Compliance Guide

NIST CSF 2.0 Compliance for Endpoints

A Practical Guide to the NIST Cybersecurity Framework 2.0's Endpoint Security Requirements

NIST Cybersecurity Framework 2.0 introduced a sixth Function — GOVERN — and extended the framework's applicability from critical infrastructure to organisations of every sector and size. Across all six Functions, the endpoint is where the majority of outcomes are actually delivered. This guide maps CSF 2.0's Categories and Subcategories most directly enforced at the device level to Zecurit Endpoint Manager, so IT and security teams can turn the framework's language into operational, evidenced controls.

Published by: Zecurit
Category: Compliance & Regulation
Audience: IT Teams, Security Officers, Compliance Leads, CISOs

Why NIST CSF 2.0 Puts the Endpoint at the Centre of Every Function

At a Glance
  • What it is: The NIST Cybersecurity Framework is a voluntary, risk-based framework published by the National Institute of Standards and Technology. Version 2.0, released in February 2024, is the most significant revision since the original 2014 publication.
  • Who uses it: Originally developed for US critical infrastructure, CSF 2.0 explicitly broadens its scope to organisations of all sizes, sectors, and geographies, including commercial enterprises, SMBs, and non-US organisations aligning with US federal cybersecurity expectations.
  • Why endpoints dominate: The framework's Categories for asset management, configuration management, identity management, vulnerability management, protective technology, anomaly detection, and incident analysis all require data sourced from, and controls enforced at, the endpoint.
  • How Zecurit helps: Asset discovery, hardware and software inventory, patch and vulnerability management, configuration management, BitLocker encryption, device control, real-time monitoring and alerts, and audit-ready compliance reporting from a single agent and unified console.

The NIST Cybersecurity Framework was first published in 2014 in response to Executive Order 13636, which directed NIST to develop a voluntary framework to reduce cyber risks to critical infrastructure. Over the following decade, the framework spread well beyond critical infrastructure: it became the default reference architecture for US federal agencies, a common language for vendor security assessments, and the baseline that many sector-specific regulations map to when organisations need to demonstrate cybersecurity programme maturity.

CSF 2.0, released in February 2024, is the framework's most substantial revision. It introduces a new sixth Function — GOVERN — acknowledges the role of supply chain risk and governance structures that earlier versions treated as secondary, and explicitly repositions the framework for any organisation regardless of sector, size, or geography. The 2.0 revision also introduces CSF Profiles and Tiers more formally, giving organisations structured tools to document their current cybersecurity posture and their target state.

The Endpoint Concentration Problem: Every CSF 2.0 Function contains Categories that depend on endpoint-level data or enforcement. You cannot accurately maintain an asset inventory, enforce secure configurations, detect anomalous behaviour, contain a security incident, or recover from an attack without granular, real-time visibility into what is installed on, running on, and connecting to your managed devices. Policy documents and periodic scans are not enough — the framework explicitly expects continuous, automated controls.

This guide maps NIST CSF 2.0's most endpoint-relevant Categories and Subcategories across all six Functions to specific capabilities in Zecurit Endpoint Manager, giving IT and security teams a clear path from the framework's language to operational controls that can be demonstrated to auditors, leadership, and customers.

Key Terminology in NIST CSF 2.0

NIST CSF 2.0 uses a specific vocabulary that shapes how the framework is implemented and assessed:

  • Function

    The six top-level outcomes of the framework: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER. Functions represent the highest level of abstraction in the framework's hierarchy.

  • Category

    A subdivision of a Function into groups of related cybersecurity outcomes, for example Asset Management within IDENTIFY or Protective Technology within PROTECT. CSF 2.0 contains 22 Categories across the six Functions.

  • Subcategory

    Specific, technical outcomes within each Category. These are the most granular level in the framework's hierarchy and map closely to individual technical controls. CSF 2.0 contains 106 Subcategories.

  • CSF Profile

    A formal description of an organisation's current or target cybersecurity outcomes selected from the framework's Categories and Subcategories. Profiles allow gap analysis between current and desired state.

