NIST Cybersecurity Framework 2.0 introduced a sixth Function — GOVERN — and extended the framework's applicability from critical infrastructure to organisations of every sector and size. Across all six Functions, the endpoint is where the majority of outcomes are actually delivered. This guide maps CSF 2.0's Categories and Subcategories most directly enforced at the device level to Zecurit Endpoint Manager, so IT and security teams can turn the framework's language into operational, evidenced controls.
The NIST Cybersecurity Framework was first published in 2014 in response to Executive Order 13636, which directed NIST to develop a voluntary framework to reduce cyber risks to critical infrastructure. Over the following decade, the framework spread well beyond critical infrastructure: it became the default reference architecture for US federal agencies, a common language for vendor security assessments, and the baseline that many sector-specific regulations map to when organisations need to demonstrate cybersecurity programme maturity.
CSF 2.0, released in February 2024, is the framework's most substantial revision. It introduces a new sixth Function — GOVERN — acknowledges the role of supply chain risk and governance structures that earlier versions treated as secondary, and explicitly repositions the framework for any organisation regardless of sector, size, or geography. The 2.0 revision also introduces CSF Profiles and Tiers more formally, giving organisations structured tools to document their current cybersecurity posture and their target state.
This guide maps NIST CSF 2.0's most endpoint-relevant Categories and Subcategories across all six Functions to specific capabilities in Zecurit Endpoint Manager, giving IT and security teams a clear path from the framework's language to operational controls that can be demonstrated to auditors, leadership, and customers.
NIST CSF 2.0 uses a specific vocabulary that shapes how the framework is implemented and assessed:
- Functions: The six top-level outcomes of the framework: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER. Functions represent the highest level of abstraction in the framework's hierarchy.
- Categories: A subdivision of a Function into groups of related cybersecurity outcomes, for example Asset Management within IDENTIFY or Protective Technology within PROTECT. CSF 2.0 contains 22 Categories across the six Functions.
- Subcategories: Specific, technical outcomes within each Category. These are the most granular level in the framework's hierarchy and map closely to individual technical controls. CSF 2.0 contains 106 Subcategories.
- Profiles: A formal description of an organisation's current or target cybersecurity outcomes selected from the framework's Categories and Subcategories. Profiles allow gap analysis between current and desired state.
- Informative References: External standards, guidelines, or practices mapped to CSF Subcategories. CSF Subcategories map to NIST SP 800-53, CIS Controls, ISO/IEC 27001, and others, enabling cross-framework alignment.
- Tiers: A qualitative description of how an organisation's cybersecurity risk management practices align with CSF characteristics, from Tier 1 (Partial) to Tier 4 (Adaptive). Tiers describe programme maturity, not compliance level.
CSF 2.0's explicit expansion beyond critical infrastructure means adoption now spans virtually every sector. Common use cases include:
CSF 2.0's six Functions form a continuous cycle of cybersecurity risk management. GOVERN, the new addition in 2.0, underpins all five of the original Functions by providing the governance structures and organisational context within which cybersecurity activities take place.
- GOVERN: Establishes and monitors the organisation's cybersecurity risk management strategy, expectations, and policy. New in CSF 2.0 and foundational to all other Functions.
- IDENTIFY: Develops an organisational understanding of cybersecurity risk to systems, assets, data, and capabilities. Asset management is the primary Category enforced at the endpoint.
- PROTECT: Implements appropriate safeguards to ensure delivery of critical services. Covers identity management, configuration management, data security, and protective technology across the endpoint fleet.
- DETECT: Identifies the occurrence of a cybersecurity event in a timely manner. Continuous monitoring, security event logging, and anomaly detection all originate at the endpoint.
- RESPOND: Takes action regarding a detected cybersecurity incident. Effective response depends on the same endpoint visibility and remote action capabilities that underpin PROTECT and DETECT.
- RECOVER: Maintains plans for resilience and restores capabilities impaired by a cybersecurity incident. Endpoint configuration consistency and audit trail availability are prerequisites for reliable recovery.
The addition of GOVERN as the sixth Function is the most structurally significant change in CSF 2.0. GOVERN places cybersecurity risk management firmly within the organisation's broader enterprise risk management context, requiring that cybersecurity policies, roles, responsibilities, and oversight structures be formally documented and maintained. For endpoint management specifically, this means that asset inventory processes, patch management policies, and configuration baselines need to be not just operational but formally governed, with ownership, review cycles, and audit evidence.
CSF 2.0 also substantially expands the framework's guidance on supply chain risk (now Category GV.SC within GOVERN), which carries direct implications for the software and firmware running on managed endpoints. The 2.0 revision sharpens the language around continuous monitoring: where earlier versions described monitoring as a goal, 2.0 treats it as an expected operational practice, with Subcategories that explicitly require automated alerting and defined detection baselines rather than periodic reviews. For endpoint teams, this is the clearest signal yet that real-time monitoring across the device fleet is no longer aspirational; it is the expected baseline.
GOVERN is CSF 2.0's foundational Function, ensuring cybersecurity risk management is embedded in the organisation's strategy, accountability structures, and oversight processes. For endpoint programmes, GOVERN requires that asset management procedures, patch policies, configuration baselines, and device control rules are formally documented, owned, and regularly reviewed, not just operationally active.
The GOVERN Function requires that the organisation's cybersecurity risk management strategy is established and communicated (GV.RM), that cybersecurity roles and responsibilities are understood and assigned (GV.OC), and that cybersecurity policy is established, communicated, and enforced (GV.PO). At the endpoint level, this means patch management timelines, configuration baseline approval processes, and device control rules must exist as formal, governed policies rather than informal practices.
Compliance and Reporting provides 100+ built-in report templates including pre-mapped templates for NIST CSF, enabling IT and security teams to produce documented evidence of policy implementation across the endpoint fleet. Configuration Management allows policies to be formally named, versioned, and deployed from a central console, giving GOVERN's policy requirements an operational home with an audit trail that governance reviewers can inspect.
IDENTIFY is the foundation on which every other Function rests. You cannot protect, detect, respond to, or recover from threats to assets you do not know exist. The Asset Management Category (ID.AM) is the most directly endpoint-relevant within IDENTIFY, requiring a maintained, accurate inventory of hardware assets, software assets, and their interconnections.
ID.AM-01 requires that inventories of hardware managed by the organisation are maintained. ID.AM-02 requires that inventories of software, services, and systems managed by the organisation are maintained. Both Subcategories expect the inventory to be current, accurate, and available for risk assessment rather than a periodic snapshot. Unmanaged or unknown endpoints are explicitly outside the protection boundary and constitute unaccepted risk under these Subcategories.
Asset Discovery continuously scans the environment to surface every managed and unmanaged device, while Hardware Inventory maintains a real-time record of each asset's make, model, OS version, hostname, IP address, and last-seen timestamp. Software Inventory tracks every installed application and service across the fleet with version data, directly satisfying ID.AM-02's software inventory requirement from the same agent and console.
ID.AM-08 requires that systems, hardware, software, services, and data are managed throughout their life cycles. ID.RA-01 requires that vulnerabilities in assets are identified, validated, and recorded. Together these Subcategories create the requirement for continuous, fleet-wide vulnerability intelligence that feeds the organisation's risk treatment decisions, not a quarterly scan.
Vulnerability Management continuously maps installed software across every managed endpoint against a live CVE database, surfacing severity-ranked vulnerabilities with CVSS scores and exploit status. Software Licence Management and Warranty Management track the lifecycle status of both software entitlements and hardware assets, supporting ID.AM-08's lifecycle management requirement across the full device population.
PROTECT is the largest endpoint-relevant Function in CSF 2.0, spanning identity management, access control, configuration management, data security, protective technology, and vulnerability management. The majority of day-to-day endpoint security work sits within PROTECT's Categories.
PR.AA-01 requires that identities and credentials for authorised users, services, and hardware are managed. PR.AA-05 requires that access permissions and authorisations are managed, incorporating the principles of least privilege and separation of duties. At the endpoint level, these Subcategories require that local user accounts, administrator privileges, and remote access permissions are actively governed rather than provisioned and forgotten.
Configuration Management's User and Group Management module enables IT administrators to create, modify, and disable local user accounts across the entire fleet from a single console, enforcing password complexity and expiry policies consistently. Role-based access controls within the Zecurit console enforce least privilege for IT staff, and User Logon Reports in the Monitoring and Alerts module record authentication events by account and device, providing the access history record PR.AA requires as evidence.
PR.PS-01 requires that the configuration and integrity of hardware, software, and firmware are maintained. PR.PS-02 requires that software is maintained to reduce exploitability, including patch management. These Subcategories capture the full lifecycle of keeping endpoint devices in a known, secure, and current state. Configuration drift between review cycles is one of the most common sources of undetected exposure in otherwise well-managed environments.
Configuration Management allows IT teams to define named profiles bundling firewall rules, Windows Update settings, and security hardening parameters, then deploy and continuously enforce them across device groups. Hardware and Software Change Alerts in the Monitoring and Alerts module detect configuration drift the moment it occurs. Patch Management addresses PR.PS-02 directly, with automated scanning and deployment of missing OS and third-party patches ranked by CVSS severity.
PR.DS-01 requires that data at rest is protected. PR.DS-02 requires that data in transit is protected. At the endpoint level, PR.DS-01 is the primary driver for full-disk encryption on managed devices, ensuring that data on a lost, stolen, or decommissioned machine remains inaccessible without the correct credentials or recovery key. The Category also covers removable media: data saved to unencrypted USB drives or external storage creates an uncontrolled data-at-rest exposure outside the managed environment.
BitLocker Management enforces full-disk encryption across every managed Windows endpoint, with TPM-only, TPM+PIN, and passphrase authentication modes, automatic recovery key backup, and BitLocker Compliance Reports that surface any unprotected device instantly. Device Control governs removable media connections with allow, block, or trusted-device-only policies, preventing unencrypted data from leaving the managed environment through USB or external storage.
PR.PS-05 requires that installation and execution of unauthorised software is prevented. PR.DS-10 requires that the integrity of data is protected. Removable media represents one of the simplest and most consistently overlooked data exfiltration channels: a user copying sensitive files to an unmanaged USB drive, or plugging in a device loaded with malicious software, bypasses most network-layer controls entirely. CSF 2.0 treats both scenarios as within scope for PROTECT.
Device Control enforces granular allow, block, or trusted-device-only policies for USB storage, Bluetooth peripherals, optical drives, and wireless adapters across every managed endpoint. BadUSB keystroke injection prevention protects against weaponised USB devices, and policies remain in force even when endpoints are offline, closing the gap that unmanaged remote or travelling devices create. Every connection attempt and policy enforcement event is logged with timestamp, device ID, and user account.
PR.PS-06 requires that only trustworthy software and firmware are installed and executed. PR.IR-01 requires that networks and environments are protected from unauthorised logical access and usage. Patch management is the primary operational mechanism for satisfying both: unpatched software is the single most common initial access vector exploited by ransomware and targeted attack groups, and CSF 2.0 expects patch management to be continuous and risk-prioritised rather than calendar-driven.
Patch Management continuously scans every managed endpoint for missing OS and third-party application patches, ranks them by CVSS score and active exploit intelligence, and deploys them during configured maintenance windows without requiring manual intervention. Vulnerability Management maps installed software against the live CVE database fleet-wide, and Patch Compliance Reports document that remediation was completed with timestamped evidence for each device.
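The risk-prioritised, maintenance-window-driven patching that PR.PS-06 expects is easy to state and easy to get subtly wrong, so here is an added worked example of the ordering logic. It is not Zecurit's code or any part of the product: the severity bands follow the CVSS v3 qualitative ratings, while the SLA days, window length, patch identifiers and scan records are constructed for illustration.

```python
"""Added example, not Zecurit code: risk-prioritised ordering of missing patches
and selection for the next maintenance window (PR.PS-06). Severity bands follow
CVSS v3 qualitative ratings; the SLA days, window length, patch identifiers and
sample records are constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed remediation SLA in days per severity band (an organisational policy choice).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

@dataclass(frozen=True)
class MissingPatch:
    device: str
    patch_id: str      # placeholder identifiers in the sample below
    cvss: float        # CVSS v3 base score
    exploited: bool    # known active exploitation
    first_seen: date   # when the scan first reported the patch missing
    est_minutes: int   # expected install time

def severity(p):
    """CVSS v3 band, except that anything under active exploitation is treated as critical."""
    if p.exploited or p.cvss >= 9.0:
        return "critical"
    if p.cvss >= 7.0:
        return "high"
    if p.cvss >= 4.0:
        return "medium"
    return "low"

def due_date(p):
    """Remediation deadline derived from first sighting and the severity SLA."""
    return p.first_seen + timedelta(days=SLA_DAYS[severity(p)])

def prioritise(patches, today):
    """Queue order: under active exploitation first, then anything past its SLA,
    then by CVSS score (highest first), then by age (oldest first)."""
    return sorted(patches, key=lambda p: (not p.exploited, due_date(p) >= today,
                                          -p.cvss, p.first_seen))

def plan_window(patches, today, window_minutes):
    """Fill the maintenance window greedily from the queue; return (scheduled, deferred)."""
    scheduled, deferred, used = [], [], 0
    for p in prioritise(patches, today):
        if used + p.est_minutes <= window_minutes:
            scheduled.append(p)
            used += p.est_minutes
        else:
            deferred.append(p)
    return scheduled, deferred

# Constructed sample scan results for two devices.
TODAY = date(2024, 5, 15)
SAMPLE = [
    MissingPatch("LT-0412", "PATCH-A", 7.5, False, date(2024, 5, 10), 20),
    MissingPatch("LT-0412", "PATCH-B", 5.3, False, date(2024, 4, 1), 10),
    MissingPatch("WS-0077", "PATCH-C", 8.1, True, date(2024, 5, 14), 30),
    MissingPatch("WS-0077", "PATCH-D", 9.8, False, date(2024, 5, 14), 45),
    MissingPatch("WS-0077", "PATCH-E", 3.1, False, date(2024, 2, 1), 15),
]

if __name__ == "__main__":
    scheduled, deferred = plan_window(SAMPLE, TODAY, window_minutes=60)
    for p in scheduled:
        print(f"schedule {p.patch_id} on {p.device}: {severity(p)}, due {due_date(p)}")
    for p in deferred:
        print(f"defer    {p.patch_id} on {p.device}: {severity(p)}, due {due_date(p)}")
```

With a 60-minute window the greedy fill schedules the exploited patch and the two overdue ones, and defers PATCH-D even though it is a 9.8 critical, simply because its 45-minute install no longer fits. That is the kind of outcome a compliance report should surface: anything deferred past its due date needs an out-of-window push or a documented risk acceptance, not silent carry-over to the next cycle.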
DETECT requires that cybersecurity events are identified in a timely manner. CSF 2.0 sharpens the language around continuous monitoring significantly compared to CSF 1.1, treating automated, real-time alerting as the expected baseline rather than an advanced capability. Endpoints generate the most operationally relevant security event data in most environments.
DE.CM-01 requires that networks and network services are monitored to find potentially adverse events. DE.CM-03 requires that personnel activity and technology usage are monitored to find potentially adverse events. DE.CM-09 requires that computing hardware and software are monitored to find potentially adverse events. Together these Subcategories require that the full range of endpoint activity (device connections, user logon events, software changes, and security state changes) is captured and surfaced in real time.
The Monitoring and Alerts module logs security, hardware, software, and user access events in real time across every managed endpoint. Security Alerts notify IT teams immediately when antivirus protection is disabled, firewall rules are changed, or any configured security threshold is breached on any device. IT Asset Monitoring and Alerts extends this coverage to hardware changes, providing the fleet-wide, real-time monitoring footprint DE.CM demands across all three Subcategories.
DE.AE-02 requires that potentially adverse events are analysed to better understand associated activities. DE.AE-06 requires that information on adverse events is provided to authorised staff and tools. The ability to analyse endpoint events depends entirely on the quality, completeness, and timeliness of the log data those endpoints generate. Sparse or delayed logging translates directly into slow or missed detection.
The Monitoring and Alerts module captures security, hardware, access, and device connection events with full metadata across all managed endpoints, building the detailed activity record that adverse event analysis requires. User Logon Reports and Audit Device Logs record access patterns and peripheral connection history, giving security teams the forensic baseline needed to distinguish routine behaviour from anomalous activity during an investigation.
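The detection and analysis outcomes described in the two passages above (DE.CM-01/-03/-09 and DE.AE-02/-06) come down to rules evaluated over a stream of endpoint events plus a retained activity record. The following is an added example of that logic, not Zecurit's code: the event layout, field names, rule thresholds, the "routine behaviour" baseline and the sample events are all constructed for illustration.

```python
"""Added example, not Zecurit code: rule-based alerting over endpoint security
events (DE.CM-01/-03/-09) with one correlation rule in the spirit of DE.AE-02.
The event layout, field names, rule thresholds and sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events, as an endpoint agent might emit them (not a real log format).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:11Z", "device": "LT-0412", "user": "j.doe",
     "type": "logon", "result": "success"},
    {"ts": "2024-05-01T08:05:40Z", "device": "LT-0412", "user": "j.doe",
     "type": "usb_connect", "device_id": "VID_0781&PID_5583", "action": "blocked"},
    {"ts": "2024-05-01T08:09:03Z", "device": "LT-0412", "user": "j.doe",
     "type": "security_state", "control": "antivirus", "state": "disabled"},
    {"ts": "2024-05-01T08:10:15Z", "device": "LT-0412", "user": "j.doe",
     "type": "config_change", "control": "firewall", "rule": "allow_in_3389"},
    {"ts": "2024-05-01T09:00:00Z", "device": "WS-0077", "user": "a.smith",
     "type": "logon", "result": "success"},
    {"ts": "2024-05-01T22:47:51Z", "device": "WS-0077", "user": "j.doe",
     "type": "logon", "result": "success"},
]

# Constructed baseline of routine behaviour: (user, device) pairs seen in normal use.
KNOWN_LOGONS = {("j.doe", "LT-0412"), ("a.smith", "WS-0077")}

@dataclass(frozen=True)
class Alert:
    ts: str
    device: str
    user: str
    severity: str
    subcategory: str   # CSF 2.0 Subcategory the rule supports
    message: str

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def evaluate(event, known_logons=KNOWN_LOGONS):
    """Apply the per-event detection rules; return a list of alerts (often empty)."""
    alerts = []
    kind = event["type"]
    common = dict(ts=event["ts"], device=event["device"], user=event["user"])
    if kind == "security_state" and event["state"] == "disabled":
        alerts.append(Alert(**common, severity="high", subcategory="DE.CM-09",
                            message=f"{event['control']} protection disabled"))
    elif kind == "config_change" and event["control"] == "firewall":
        alerts.append(Alert(**common, severity="high", subcategory="DE.CM-01",
                            message=f"firewall rule changed: {event['rule']}"))
    elif kind == "usb_connect" and event["action"] == "blocked":
        alerts.append(Alert(**common, severity="medium", subcategory="DE.CM-03",
                            message=f"removable media blocked: {event['device_id']}"))
    elif kind == "logon" and event["result"] == "success":
        if (event["user"], event["device"]) not in known_logons:
            alerts.append(Alert(**common, severity="medium", subcategory="DE.CM-03",
                                message="logon on a device outside this user's baseline"))
    return alerts

def correlate(alerts, window_seconds=600):
    """Analysis rule: protection disabled and then a firewall change on the same
    device within the window is escalated as one critical finding."""
    found = []
    disabled_at = {}
    for a in alerts:
        if a.subcategory == "DE.CM-09":
            disabled_at[a.device] = a
        elif a.subcategory == "DE.CM-01" and a.device in disabled_at:
            first = disabled_at[a.device]
            gap = (parse_ts(a.ts) - parse_ts(first.ts)).total_seconds()
            if 0 <= gap <= window_seconds:
                found.append(Alert(ts=a.ts, device=a.device, user=a.user, severity="critical",
                                   subcategory="DE.AE-02",
                                   message=f"protection disabled then firewall changed {int(gap)}s later"))
    return found

def run(events, known_logons=KNOWN_LOGONS):
    """Process events in time order; return (alerts, per-device activity record)."""
    alerts, record = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        record[ev["device"]].append(ev)   # the full record is kept, not just the alerts
        alerts.extend(evaluate(ev, known_logons))
    alerts.extend(correlate(alerts))
    return alerts, dict(record)

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS)[0]:
        print(f"{a.ts} {a.severity:<8} {a.subcategory} {a.device} {a.user}: {a.message}")
```

Two design points worth noting. The per-device record keeps every event, not only those that fired a rule, because the investigation described under RS.AN needs the routine events around an alert as much as the alert itself. And the logon rule works from a baseline of known (user, device) pairs: the same login that is routine on one machine is worth a look on another, which is exactly the "routine versus anomalous" distinction the passage above calls for.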
RESPOND requires that actions are taken following the detection of a cybersecurity incident. The speed and precision of the response depend heavily on the same endpoint visibility that DETECT provides, combined with the ability to take immediate, targeted action on affected devices without requiring physical access or waiting for a helpdesk queue.
RS.MA-01 requires that the incident response plan is executed in coordination with relevant third parties once an incident is declared. RS.MA-03 requires that incidents are categorised and prioritised. At the endpoint level, effective response means the ability to act on affected devices quickly: isolating a compromised machine, deploying a remediation script, locking out an account, or pushing a configuration change without raising a ticket and waiting for a technician to reach the device.
Remote Script Execution allows IT and security teams to deploy remediation scripts to any managed endpoint instantly, with execution logs confirming completion. Remote Actions provide additional direct device management capabilities for immediate incident response. Configuration Management can push updated policies to device groups the moment a threat pattern is identified, and Device Control policy changes take effect immediately on managed endpoints, including those that are currently offline when the policy is updated.
RS.AN-03 requires that the root cause of the incident is identified and the causes investigated. RS.AN-06 requires that actions performed during an investigation are recorded and that evidence is preserved. The quality of forensic analysis after an endpoint incident depends on the granularity and integrity of the logs that were collected before and during the event. After-the-fact log reconstruction is unreliable; pre-existing, comprehensive endpoint logging is the only evidence base that holds up to scrutiny.
The Monitoring and Alerts module maintains a continuous, timestamped record of security events, hardware changes, software installations, user logon activity, and device connections across all managed endpoints. Device Control audit logs capture every peripheral connection event with device ID, user account, and timestamp, providing the evidence trail RS.AN-06 expects to see in a post-incident investigation or regulatory enquiry.
RECOVER addresses restoring systems and services impaired by a cybersecurity incident to normal operation. At the endpoint level, RECOVER depends on two things that must already be in place before an incident occurs: a documented, enforced configuration baseline to restore devices to, and the operational ability to rapidly redeploy that baseline across the affected device population.
RC.RP-03 requires that the integrity of backups and other restoration assets is verified before using them for restoration. RC.RP-05 requires that the integrity and security of the recovered environment is verified post-restoration. For endpoints, recovery means being able to confirm that a restored or rebuilt device matches the approved security baseline, not just that the operating system boots. A device rebuilt from an unverified image and missing critical security patches or configuration settings is still an exposure.
Configuration Management profiles serve as the documented security baseline that recovered endpoints can be measured against and remediated to, ensuring restored devices re-enter the environment meeting the same security posture as the rest of the fleet. Patch Management immediately identifies and remediates any missing patches on a recovered endpoint, and Compliance and Reporting confirms the restored device's compliance status against all active policies before it is returned to full operation.
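The baseline comparison that underlies drift detection (PR.PS-01, including the BitLocker authentication mode required by PR.DS-01) is the same check that recovery verification (RC.RP-05) needs, with patch state and report freshness added. The example below is an added illustration and not Zecurit's code or its profile format: the profile layout, setting names, placeholder patch identifiers (`KB-EXAMPLE-...`) and the sample device state are all constructed.

```python
"""Added example, not Zecurit code: checking a device's reported state against a
named configuration baseline, both for drift detection (PR.PS-01) and to verify a
rebuilt device before it returns to service (RC.RP-05). The profile layout, setting
names, placeholder patch identifiers and sample device state are constructed."""
from datetime import date

# Constructed baseline profile: what every device in this group must report.
BASELINE = {
    "name": "corp-laptop-v3",
    "settings": {
        "firewall.enabled": True,
        "firewall.inbound_default": "block",
        "windows_update.auto_install": True,
        "antivirus.realtime": True,
        "bitlocker.protection_on": True,
        "bitlocker.auth_mode": "tpm_pin",    # TPM-only would not satisfy this profile
        "rdp.enabled": False,
    },
    "required_patches": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},   # placeholder ids
}

# Constructed sample: a device rebuilt from an image that predates the current profile.
REBUILT_DEVICE = {
    "hostname": "LT-0412",
    "reported_on": "2024-05-02",
    "settings": {
        "firewall.enabled": True,
        "firewall.inbound_default": "block",
        "windows_update.auto_install": True,
        "antivirus.realtime": True,
        "bitlocker.protection_on": True,
        "bitlocker.auth_mode": "tpm_only",
        # rdp.enabled is not reported at all
    },
    "installed_patches": ["KB-EXAMPLE-001"],
}

def drift(baseline, reported):
    """Return {setting: (expected, actual)} for each baseline setting the device does
    not match. A setting the device failed to report counts as drift, not as a pass."""
    out = {}
    for key, expected in baseline["settings"].items():
        actual = reported.get("settings", {}).get(key)
        if actual != expected:
            out[key] = (expected, actual)
    return out

def verify_recovered(baseline, reported, today, max_report_age_days=1):
    """Decide whether a restored device may re-enter service: drift-free settings,
    every required patch installed, and a state report no older than the limit.
    Returns (ok, reasons); `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    reasons = []
    for key, (expected, actual) in sorted(drift(baseline, reported).items()):
        reasons.append(f"setting {key}: expected {expected!r}, reported {actual!r}")
    missing = baseline["required_patches"] - set(reported.get("installed_patches", []))
    for patch in sorted(missing):
        reasons.append(f"missing required patch {patch}")
    age = (today - date.fromisoformat(reported["reported_on"])).days
    if age > max_report_age_days:
        reasons.append(f"state report is {age} days old (limit {max_report_age_days})")
    return (not reasons, reasons)

if __name__ == "__main__":
    ok, why = verify_recovered(BASELINE, REBUILT_DEVICE, today="2024-05-02")
    print(f"{REBUILT_DEVICE['hostname']} against {BASELINE['name']}: "
          f"{'compliant' if ok else 'NOT compliant'}")
    for reason in why:
        print(" -", reason)
```

The two edge cases the check is built around are the ones that bite in practice: a setting the agent did not report at all is treated as drift rather than as a pass (an absent value is not evidence of compliance), and a stale state report fails verification even if its contents look right, since the device may have changed since it was taken.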
CSF 2.0 Profiles require organisations to document their current cybersecurity outcomes and their target state, creating an expectation of ongoing evidence that the selected Subcategories are operational, not just documented in a policy. Whether producing evidence for an internal board review, a customer security questionnaire, a CMMC assessment, or a federal audit, IT teams need to retrieve current, accurate, fleet-wide compliance data on demand rather than assembling it reactively from disconnected sources.
Compliance and Reporting provides 100+ built-in report templates including pre-mapped templates for NIST CSF, ISO 27001, PCI-DSS, CIS Controls, HIPAA, and GDPR. Security Reports surface BitLocker gaps, firewall status, antivirus health, patch compliance, and software inventory data across all managed endpoints in a single view. Scheduled Report Delivery automates evidence generation on a recurring basis, giving security teams current, accurate CSF alignment data ahead of any assessment or review cycle.
A consolidated reference mapping each endpoint-relevant CSF 2.0 Subcategory to the relevant Zecurit features, useful for CSF Profile documentation and alignment assessments.
| CSF 2.0 Subcategory | Function | Zecurit Endpoint Manager Capability |
|---|---|---|
| Policy and Governance (GV.OC / GV.RM / GV.PO) | GOVERN | NIST CSF Report Templates, Configuration Management, Scheduled Report Delivery |
| Hardware Asset Inventory (ID.AM-01) | IDENTIFY | Asset Discovery, Hardware Inventory, Hardware Change Alerts |
| Software Asset Inventory (ID.AM-02) | IDENTIFY | Software Inventory, Software Alerts, Software Licence Management |
| Vulnerability Identification (ID.AM-08 / ID.RA-01) | IDENTIFY | Vulnerability Management, CVSS Prioritisation, Warranty Management |
| Identity and Access Control (PR.AA-01 / PR.AA-05) | PROTECT | User and Group Management, Role-Based Access, User Logon Reports |
| Configuration Management (PR.PS-01 / PR.PS-02) | PROTECT | Configuration Management, Firewall Policy Management, Change Alerts |
| Data at Rest Encryption (PR.DS-01) | PROTECT | BitLocker Management, TPM Policy Management, BitLocker Compliance Reports |
| Removable Media Controls (PR.PS-05 / PR.DS-10) | PROTECT | Device Control, USB/Removable Storage Policies, BadUSB Protection |
| Patch and Vulnerability Remediation (PR.PS-06) | PROTECT | Patch Management, Vulnerability Management, Patch Compliance Reports |
| Continuous Monitoring (DE.CM-01 / DE.CM-03 / DE.CM-09) | DETECT | Real-Time Monitoring and Alerts, Security Alerts, IT Asset Monitoring |
| Adverse Event Analysis (DE.AE-02 / DE.AE-06) | DETECT | Security Event Logging, User Logon Reports, Audit Device Logs |
| Incident Containment (RS.MA-01 / RS.MA-03) | RESPOND | Remote Script Execution, Remote Actions, Device Control |
| Forensic Evidence (RS.AN-03 / RS.AN-06) | RESPOND | Audit Device Logs, User Logon Reports, Change Logs |
| Recovery Verification (RC.RP-03 / RC.RP-05) | RECOVER | Configuration Management, Patch Management, Compliance and Reporting |
| Cross-Function Compliance Evidence | All | 100+ Compliance Reports, NIST CSF Templates, Scheduled Report Delivery |
NIST CSF 2.0 is deliberately outcome-focused rather than prescriptive about specific technologies. What the framework does make clear, particularly with the CSF 2.0 revisions around continuous monitoring and governance, is that the evidence of those outcomes needs to be current, accurate, and available on demand, not assembled once a year ahead of a review cycle.
Across all six Functions, the endpoint is where the majority of CSF outcomes are actually delivered: assets are inventoried here, configurations are enforced here, vulnerabilities are patched here, security events originate here, incidents are contained here, and recovery baselines are applied here. A cybersecurity programme that has strong policy documents but weak endpoint visibility will consistently fail to demonstrate the operational outcomes CSF 2.0 expects.
Zecurit Endpoint Manager addresses NIST CSF 2.0's core endpoint-relevant Subcategories across all six Functions from a single lightweight agent and unified console, giving IT and security teams the asset visibility, configuration enforcement, patch management, device control, real-time monitoring, and audit-ready reporting that a CSF Profile assessment, federal audit, or customer security review expects to see in place and operating continuously.
Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.
To learn more about Zecurit Endpoint Manager and how it supports your NIST CSF 2.0 alignment programme, start a free 14-day trial or contact the Zecurit team.