Framework library / NIST CSF
Data & Security · regulatory framework
NIST Cybersecurity Framework 2.0.
The US cybersecurity framework — CSF 2.0 elevates supply-chain risk management into the new Govern function.
What it is
NIST CSF 2.0 (2024) organizes cybersecurity outcomes into six functions — Govern, Identify, Protect, Detect, Respond, Recover. The new Govern function makes cybersecurity supply chain risk management (C-SCRM, GV.SC) explicit: suppliers must be known, prioritized, contractually bound and monitored, with outcomes documented.
Who it applies to
US federal suppliers and critical infrastructure, plus the growing set of enterprises that adopt CSF as their security baseline.
The evidence auditors expect
- Supplier inventory with criticality prioritization (GV.SC-04)
- Security requirements flowed into supplier contracts
- Supplier assessment and monitoring records
- Incident coordination expectations documented with key suppliers
How ComplianceFlow keeps you ready
- A prioritized, risk-scored supplier inventory with the evidence behind each score
- Requirement-to-supplier mapping shows which suppliers owe which security proof
- Continuous monitoring surfaces lapses in supplier posture as they happen
Related frameworks
See NIST CSF evidence assemble itself.
ComplianceFlow keeps a living copy of NIST CSF mapped to your suppliers, products and evidence — so what you must prove is always current, and always exportable.
Book a demo Get the audit checklist
TraceR2C