
14%
FFIEC IT Examination Handbook
15 source controls mapped|12 target controls covered
14%
PCI SSF
15 source controls mapped|12 target controls covered
14%
PCI P2PE
15 source controls mapped|12 target controls covered
14%
PCI PIN Security
15 source controls mapped|13 target controls covered
14%
FFIEC Cybersecurity Assessment Tool (CAT)
14 source controls mapped|10 target controls covered
13%
ISO 27019
14 source controls mapped|10 target controls covered
13%
IEC 62443
14 source controls mapped|10 target controls covered
13%
API 1164
14 source controls mapped|10 target controls covered
13%
NIST SP 1800-32
14 source controls mapped|10 target controls covered
13%
O-RAN WG11 Security Specification
13 source controls mapped|5 target controls covered
12%
C2M2
13 source controls mapped|22 target controls covered
12%
ISO/IEC 27400:2022
13 source controls mapped|9 target controls covered
12%
NIST SP 800-146
13 source controls mapped|4 target controls covered
12%
NIST SP 800-145
13 source controls mapped|3 target controls covered
12%
NIST SP 800-144
13 source controls mapped|4 target controls covered
12%
ISO 27017
13 source controls mapped|9 target controls covered
12%
ISO 27018
13 source controls mapped|9 target controls covered
12%
Annex 11 to EU GMP - Computerised Systems
13 source controls mapped|5 target controls covered
12%
AWS Well-Architected Security Pillar
13 source controls mapped|9 target controls covered
12%
NIST SP 800-190
13 source controls mapped|9 target controls covered
12%
ASD Strategies to Mitigate Cyber Security Incidents
13 source controls mapped|13 target controls covered
12%
BSI IT-Grundschutz
12 source controls mapped|12 target controls covered
11%
NIST AI Risk Management Framework (AI RMF 1.0)
12 source controls mapped|9 target controls covered
11%
APRA CPS 230 Operational Risk Management
12 source controls mapped|8 target controls covered
11%
ASIS SPC.1-2009 - Organizational Resilience Standard
12 source controls mapped|6 target controls covered
11%
ISO 28001:2007 Supply Chain Security Management
12 source controls mapped|5 target controls covered
11%
CISA Industrial Control Systems (ICS) Security Guidance
12 source controls mapped|16 target controls covered
11%
ISO/IEC 27011:2024
11 source controls mapped|9 target controls covered
10%
TSA Pipeline Cybersecurity Directives
11 source controls mapped|2 target controls covered
10%
SOC 2
11 source controls mapped|9 target controls covered
10%
AS9100D - Aerospace Quality Management System
10 source controls mapped|8 target controls covered
9%
ISO/IEC 27003:2017
10 source controls mapped|8 target controls covered
9%
ISO/IEC 27031:2011
10 source controls mapped|6 target controls covered
9%
Authorised Economic Operator (AEO) Programmes - Global Standards
10 source controls mapped|9 target controls covered
9%
Oman National Cybersecurity Framework
10 source controls mapped|4 target controls covered
9%
ISO 22320:2018
10 source controls mapped|7 target controls covered
9%
DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)
10 source controls mapped|5 target controls covered
9%
DORA
9 source controls mapped|11 target controls covered
8%
FBI CJIS Security Policy
9 source controls mapped|4 target controls covered
8%
ISO/IEC 23894:2023
9 source controls mapped|10 target controls covered
8%
SANS Incident Handler's Handbook and PICERL Methodology
9 source controls mapped|7 target controls covered
8%
UK Gambling Commission - Cyber Resilience Requirements
9 source controls mapped|2 target controls covered
8%
8%
UK FCA/PRA Operational Resilience Framework
8 source controls mapped|2 target controls covered
8%
UK AI Regulation Framework
8 source controls mapped|2 target controls covered
8%
OECD AI Principles
8 source controls mapped|2 target controls covered
8%
NRF Cybersecurity and Data Privacy Framework (National Retail Federation)
8 source controls mapped|3 target controls covered
8%
South Korea PIPA
8 source controls mapped|3 target controls covered
8%
EASA Part-IS - Information Security in Aviation
8 source controls mapped|8 target controls covered
8%
AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence
