NIST Cybersecurity Framework 2.0 — manage cyber risk
The NIST Cybersecurity Framework (CSF) is a voluntary, risk-based framework for managing and reducing cybersecurity risk. Published by the U.S. National Institute of Standards and Technology and used worldwide, its current edition — CSF 2.0, released in February 2024 — broadened the framework beyond critical infrastructure to organizations of every size and added a new top-level Govern Function.
NIST CSF has no formal certification scheme — it's a framework you adopt and measure yourself against. HAiCapita helps you adopt it, profile your current and target maturity, and assemble the evidence for internal or third-party assessment.
The six CSF Functions
CSF 2.0 organizes cybersecurity outcomes into six Functions. Govern (new in 2.0) establishes and monitors the organization's cybersecurity risk-management strategy, expectations and policy. Identify covers understanding assets, risks and the business context. Protect implements safeguards. Detect finds cybersecurity events. Respond acts on detected incidents. Recover restores capabilities after an incident. Beneath the Functions sit Categories and Subcategories of specific outcomes, plus Implementation Tiers and Profiles for measuring and planning maturity.
How HAiCapita helps
Adopt a control library mapped to the six CSF Functions and their Subcategories. Build a current profile (where you are today) and a target profile (where you want to be), and use gap analysis to plan the journey between them. Collect evidence on a schedule and on demand — including screenshots and connector pulls — versioned with chain-of-custody in a tamper-evident (WORM) audit trail, so your CSF posture is backed by real, current evidence. An AI copilot drafts policies and accelerates remediation.
One control set, many frameworks
NIST CSF is often used as the organizing backbone for a broader compliance program. Author a control once and crosswalk it to ISO/IEC 27001, SOC 2, PCI DSS, the CBE Financial Cybersecurity Framework and the Egypt PDPL — so the work you do to satisfy a CSF outcome also evidences the other standards it maps to, instead of maintaining each framework in isolation.
Sovereign — SaaS or fully air-gapped
Run your CSF program as multi-tenant SaaS in-region, or fully air-gapped on your own infrastructure with no external egress and no phone-home — the same platform either way, with entitlements from a locally-verified signed license. Ideal for regulated, financial-sector and public-sector organizations in Egypt and the wider MENA region.
Frequently asked questions
Can HAiCapita certify us in NIST CSF?
NIST CSF has no formal certification scheme — it's a voluntary framework you adopt and measure against. HAiCapita gets you ready: a control library mapped to the six Functions, current and target profiles, gap analysis and assembled evidence for internal or third-party assessment. No software certifies CSF, because there's no certificate to issue.
What's new in NIST CSF 2.0?
CSF 2.0, published in February 2024, added a sixth top-level Function — Govern — to put cybersecurity risk management alongside other enterprise risks, and broadened the framework's audience from critical-infrastructure operators to organizations of all sizes and sectors. HAiCapita's control library reflects the 2.0 six-Function structure.
Can I map NIST CSF to ISO 27001 and SOC 2?
Yes. Controls are authored once and crosswalked across frameworks, so the outcomes you evidence for NIST CSF can also satisfy ISO 27001, SOC 2, PCI DSS and your other mandates at the same time — letting you use CSF as the backbone of a single, unified control set.
Is NIST CSF available in an air-gapped deployment?
Yes. The full NIST CSF capability runs in the fully air-gapped, on-premise deployment — no external egress, entitlements from a locally-verified signed license — so your profiles, control set and evidence stay entirely within your jurisdiction.