The Framework Nobody Reads — Until After the Breach

In February 2024, Change Healthcare suffered a ransomware attack that disrupted pharmacy operations across the United States for weeks. UnitedHealth Group initially disclosed that the breach affected roughly 100 million individuals, then in January 2025 revised that figure to about 190 million, making it the largest healthcare data breach on record. The root cause? Stolen credentials and the absence of multi-factor authentication on a Citrix remote access portal. Every failure in that chain maps directly to an outcome the NIST Cybersecurity Framework already describes.

I've spent years watching organizations treat NIST CSF like a compliance checkbox rather than an operational playbook. They download the PDF, skim the five functions, and file it away. Then a threat actor finds the one gap nobody mapped, and suddenly the framework feels very relevant.

This post is a practical walkthrough of the NIST Cybersecurity Framework as it exists in 2025 — specifically CSF 2.0, released in February 2024. I'll cover what changed, what each function actually requires of your team, and how to implement it without a seven-figure consulting contract. If you're a small or mid-sized organization trying to build real security posture, this is for you.

What Is the NIST Cybersecurity Framework (And What Changed in 2.0)?

The NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and best practices developed by the National Institute of Standards and Technology to help organizations manage cybersecurity risk. Originally released in 2014 and updated in 2018, NIST published CSF 2.0 in February 2024. The biggest structural change? A sixth function — Govern — now sits at the center of everything.

CSF 2.0 also expanded its scope beyond critical infrastructure. NIST explicitly designed version 2.0 for organizations of all sizes, in every sector. That matters if you're a 50-person company that previously assumed NIST was only for federal contractors and Fortune 500 firms.

The Six Functions at a Glance

  • Govern (GV): Establish cybersecurity strategy, risk management, roles, and policies at the organizational level.
  • Identify (ID): Understand your assets, business environment, vulnerabilities, and risks, including risks from suppliers (in 2.0 the supply chain risk management program itself sits under Govern).
  • Protect (PR): Implement safeguards — access controls, security awareness training, data security, and platform hardening.
  • Detect (DE): Develop and deploy capabilities to identify cybersecurity events in real time.
  • Respond (RS): Plan and execute actions when an incident is detected.
  • Recover (RC): Restore capabilities and services after an incident.

Each function breaks down into categories and subcategories that describe specific outcomes, with informative references mapping each outcome to concrete controls in other standards. That granularity is what makes NIST CSF useful, if you actually dig into it.

Govern: The Function Most Organizations Skip

The addition of Govern in CSF 2.0 wasn't cosmetic. NIST added it to make explicit that cybersecurity is an enterprise risk that senior leadership must own, and that governance decisions shape how the other five functions get carried out. When the board doesn't understand cyber risk, when nobody owns the security budget, when policies exist but nobody enforces them, that's a Govern problem.

In my experience, the organizations that get breached most often aren't the ones with weak firewalls. They're the ones where security decisions happen by accident. Nothing in the public record suggests anyone at Change Healthcare formally decided to leave MFA off that remote access portal. Nobody formally decided anything, and that's exactly the problem Govern is designed to fix.

What Govern Actually Requires

Govern expects you to document cybersecurity roles and responsibilities, establish risk appetite statements, integrate cyber risk into enterprise risk management, and create accountability structures that reach the C-suite and board. If your CISO reports to the IT director who reports to the CFO who sometimes mentions security at board meetings, you have a Govern gap.

Start with three deliverables: a written cybersecurity policy signed by leadership, a risk register that gets reviewed quarterly, and a clear organizational chart showing who owns what in a security incident. These aren't glamorous. They save organizations.

Identify: You Can't Protect What You Don't Know Exists

The Identify function is where most small and mid-sized organizations discover uncomfortable truths. Asset inventories are incomplete. Shadow IT is rampant. Nobody has mapped data flows or documented which third-party vendors have access to sensitive systems.

The 2024 Verizon Data Breach Investigations Report found that credential theft and exploitation of vulnerabilities in web applications were among the top initial access vectors. You can't patch vulnerabilities in assets you don't know about. You can't revoke credentials to systems you haven't inventoried.

Practical Steps for Identify

Run an automated asset discovery scan across your network. Document every SaaS application your employees use — including the ones IT didn't approve. Map your data: where does personally identifiable information live, who can access it, and how does it move between systems? Then assess your supply chain. The CISA cyber threats and advisories page is a solid resource for understanding which third-party risks are actively being exploited.
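The SaaS part of that inventory is the one most organizations skip, because nobody has a scanner for it. The usual source of truth is the web proxy or DNS resolver logs: every sanctioned and unsanctioned service shows up there. The script below is an added example, not part of the original post: it parses a handful of constructed proxy log lines (the "timestamp user method url status bytes" layout and the sample traffic are assumptions), aggregates requests by registrable domain, and reports every domain that is not on an assumed IT-approved list, ranked by how many distinct users touch it and how much data is uploaded to it.

```python
"""Shadow SaaS discovery from proxy logs.

Added example, not code from the original post. The log layout, the approved
list, and the sample lines below are all constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (not real traffic). Assumed layout:
#   <timestamp> <user> <method> <url> <status> <bytes>
# Whether "bytes" counts the request or response body depends on the proxy;
# here it is treated as the request body for POST/PUT so uploads stand out.
SAMPLE_PROXY_LOG = """\
2025-03-03T09:01:12 alice GET https://app.slack.com/client 200 18320
2025-03-03T09:02:40 bob POST https://api.notion.so/v1/pages 200 4096
2025-03-03T09:03:05 carol POST https://api.notion.so/v1/pages 200 8192
2025-03-03T09:04:51 dave GET https://www.notion.so/workspace 200 51200
2025-03-03T10:15:00 erin PUT https://wetransfer.com/api/upload 200 314572800
2025-03-03T10:20:00 alice GET https://github.com/org/repo 200 2048
2025-03-03T11:00:00 bob GET https://login.okta.com/ 200 1024
this line is malformed and should be skipped, not crash the run
"""

# Assumption: the list of services IT has actually sanctioned.
APPROVED_SAAS = {"slack.com", "github.com", "okta.com"}
UPLOAD_METHODS = {"POST", "PUT"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def registrable_domain(url):
    """Collapse a hostname to its last two labels (api.notion.so -> notion.so).

    Deliberately simple: it mis-handles multi-label suffixes such as co.uk.
    Use a public-suffix library for production data.
    """
    host = urlparse(url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_shadow_saas(log_text, approved=APPROVED_SAAS):
    """Return unapproved SaaS domains seen in the log, most widely used first."""
    usage = defaultdict(lambda: {"users": set(), "upload_bytes": 0, "requests": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole pass
        _ts, user, method, url, _status, nbytes = m.groups()
        rec = usage[registrable_domain(url)]
        rec["requests"] += 1
        rec["users"].add(user)
        if method in UPLOAD_METHODS:
            rec["upload_bytes"] += int(nbytes)

    findings = [
        {"domain": dom, "users": len(rec["users"]),
         "upload_bytes": rec["upload_bytes"], "requests": rec["requests"]}
        for dom, rec in usage.items() if dom not in approved
    ]
    # Breadth of adoption first, then volume of data leaving the organization.
    findings.sort(key=lambda f: (f["users"], f["upload_bytes"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_shadow_saas(SAMPLE_PROXY_LOG):
        print(f"{f['domain']:<20} users={f['users']:<3} "
              f"uploaded={f['upload_bytes'] / 1024**2:.1f} MiB requests={f['requests']}")
```

Two unapproved services fall out of the sample: a note-taking tool that three people are already writing company data into, and a file-transfer site that received a 300 MiB upload from one user. Both belong in the inventory and the data map, and the second one is a conversation to have today.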

Repeat this process quarterly. Asset inventories that are twelve months old are fiction.

Protect: Where Security Awareness Earns Its Keep

The Protect function covers the controls most people think of when they hear "cybersecurity": access management, encryption, endpoint protection, network segmentation, and security awareness training. CSF 2.0 carries Awareness and Training (PR.AT) as a Protect category in its own right.

This is where I get blunt. Technical controls are necessary but insufficient. The FBI's Internet Crime Complaint Center (IC3) reported over $12.5 billion in cybercrime losses in 2023, with business email compromise and phishing among the costliest attack types. Social engineering bypasses firewalls entirely. It targets your people.

Building a Protect Program That Works

Layer your defenses. Start with the basics: enforce multi-factor authentication everywhere, implement least-privilege access, encrypt data at rest and in transit, and segment your network so a single compromised endpoint doesn't give a threat actor the keys to the kingdom. These are zero trust principles in practice, and they align directly with NIST CSF Protect subcategories.

Then invest in your people. A well-run phishing awareness training program for your organization dramatically reduces the success rate of social engineering attacks. Phishing simulation isn't about catching employees making mistakes — it's about building the muscle memory to recognize credential theft attempts before they succeed.

Pair that with comprehensive cybersecurity awareness training for your entire workforce to cover the broader threat landscape: ransomware, pretexting, vishing, and removable media risks. The NIST Cybersecurity Framework explicitly expects organizations to maintain an informed, trained workforce. Meeting that requirement with an annual slide deck isn't enough.

Detect: Speed Is the Difference Between an Incident and a Catastrophe

In recent incident response reporting, the time from initial access to data theft is commonly measured in hours, not weeks. Your Detect capabilities need to match that pace. CSF 2.0's Detect function covers continuous monitoring, anomaly detection, and event analysis.

For smaller organizations, this doesn't require a full Security Operations Center. It does require centralized logging, alerting on anomalous authentication patterns, and someone — a person, not just a tool — reviewing alerts daily. Managed detection and response services can fill this gap affordably.

Detection Essentials for Every Organization

At minimum, configure alerts for: failed login attempts exceeding a threshold, logins from unusual geographic locations, privilege escalation events, new admin accounts being created, and large data transfers outside business hours. These five alert categories catch a surprising percentage of real-world intrusion patterns.
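Those five rules are simple enough to write down as code, which is worth doing even if you later buy a product, because it forces you to decide the thresholds. The script below is an added example, not part of the original post: it runs all five rules over a constructed batch of authentication, account and transfer events (the field names, the "expected country", the 500 MiB transfer cutoff and the 08:00 to 17:59 business window are all assumptions to tune against your own baseline).

```python
"""Five baseline detection rules over authentication and transfer events.

Added example, not code from the original post. Event fields, thresholds and
the sample events are constructed for illustration; tune them to your baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5             # alert on the sixth failure inside the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
EXPECTED_COUNTRIES = {"US"}            # assumption: where this workforce normally logs in from
ADMIN_GROUPS = {"Domain Admins", "Administrators", "root", "sudo", "wheel"}
LARGE_TRANSFER_BYTES = 500 * 1024**2   # 500 MiB
BUSINESS_HOURS = range(8, 18)          # 08:00 to 17:59, local time

# Constructed sample events (not real logs). Each dict is one normalized event.
SAMPLE_EVENTS = [
    # Rule 1: six failed logins for alice within ten minutes
    *({"ts": f"2025-03-03T02:1{i}:00", "user": "alice", "type": "login_failed",
       "src_country": "US"} for i in range(6)),
    # Rule 2: bob logs in from an unexpected country, then from the usual one
    {"ts": "2025-03-03T09:05:00", "user": "bob", "type": "login_success", "src_country": "RU"},
    {"ts": "2025-03-03T09:30:00", "user": "bob", "type": "login_success", "src_country": "US"},
    # Rule 3: carol becomes root
    {"ts": "2025-03-03T10:00:00", "user": "carol", "type": "privilege_escalation", "detail": "sudo su -"},
    # Rule 4: dave creates one account straight into an admin group and one ordinary account
    {"ts": "2025-03-03T11:00:00", "user": "dave", "type": "account_created",
     "new_account": "svc-backup2", "groups": ["Domain Admins"]},
    {"ts": "2025-03-03T11:05:00", "user": "dave", "type": "account_created",
     "new_account": "intern01", "groups": ["Users"]},
    # Rule 5: 2 GiB at 03:00 (alert), 2 GiB at 14:00 (no alert), 1 MiB at 03:10 (no alert)
    {"ts": "2025-03-04T03:00:00", "user": "erin", "type": "file_transfer", "bytes": 2 * 1024**3},
    {"ts": "2025-03-04T14:00:00", "user": "frank", "type": "file_transfer", "bytes": 2 * 1024**3},
    {"ts": "2025-03-04T03:10:00", "user": "grace", "type": "file_transfer", "bytes": 1024**2},
]


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Run the five rules over events in time order and return the alerts raised."""
    alerts = []
    failed = defaultdict(deque)  # per-user sliding window of failed-login timestamps
    for ev in sorted(events, key=parse_ts):
        ts, user, kind = parse_ts(ev), ev["user"], ev["type"]

        if kind == "login_failed":
            window = failed[user]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) > FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "failed_login_burst", "user": user, "ts": ts})
                window.clear()  # one alert per burst, not one per extra failure

        elif kind == "login_success" and ev.get("src_country") not in EXPECTED_COUNTRIES:
            alerts.append({"rule": "unusual_geo_login", "user": user, "ts": ts,
                           "country": ev.get("src_country")})

        elif kind == "privilege_escalation":
            alerts.append({"rule": "privilege_escalation", "user": user, "ts": ts})

        elif kind == "account_created" and ADMIN_GROUPS & set(ev.get("groups", [])):
            alerts.append({"rule": "new_admin_account", "user": user, "ts": ts,
                           "account": ev["new_account"]})

        elif (kind == "file_transfer" and ev["bytes"] >= LARGE_TRANSFER_BYTES
              and ts.hour not in BUSINESS_HOURS):
            alerts.append({"rule": "large_off_hours_transfer", "user": user, "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts'].isoformat()}  {a['rule']:<26} {a['user']}")
```

Each rule fires exactly once on the sample, and the three decoy events (the expected-country login, the ordinary account, the daytime and the small transfers) stay quiet. The window-clearing on rule 1 matters in practice: without it a password-spraying run of 200 attempts produces 195 alerts and someone stops reading them.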

Integrate your detection strategy with the Identify function. You can only detect anomalies against a baseline, and that baseline comes from knowing your normal network behavior, user patterns, and data flows.

Respond: Your Incident Response Plan Needs a Dress Rehearsal

Every organization I've worked with has an incident response plan. About 30% have actually tested it. The Respond function in the NIST Cybersecurity Framework demands more than a document — it demands capability. That means tabletop exercises, defined communication plans, legal and PR contacts on speed dial, and clear escalation procedures.

What a Mature Response Looks Like

When Colonial Pipeline was hit with ransomware in May 2021, the company made the decision to pay $4.4 million within hours. Whether that was the right call is debatable, but the speed of decision-making reflects a response process that had executive involvement predefined. Your response plan should answer these questions before an incident occurs: Who authorizes system shutdowns? Who contacts law enforcement? Who communicates with customers? Who approves ransom payments — or explicitly prohibits them?

Run a tabletop exercise at least twice a year. Simulate a ransomware attack in Q1 and a data breach involving customer PII in Q3. Rotate the scenarios. Include non-technical stakeholders — legal, HR, communications, and the CEO.

Recover: Business Continuity Isn't Optional Anymore

The Recover function addresses restoration of services, communication with stakeholders, and improvements based on lessons learned. This is where organizations discover whether their backup strategy actually works.

Test your backups. I don't mean verify that the backup job completed. I mean restore a critical system from backup to a clean environment and time how long it takes. If your recovery time objective is four hours and your actual restore takes three days, you have a Recover gap that no amount of documentation will fix.
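A restore drill has three questions: did every file come back, is each one byte-for-byte what was backed up, and did it happen inside the RTO. The script below is an added example, not part of the original post: it builds a small tar.gz backup in memory together with a SHA-256 manifest (a constructed fixture, not a real backup format), restores it into a clean temporary directory one member at a time, verifies every file against the manifest, and compares the elapsed time with an assumed RTO. It also refuses to write any archive member whose path is absolute or climbs out of the restore directory, which is the kind of thing a hostile backup archive will try.

```python
"""Restore drill: restore into a clean directory, verify integrity, time it.

Added example, not code from the original post. The backup format (tar.gz plus
a SHA-256 manifest), the sample files and the RTO are constructed assumptions.
"""
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path


def make_backup(files):
    """Constructed fixture: pack {path: bytes} into a tar.gz and return (archive, manifest)."""
    buf, manifest = io.BytesIO(), {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def _safe_member(name):
    """Reject absolute paths and '..' components so a crafted archive cannot escape the restore root."""
    p = Path(name)
    return not p.is_absolute() and ".." not in p.parts


def restore_and_verify(archive, manifest, rto_seconds):
    """Restore into a fresh temp dir, hash every restored file, and report against the manifest."""
    start = time.monotonic()
    restored = {}
    with tempfile.TemporaryDirectory() as clean_dir:
        root = Path(clean_dir)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile() or not _safe_member(member.name):
                    continue  # skip directories, links and traversal attempts
                data = tar.extractfile(member).read()
                target = root / member.name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
                # Hash what actually landed on disk, not what the archive claims.
                restored[member.name] = hashlib.sha256(target.read_bytes()).hexdigest()
    elapsed = time.monotonic() - start

    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(n for n in manifest if n in restored and restored[n] != manifest[n])
    within_rto = elapsed <= rto_seconds
    return {
        "restored": len(restored),
        "missing": missing,
        "corrupted": corrupted,
        "elapsed_seconds": elapsed,
        "within_rto": within_rto,
        "passed": not missing and not corrupted and within_rto,
    }


# Constructed sample "critical system" contents.
SAMPLE_FILES = {
    "etc/app/config.yaml": b"listen: 0.0.0.0:8443\nmfa_required: true\n",
    "var/db/dump.sql": b"CREATE TABLE patients (id INT PRIMARY KEY);\n",
}
RTO_SECONDS = 4 * 3600  # assumed four-hour recovery time objective


def run_drill():
    """Good backup, then a damaged one (a file altered, another absent), then a hostile one."""
    archive, manifest = make_backup(SAMPLE_FILES)
    good = restore_and_verify(archive, manifest, RTO_SECONDS)

    damaged_archive, _ = make_backup({"etc/app/config.yaml": b"mfa_required: false\n"})
    damaged = restore_and_verify(damaged_archive, manifest, RTO_SECONDS)

    hostile_archive, hostile_manifest = make_backup({"../../etc/passwd": b"root::0:0::/:/bin/sh\n"})
    hostile = restore_and_verify(hostile_archive, hostile_manifest, RTO_SECONDS)
    return good, damaged, hostile


if __name__ == "__main__":
    for label, report in zip(("good", "damaged", "hostile"), run_drill()):
        print(f"{label:<8} passed={report['passed']} missing={report['missing']} "
              f"corrupted={report['corrupted']} elapsed={report['elapsed_seconds']:.3f}s")
```

The point of hashing the restored files rather than the archive entries is that the drill then catches storage-side corruption and silent truncation as well as a bad backup job. On a real system the same shape applies with the restore target being an isolated VM or network segment and the RTO clock running from the moment the decision to restore is made, not from the moment the tar command starts.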

Recovery Planning Checklist

  • Maintain offline, immutable backups of critical systems and data.
  • Document recovery procedures step-by-step — assume the person executing them is doing it for the first time under stress.
  • Define communication templates for customers, regulators, and media before you need them.
  • Conduct a post-incident review within 72 hours of recovery, and feed findings back into your Govern and Identify processes.

How to Start Implementing NIST CSF Without Getting Overwhelmed

Here's what I tell every organization that asks where to begin. Don't try to implement all six functions simultaneously. Start with two parallel tracks.

Track 1: Govern and Identify. Get leadership buy-in, assign roles, inventory your assets, and map your risks. This takes 30-60 days and costs almost nothing except time and honesty.

Track 2: Protect fundamentals. Enforce MFA across every system. Launch phishing simulations. Deploy endpoint detection. Train your workforce. These are the controls that stop the attacks actually happening in 2025 — not theoretical threats from a risk matrix.

Once those tracks are solid, layer in Detect, Respond, and Recover improvements. Use the NIST CSF Tiers (Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive) to characterize how rigorously you govern and manage cyber risk over time. One caveat: NIST is explicit that the Tiers are not maturity levels and that not every organization needs to reach Tier 4; pick the Tier that matches your risk, then be honest about where you actually are. A Tier 1 organization that knows it's Tier 1 is safer than a Tier 2 organization pretending to be Tier 4.

The NIST Cybersecurity Framework Isn't a Destination

The most dangerous misunderstanding about NIST CSF is treating it as a project with a completion date. It's a continuous cycle. Threat actors evolve. Your attack surface changes every time you onboard a new vendor, deploy a new application, or hire a new employee. The framework only works if you revisit it — quarterly at minimum, and after every significant change to your environment.

The organizations that get this right aren't the ones with the biggest budgets. They're the ones that build security into how they operate, not just what they buy. The NIST Cybersecurity Framework gives you the structure to do exactly that. The rest is execution.