8 source controls mapped|5 target controls covered
8%
AICPA Privacy Management Framework (PMF)
8 source controls mapped|5 target controls covered
8%
SASB Standards
8 source controls mapped|2 target controls covered
8%
Australia Consumer Data Right - Banking (CDR)
8 source controls mapped|6 target controls covered
8%
FTC GLBA Safeguards Rule (16 CFR Part 314)
8 source controls mapped|3 target controls covered
8%
ISO/IEC 38500:2024 - Governance of IT
8 source controls mapped|5 target controls covered
8%
UK GDPR (UK General Data Protection Regulation)
7 source controls mapped|2 target controls covered
7%
ICAO Annex 17 - Aviation Security (AVSEC)
7 source controls mapped|2 target controls covered
7%
French Sapin II Law (Law No. 2016-1691)
7 source controls mapped|3 target controls covered
7%
Barbados Data Protection Act 2019
7 source controls mapped|2 target controls covered
7%
NFPA 1600 - Standard on Continuity, Emergency, and Crisis Management
7 source controls mapped|4 target controls covered
7%
ISO 41001:2018 - Facility Management Systems
7 source controls mapped|6 target controls covered
7%
ISO 39001:2012 - Road Traffic Safety Management
7 source controls mapped|6 target controls covered
7%
ISO 22313:2020 - Guidance on Business Continuity Management Systems
7 source controls mapped|6 target controls covered
7%
AML/CTF Act 2006 (Australia)
7 source controls mapped|3 target controls covered
7%
ISO/IEC 27557:2022 - Organisational Privacy Risk Management
7 source controls mapped|9 target controls covered
7%
ISO/IEC 29147:2018
7 source controls mapped|4 target controls covered
7%
PIC/S Guide to Good Manufacturing Practice for Medicinal Products
7 source controls mapped|4 target controls covered
7%
ICH Q10 - Pharmaceutical Quality System
7 source controls mapped|4 target controls covered
7%
ISO/IEC 27010:2015
7 source controls mapped|3 target controls covered
7%
CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0
7 source controls mapped|5 target controls covered
7%
ISO 20400:2017 - Sustainable Procurement
7 source controls mapped|6 target controls covered
7%
ISO 20000-1
7 source controls mapped|3 target controls covered
7%
ITIL 4
7 source controls mapped|3 target controls covered
7%
SLSA
7 source controls mapped|2 target controls covered
7%
SIG (Shared Assessments)
7 source controls mapped|3 target controls covered
7%
PTES
7 source controls mapped|3 target controls covered
7%
OWASP SAMM
7 source controls mapped|3 target controls covered
7%
OpenSSF Scorecard
7 source controls mapped|3 target controls covered
7%
NIST SP 800-92
7 source controls mapped|3 target controls covered
7%
NIST SP 800-88
7 source controls mapped|2 target controls covered
7%
NIST SP 800-63-4
7 source controls mapped|3 target controls covered
7%
NIST SP 800-61
7 source controls mapped|2 target controls covered
7%
NIST SP 800-137
7 source controls mapped|3 target controls covered
7%
NIST SP 800-123
7 source controls mapped|3 target controls covered
7%
ISO 27043
7 source controls mapped|4 target controls covered
7%
ISO/SAE 21434
7 source controls mapped|4 target controls covered
7%
ISO/IEC 23837 - Security Requirements for Quantum Key Distribution
7 source controls mapped|4 target controls covered
7%
Space ISAC (Information Sharing and Analysis Center) - Threat Framework
6 source controls mapped|3 target controls covered
6%
Virginia CDPA
6 source controls mapped|1 target controls covered
6%
Vietnam PDPD
6 source controls mapped|2 target controls covered
6%
Uruguay DPL
6 source controls mapped|2 target controls covered
6%
Texas Data Privacy Act
6 source controls mapped|2 target controls covered
6%
Taiwan PDPA
6 source controls mapped|1 target controls covered
6%
Qatar DPL
6 source controls mapped|3 target controls covered
6%
Privacy Act 2020
6 source controls mapped|3 target controls covered
6%
POPIA
6 source controls mapped|2 target controls covered
6%
Personal Data Act (personopplysningsloven)
6 source controls mapped|3 target controls covered
6%
PDPA Thailand
6 source controls mapped|3 target controls covered
6%
PDPA Singapore
6 source controls mapped|3 target controls covered
6%