  • Informative Reference

    External standards, guidelines, or practices mapped to CSF Subcategories. CSF Subcategories map to NIST SP 800-53, CIS Controls, ISO/IEC 27001, and others, enabling cross-framework alignment.

  • Tier

    A qualitative description of how an organisation's cybersecurity risk management practices align with CSF characteristics, from Tier 1 (Partial) to Tier 4 (Adaptive). Tiers describe programme maturity, not compliance level.

Who Uses the NIST Cybersecurity Framework?

CSF 2.0's explicit expansion beyond critical infrastructure means adoption now spans virtually every sector. Common use cases include:

  • US federal agencies required to align with FISMA and OMB Circular A-130
  • US Department of Defense contractors subject to CMMC, which maps to NIST SP 800-171 and CSF
  • Critical infrastructure operators in energy, water, healthcare, and financial services
  • Enterprise and mid-market organisations using CSF as a common language for security programme governance
  • SaaS and technology vendors demonstrating cybersecurity maturity to enterprise and government customers
  • Managed service providers building CSF-aligned security programmes for client environments
  • Healthcare organisations aligning HIPAA Security Rule requirements with CSF Categories
  • International organisations voluntarily adopting CSF for its cross-standard alignment and US market access benefits

Regulatory Convergence: NIST CSF 2.0 is explicitly mapped to NIST SP 800-53 Rev 5, CIS Controls v8, ISO/IEC 27001:2022, and PCI DSS v4.0.1 through NIST's published informative references. Organisations implementing CSF 2.0 comprehensively at the endpoint level frequently find that the same technical controls satisfy requirements across multiple frameworks simultaneously, substantially reducing the cost of maintaining parallel compliance programmes.

The Six CSF 2.0 Functions

CSF 2.0's six Functions form a continuous cycle of cybersecurity risk management. GOVERN, the new addition in 2.0, underpins all five of the original Functions by providing the governance structures and organisational context within which cybersecurity activities take place.

GV · GOVERN

Organisational Context & Risk Management

Establishes and monitors the organisation's cybersecurity risk management strategy, expectations, and policy. New in CSF 2.0 and foundational to all other Functions.

ID · IDENTIFY

Asset & Risk Understanding

Develops an organisational understanding of cybersecurity risk to systems, assets, data, and capabilities. Asset management is the primary Category enforced at the endpoint.

PR · PROTECT

Safeguards & Access Control

Implements appropriate safeguards to ensure delivery of critical services. Covers identity management, configuration management, data security, and protective technology across the endpoint fleet.

DE · DETECT

Anomalies & Events

Identifies the occurrence of a cybersecurity event in a timely manner. Continuous monitoring, security event logging, and anomaly detection all originate at the endpoint.

RS · RESPOND

Incident Response

Takes action regarding a detected cybersecurity incident. Effective response depends on the same endpoint visibility and remote action capabilities that underpin PROTECT and DETECT.

RC · RECOVER

Recovery Planning

Maintains plans for resilience and restores capabilities impaired by a cybersecurity incident. Endpoint configuration consistency and audit trail availability are prerequisites for reliable recovery.

Endpoint Coverage Across All Six Functions: Unlike frameworks that concentrate technical controls in a single theme, CSF 2.0 distributes endpoint-relevant requirements across all six Functions. Asset management, software inventory, and vulnerability data (IDENTIFY) feed the configuration and patching controls in PROTECT, which generate the security events that DETECT monitors, which RESPOND acts on, and which RECOVER uses to restore a known-good state. Endpoint management is the connective tissue across the entire framework.

What Changed in CSF 2.0 and Why It Matters for Endpoints

Current Version: NIST Cybersecurity Framework 2.0 was published on 26 February 2024. It supersedes CSF 1.1 (2018). While the framework remains voluntary for most organisations, US federal agencies are expected to align with NIST guidance, and numerous sector regulations now reference CSF 2.0 by name. CSF 1.1 profiles remain valid for organisations mid-transition, but all new CSF-alignment work should reference 2.0.

