The Framework 83% of Organizations Claim to Follow — But Few Actually Implement
When the City of Dallas was hit by a devastating ransomware attack in May 2023, investigations revealed systemic gaps in risk management, incident response, and access controls — the exact areas the NIST Cybersecurity Framework was designed to address. Dallas isn't unique. I've seen dozens of organizations that check the "we follow NIST" box on vendor questionnaires while ignoring the framework's core functions in practice.
The NIST Cybersecurity Framework isn't a compliance checklist you laminate and hang in the server room. It's a living risk management structure. And with NIST CSF 2.0 now fully in effect, the framework has evolved significantly — adding a sixth core function and expanding its scope beyond critical infrastructure to every organization, regardless of size or sector.
This post breaks down what's actually in the framework, what changed in version 2.0, and how you turn it from a PDF on a shelf into an operational security program. Whether you're a CISO at a mid-market firm or an IT manager at a 50-person company, this is the practical walkthrough you need.
What Is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and best practices published by the National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risk. Originally released in 2014 and updated to version 2.0 in February 2024, it provides a common language for understanding, managing, and communicating cyber risk across an organization — from the boardroom to the SOC.
It's not a regulation. Nobody fines you for not following it. But it has become the de facto standard that regulators, insurers, and business partners use to evaluate your security posture. If you're pursuing cyber insurance in 2026, your underwriter is almost certainly mapping your controls against NIST CSF functions.
The Six Core Functions — And What They Actually Mean
NIST CSF 2.0 organizes cybersecurity activities into six core functions. Here's what each one demands in practice, not theory.
Govern (The New Addition in CSF 2.0)
This is the function most organizations skip, and it's the one that holds everything else together. Govern establishes your cybersecurity risk management strategy, expectations, and policy. It answers: Who is accountable? What's our risk appetite? How do we make cybersecurity decisions?
In my experience, organizations that lack a Govern function end up with security teams making million-dollar risk decisions without executive buy-in. That's how you get shadow IT, unpatched systems, and budget fights after a breach instead of before one.
Identify
You can't protect what you don't know about. Identify requires a complete asset inventory, understanding of your business environment, a documented risk assessment, and a supply chain risk management process. The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector increased 180% year over year — many of those in assets organizations didn't even know were exposed.
Protect
This is where most organizations spend the bulk of their budget: firewalls, endpoint detection, multi-factor authentication, encryption, zero trust architecture. But Protect also covers something most teams underinvest in — security awareness training. Your employees are a control, not just a liability. Equipping them through cybersecurity awareness training is a Protect function activity, full stop.
Detect
Detection is about shrinking dwell time — the gap between when a threat actor gets in and when you notice. The global median dwell time has dropped significantly in recent years, but many small and mid-sized organizations still measure it in months, not hours. Continuous monitoring, anomaly detection, and log analysis live here.
Respond
Having an incident response plan isn't enough. NIST CSF requires that you test it. I've walked into tabletop exercises where the "incident response plan" was last updated in 2019 and listed a phone number for an employee who left two years ago. Respond covers analysis, mitigation, communication, and improvements after an event.
Recover
Recover covers recovery planning, improvements, and communications. This function forces you to answer: after a ransomware attack encrypts your file servers at 2 AM on a Saturday, how fast can you restore operations? What's your actual, tested recovery time objective?
CSF 2.0: What Changed and Why It Matters
The jump from CSF 1.1 to 2.0 wasn't a cosmetic refresh. Three changes matter most:
- The Govern function was added. This elevates cybersecurity governance from an implied best practice to a named core function. It sends a clear signal: cybersecurity is a board-level concern, not just an IT problem.
- Scope expanded to all organizations. CSF 1.1 was written for critical infrastructure. CSF 2.0 explicitly applies to organizations of all sizes, sectors, and maturity levels — including small businesses and nonprofits.
- Implementation examples and quick-start guides. NIST added practical, tiered guidance for organizations that don't have a 20-person security team. This makes the framework genuinely accessible for the first time.
You can review the full 2.0 publication at NIST.gov.
How to Actually Implement the NIST Cybersecurity Framework
Here's where most guides fail. They explain what the framework is. They rarely tell you how to operationalize it. Here's the approach I recommend for organizations starting from scratch or rebuilding after an incident.
Step 1: Create Your Current Profile
Map what you're doing today against each of the six functions and their categories. Be brutally honest. If you don't have an asset inventory, write that down. If your last risk assessment was three years ago, note it. This isn't an audit — it's a baseline.
Step 2: Define Your Target Profile
Based on your business risk, regulatory requirements, and threat landscape, decide where you need to be. A 30-person law firm and a regional hospital will have very different target profiles. The framework is flexible by design.
Step 3: Perform a Gap Analysis
Compare your current profile to your target profile. The gaps become your prioritized action plan. In my experience, the most common gaps I see are in Govern (no formal risk management strategy), Identify (incomplete asset inventories), and Protect (no security awareness program).
Step 4: Prioritize and Execute
You won't close every gap at once. Prioritize by risk impact. Credential theft and social engineering remain the top initial access vectors for data breaches — so deploying multi-factor authentication and rolling out phishing awareness training for your organization might deliver the highest immediate risk reduction.
Step 5: Measure and Iterate
The NIST Cybersecurity Framework is a cycle, not a project. Review your profiles annually at minimum, and after any significant incident or organizational change. Treat it like a living document, because your threat landscape certainly is.
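Steps 1 through 4 above, as an added worked example that is not from the post or from NIST: a small Python gap-analysis script that takes a constructed Current and Target Profile, scored on an assumed 0-4 maturity scale with a 1-5 business-impact weight (neither scale is prescribed by CSF 2.0), and turns the open gaps into the prioritized action plan of Steps 3 and 4. The category labels are descriptive placeholders, not official CSF subcategory IDs.

```python
from dataclasses import dataclass

FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")  # CSF 2.0 core functions


@dataclass(frozen=True)
class Outcome:
    """One line of a CSF profile; the 0-4 maturity and 1-5 impact scales are this example's assumption."""
    function: str   # one of FUNCTIONS
    category: str   # short descriptive label (not an official CSF subcategory ID)
    current: int    # Step 1: where you are today, 0 (nothing) to 4 (fully implemented)
    target: int     # Step 2: where business risk says you need to be, 0 to 4
    impact: int     # business impact if the gap stays open, 1 (low) to 5 (severe)

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)

    @property
    def priority(self) -> int:
        # Step 4: rank by risk impact, so a large gap on a high-impact outcome rises to the top.
        return self.gap * self.impact


def current_coverage(outcomes):
    """Step 1 baseline: mean current score per function, so an unowned function (often Govern) shows as a flat zero."""
    scores = {f: [] for f in FUNCTIONS}
    for o in outcomes:
        if o.function not in FUNCTIONS:
            raise ValueError(f"not a CSF 2.0 function: {o.function}")
        scores[o.function].append(o.current)
    return {f: (sum(s) / len(s) if s else 0.0) for f, s in scores.items()}


def gap_analysis(outcomes):
    """Step 3: keep only outcomes where current falls short of target, ordered into the Step 4 action plan."""
    open_gaps = [o for o in outcomes if o.gap > 0]
    return sorted(open_gaps, key=lambda o: (-o.priority, FUNCTIONS.index(o.function)))


# Constructed sample profile for a small organization; the scores are illustrative only.
SAMPLE_PROFILE = [
    Outcome("Govern",   "risk management strategy documented", current=0, target=3, impact=5),
    Outcome("Identify", "asset inventory complete",            current=1, target=4, impact=5),
    Outcome("Protect",  "MFA on all remote access",            current=2, target=4, impact=5),
    Outcome("Protect",  "security awareness training",        current=0, target=3, impact=4),
    Outcome("Detect",   "centralized log monitoring",         current=2, target=3, impact=3),
    Outcome("Respond",  "IR plan tested in last 12 months",   current=1, target=3, impact=4),
    Outcome("Recover",  "restore tested against RTO",         current=3, target=3, impact=4),
]
if __name__ == "__main__":
    for o in gap_analysis(SAMPLE_PROFILE):
        print(f"priority {o.priority:>2}  {o.function:<9} {o.category}")
```

With the sample profile, the Govern and Identify gaps land at the top of the plan and the already-met Recover outcome drops out entirely, which is the point of doing the analysis per outcome rather than per function.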
The Biggest Mistake I See Organizations Make With NIST CSF
They treat it as a documentation exercise. Someone in GRC spends three months mapping controls to categories, produces a beautiful spreadsheet, and it never changes anyone's behavior. The framework has zero value if it doesn't drive operational decisions.
The second biggest mistake? Ignoring the human element. You can have a perfectly mapped Protect function on paper, but if your employees click every phishing simulation they receive, your actual risk posture is far worse than your spreadsheet suggests. Phishing simulations aren't optional — they're how you validate that your Protect controls actually work at the human layer.
Does the NIST Cybersecurity Framework Apply to Small Businesses?
Yes, explicitly. NIST CSF 2.0 was redesigned with small and medium-sized businesses in mind. NIST published dedicated quick-start guides and CISA has built complementary resources specifically for small businesses that align with the framework's functions.
You don't need a dedicated security team to start. Begin with the Govern and Identify functions: document who owns cybersecurity decisions, inventory your assets, and assess your highest risks. Then layer in Protect controls — starting with the ones that address your most likely threats. For most small businesses in 2026, that means phishing-resistant MFA, endpoint protection, backups with tested recovery, and security awareness training for every employee.
NIST CSF and Zero Trust: How They Fit Together
Zero trust isn't a product you buy. It's an architecture philosophy: never trust, always verify. The NIST Cybersecurity Framework and zero trust are complementary. CSF provides the risk management structure. Zero trust provides a specific implementation approach for the Protect and Detect functions.
NIST published a dedicated zero trust architecture guide (NIST SP 800-207) that maps cleanly to CSF functions. If you're building a security program in 2026, using both together gives you the strategic framework and the tactical architecture in one coherent system.
Where to Start This Week
Don't let the framework's comprehensiveness paralyze you. Here are three actions you can take in the next five business days:
- Download CSF 2.0 from NIST.gov and read the core functions overview — it's about 20 pages, not 200.
- Run an asset inventory. Even a manual spreadsheet of your systems, cloud services, and data stores is better than nothing. You'll be surprised what you find.
- Launch a security awareness baseline. Enroll your team in cybersecurity awareness training and run an initial phishing simulation to measure your current human risk. That data will directly inform your Protect function gap analysis.
The NIST Cybersecurity Framework gives you a common language to talk about risk, a structure to manage it, and a roadmap to improve. But only if you actually use it. The organizations that treat it as a living operational tool — not a compliance artifact — are the ones that are measurably harder to breach.