Oregon Consumer Privacy Act
6 source controls mapped|3 target controls covered
6%
NIST SP 800-122
6 source controls mapped|2 target controls covered
6%
New Zealand Information Security Manual (NZISM)
6 source controls mapped|3 target controls covered
6%
New Jersey Data Privacy Act
6 source controls mapped|3 target controls covered
6%
APPI
6 source controls mapped|4 target controls covered
6%
Bahrain PDPL
6 source controls mapped|4 target controls covered
6%
APRA SPS 220 Risk Management (Superannuation)
6 source controls mapped|5 target controls covered
6%
ISO/IEC 27006:2024
6 source controls mapped|6 target controls covered
6%
Automotive SPICE (ASPICE) v4.0 - Process Assessment Model
6 source controls mapped|4 target controls covered
6%
ISO 22318
6 source controls mapped|3 target controls covered
6%
ISO 22317
6 source controls mapped|3 target controls covered
6%
ISO 22316
6 source controls mapped|3 target controls covered
6%
China Data Security Law (DSL)
6 source controls mapped|7 target controls covered
6%
CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)
6 source controls mapped|8 target controls covered
6%
CMMC 2.0
6 source controls mapped|7 target controls covered
6%
IEC 62304:2015 Medical Device Software Lifecycle Processes
6 source controls mapped|6 target controls covered
6%
BS 65000:2014 - Guidance on Organizational Resilience
6 source controls mapped|3 target controls covered
6%
IAIS Insurance Core Principles (ICPs)
6 source controls mapped|4 target controls covered
6%
SEC Climate Disclosure Rule
5 source controls mapped|1 target controls covered
5%
Own Risk and Solvency Assessment (ORSA) - NAIC Model Act
5 source controls mapped|2 target controls covered
5%
NIST SP 800-66
5 source controls mapped|2 target controls covered
5%
NIST SP 800-39
5 source controls mapped|3 target controls covered
5%
NIST SP 800-37
5 source controls mapped|4 target controls covered
5%
NIST SP 800-30
5 source controls mapped|6 target controls covered
5%
Nigeria Open Banking Regulatory Framework (CBN, 2023)
5 source controls mapped|2 target controls covered
5%
ISO 27005
5 source controls mapped|6 target controls covered
5%
ISO 31000
5 source controls mapped|6 target controls covered
5%
ISO 13485
5 source controls mapped|4 target controls covered
5%
ISO 27799
5 source controls mapped|3 target controls covered
5%
ISO 26262:2018 - Functional Safety for Road Vehicles
5 source controls mapped|3 target controls covered
5%
FedRAMP High
5 source controls mapped|4 target controls covered
5%
NIST SP 800-53 Revision 5.1 HIGH
5 source controls mapped|4 target controls covered
5%
FedRAMP Moderate
5 source controls mapped|4 target controls covered
5%
NIST SP 800-53 Rev 5 MODERATE
5 source controls mapped|3 target controls covered
5%
NIST SP 800-53 Rev 5 LOW
5 source controls mapped|3 target controls covered
5%
21 CFR Part 211 - Current Good Manufacturing Practice
5 source controls mapped|2 target controls covered
5%
BRCGS Global Standard for Food Safety Issue 9
5 source controls mapped|4 target controls covered
5%
CFTC System Safeguards (17 CFR 37, 38, 39, 49)
5 source controls mapped|9 target controls covered
5%
DoD Zero Trust Reference Architecture
5 source controls mapped|5 target controls covered
5%
Trinidad and Tobago Data Protection Act 2011
5 source controls mapped|3 target controls covered
5%
Tanzania Personal Data Protection Act (Draft)
5 source controls mapped|2 target controls covered
5%
ISO/IEC 30111:2019
5 source controls mapped|4 target controls covered
5%
IEC 60601-1 - Medical Electrical Equipment Safety
5 source controls mapped|4 target controls covered
5%
ISO 37000:2021 - Governance of Organizations
5 source controls mapped|4 target controls covered
5%
Florida Digital Bill of Rights (FDBR)
5 source controls mapped|3 target controls covered
5%
IEC 62351 - Power Systems Communication Security
5 source controls mapped|4 target controls covered
5%
COBIT 2019
5 source controls mapped|2 target controls covered
5%
ISO/IEC 27007:2020
5 source controls mapped|2 target controls covered
5%
ISO/IEC 25012:2008 - Data Quality Model
5 source controls mapped|3 target controls covered
5%
ITU-T X.805 - Security Architecture for End-to-End Communications
5 source controls mapped|2 target controls covered
5%
ISO/IEC 29134:2023
4 source controls mapped|5 target controls covered
4%
ISO/IEC 27014:2020
4 source controls mapped|4 target controls covered
4%
TISAX - Trusted Information Security Assessment Exchange
4 source controls mapped|2 target controls covered
4%
China Personal Information Protection Law (PIPL)
4 source controls mapped|4 target controls covered
4%
China Cybersecurity Law (CSL)
4 source controls mapped|6 target controls covered
4%
C-TPAT - Customs-Trade Partnership Against Terrorism
4 source controls mapped|4 target controls covered
4%
Peru DPL
4 source controls mapped|3 target controls covered
4%
DFARS 252.204-7012 - Safeguarding Covered Defense Information
4 source controls mapped|4 target controls covered
4%
EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600)
4 source controls mapped|4 target controls covered
4%
WCAG 2.2
4 source controls mapped|1 target controls covered
4%
Regional Comprehensive Economic Partnership (RCEP) - E-Commerce Chapter
4 source controls mapped|1 target controls covered
4%
Illinois Biometric Information Privacy Act (BIPA)
4 source controls mapped|4 target controls covered
4%
ISO 19011
4 source controls mapped|3 target controls covered
4%
Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)
4 source controls mapped|3 target controls covered
4%
ISO/IEC 29115:2023 - Entity Authentication Assurance Framework
4 source controls mapped|4 target controls covered
4%
Secure by Design: A Guide for Manufacturers (CISA)
4 source controls mapped|1 target controls covered
4%
SA8000:2014 - Social Accountability Standard
3 source controls mapped|1 target controls covered
3%
ISO 26000:2010
3 source controls mapped|1 target controls covered
3%
BREEAM - Building Research Establishment Environmental Assessment Method
3 source controls mapped|1 target controls covered
3%
ENISA Data Protection Engineering - From Theory to Practice
3 source controls mapped|3 target controls covered
3%
EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)
3 source controls mapped|4 target controls covered
3%
Critical Infrastructure Risk Management Program (CIRMP) Rules 2023
3 source controls mapped|5 target controls covered
3%
EDM Council DCAM - Data Management Capability Assessment Model
3 source controls mapped|3 target controls covered
3%
EDM Council CDMC - Cloud Data Management Capability Framework
3 source controls mapped|4 target controls covered
3%
Papua New Guinea National Cybersecurity Policy & Cybercrime Act (2016)
3 source controls mapped|1 target controls covered
3%
Nevada Gaming Control Board Cybersecurity Requirements
3 source controls mapped|1 target controls covered
3%
NIST SP 800-171
3 source controls mapped|1 target controls covered
3%
COSO Internal Control - Integrated Framework (2013)
3 source controls mapped|1 target controls covered
3%
OECD Recommendation on Artificial Intelligence (2024 Update)
3 source controls mapped|1 target controls covered
3%
Aged Care Quality Standards (Australia)
3 source controls mapped|1 target controls covered
3%
21 CFR Part 58 - Good Laboratory Practice (GLP)
3 source controls mapped|3 target controls covered
3%
Sigstore - Software Artifact Signing and Verification
3 source controls mapped|1 target controls covered
3%
CMMC 2.0 Level 1
3 source controls mapped|4 target controls covered
3%
California IoT Security Law
3 source controls mapped|2 target controls covered
3%
3GPP 5G Security Architecture (TS 33.501)
3 source controls mapped|3 target controls covered
3%
South Africa Promotion of Access to Information Act (PAIA)
3 source controls mapped|1 target controls covered
3%
UNICEF Policy Guidance on AI for Children (2021)
2 source controls mapped|1 target controls covered
2%
UNESCO Recommendation on the Ethics of AI
2 source controls mapped|1 target controls covered
2%
ISO 22000
2 source controls mapped|1 target controls covered
2%
ISO 45001
2 source controls mapped|1 target controls covered
2%
GDPR
2 source controls mapped|1 target controls covered
2%
Australia IRAP - Information Security Registered Assessors Program
2 source controls mapped|2 target controls covered
2%
APRA CPS 220 Risk Management
2 source controls mapped|2 target controls covered
2%
Cyber Security Act 2024 (Australia)
2 source controls mapped|2 target controls covered
2%
BCBS 239
2 source controls mapped|1 target controls covered
2%
UK Bribery Act 2010
2 source controls mapped|1 target controls covered
2%
Philippines Cybercrime Prevention Act (RA 10175)
2 source controls mapped|1 target controls covered
2%
NRC 10 CFR 73.54 - Nuclear Facility Cybersecurity
2 source controls mapped|2 target controls covered
2%
IATA Operational Safety Audit (IOSA) Standards Manual
2 source controls mapped|1 target controls covered
2%
ISO 56002
2 source controls mapped|4 target controls covered
2%
ISO 37002:2021 - Whistleblowing Management Systems
2 source controls mapped|3 target controls covered
2%
ISO/IEC 29100:2024
2 source controls mapped|3 target controls covered
2%
ISO 22739:2024 - Blockchain and Distributed Ledger Technologies Vocabulary
2 source controls mapped|5 target controls covered
2%
ISO 8000 - Data Quality
2 source controls mapped|2 target controls covered
2%
ISO 31000:2018
2 source controls mapped|1 target controls covered
2%
Azerbaijan Law on Personal Data (2010)
2 source controls mapped|1 target controls covered
2%
ISO/IEC 27004:2016
2 source controls mapped|3 target controls covered
2%
2%
ISO/IEC 27050 - Electronic Discovery (Parts 1-4)
2 source controls mapped|1 target controls covered
2%
Nebraska Data Privacy Act
2 source controls mapped|2 target controls covered
2%
ISO 14064 - Greenhouse Gas Accounting and Verification (Parts 1-3)
2 source controls mapped|1 target controls covered
2%
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
2 source controls mapped|1 target controls covered
2%
W3C Verifiable Credentials (VC) Data Model 2.0
2 source controls mapped|1 target controls covered
2%
FIDO2 / WebAuthn
2 source controls mapped|1 target controls covered
2%
Bank Secrecy Act / Anti-Money Laundering (BSA/AML)
2 source controls mapped|1 target controls covered
2%
MARS-E - Minimum Acceptable Risk Standards for Exchanges
2 source controls mapped|1 target controls covered
2%
Armenia Law on Protection of Personal Data (2015)
2 source controls mapped|1 target controls covered
2%
ETSI EN 303 645
2 source controls mapped|2 target controls covered
2%
FAA Cybersecurity Framework for Aviation
1 source controls mapped|1 target controls covered
1%
Defence Security Principles Framework (DSPF)
1 source controls mapped|1 target controls covered
1%
Defence Industry Security Program (DISP)
1 source controls mapped|1 target controls covered
1%
CNCF Security Technical Advisory Group (TAG)
1 source controls mapped|1 target controls covered
1%
EU Cyber Resilience Act
1 source controls mapped|1 target controls covered
1%

Frequently Asked Questions

What is NIST Cybersecurity Framework 2.0?

NIST Cybersecurity Framework 2.0 is a compliance framework from United States with 12 domains and 106 controls. Voluntary framework for managing and reducing cybersecurity risk, organized around six core functions It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST Cybersecurity Framework 2.0 have?

NIST Cybersecurity Framework 2.0 has 106 controls organised across 12 domains. The largest domains are GV - Govern (28 controls), PR - Protect (22 controls), ID - Identify (21 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST Cybersecurity Framework 2.0 map to?

NIST Cybersecurity Framework 2.0 maps to 251 other compliance frameworks. The top mapping partners are Belgium CyberFundamentals (30% coverage), ASIC Cyber Resilience Good Practices (30% coverage), ASEAN Data Management Framework (24% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with NIST Cybersecurity Framework 2.0 compliance?

Start your NIST Cybersecurity Framework 2.0 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST Cybersecurity Framework 2.0 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 106 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.

Get Started Free →

Free forever — no credit card required