The addition of GOVERN as the sixth Function is the most structurally significant change in CSF 2.0. GOVERN places cybersecurity risk management firmly within the organisation's broader enterprise risk management context, requiring that cybersecurity policies, roles, responsibilities, and oversight structures be formally documented and maintained. For endpoint management specifically, this means that asset inventory processes, patch management policies, and configuration baselines need to be not just operational but formally governed, with ownership, review cycles, and audit evidence.

CSF 2.0 also substantially expands the framework's guidance on supply chain risk (now Category GV.SC within GOVERN), which carries direct implications for the software and firmware running on managed endpoints. The 2.0 revision sharpens the language around continuous monitoring: where earlier versions described monitoring as a goal, 2.0 treats it as an expected operational practice, with Subcategories that explicitly require automated alerting and defined detection baselines rather than periodic reviews. For endpoint teams, this is the clearest signal yet that real-time monitoring across the device fleet is no longer aspirational; it is the expected baseline.

GOVERN: Policy, Roles, and Cybersecurity Risk Management

GOVERN is CSF 2.0's foundational Function, ensuring cybersecurity risk management is embedded in the organisation's strategy, accountability structures, and oversight processes. For endpoint programmes, GOVERN requires that asset management procedures, patch policies, configuration baselines, and device control rules are formally documented, owned, and regularly reviewed, not just operationally active.

GV.OC / GV.RM / GV.PO

Cybersecurity Policy, Roles, and Oversight

GOVERN — Organisational Context (GV.OC), Risk Management Strategy (GV.RM), Policy (GV.PO)

The GOVERN Function requires that the organisation's cybersecurity risk management strategy is established and communicated (GV.RM), that cybersecurity roles and responsibilities are understood and assigned (GV.OC), and that cybersecurity policy is established, communicated, and enforced (GV.PO). At the endpoint level, this means patch management timelines, configuration baseline approval processes, and device control rules must exist as formal, governed policies rather than informal practices.

Zecurit Endpoint Manager

Compliance and Reporting provides 100+ built-in report templates including pre-mapped templates for NIST CSF, enabling IT and security teams to produce documented evidence of policy implementation across the endpoint fleet. Configuration Management allows policies to be formally named, versioned, and deployed from a central console, giving GOVERN's policy requirements an operational home with an audit trail that governance reviewers can inspect.

NIST CSF Report Templates · Compliance and Reporting · Configuration Management · Scheduled Report Delivery

IDENTIFY: Asset Management and Risk Assessment

IDENTIFY is the foundation on which every other Function rests. You cannot protect, detect, respond to, or recover from threats to assets you do not know exist. The Asset Management Category (ID.AM) is the most directly endpoint-relevant within IDENTIFY, requiring a maintained, accurate inventory of hardware assets, software assets, and their interconnections.

ID.AM-01 / ID.AM-02

Hardware and Software Asset Inventory

IDENTIFY — Asset Management (ID.AM)

ID.AM-01 requires that inventories of hardware managed by the organisation are maintained. ID.AM-02 requires that inventories of software, services, and systems managed by the organisation are maintained. Both Subcategories expect the inventory to be current, accurate, and available for risk assessment rather than a periodic snapshot. Unmanaged or unknown endpoints are explicitly outside the protection boundary and constitute unaccepted risk under this Subcategory.

Zecurit Endpoint Manager

Asset Discovery continuously scans the environment to surface every managed and unmanaged device, while Hardware Inventory maintains a real-time record of each asset's make, model, OS version, hostname, IP address, and last-seen timestamp. Software Inventory tracks every installed application and service across the fleet with version data, directly satisfying ID.AM-02's software inventory requirement from the same agent and console.

Asset Discovery · Hardware Inventory · Software Inventory · Real-Time Asset Data

ID.AM-08 / ID.RA-01

Software Vulnerability Identification and Risk Assessment

IDENTIFY — Asset Management (ID.AM-08), Risk Assessment (ID.RA-01)

ID.AM-08 requires that systems, hardware, software, services, and data are managed throughout their life cycles. ID.RA-01 requires that vulnerabilities in assets are identified, validated, and recorded. Together these Subcategories create the requirement for continuous, fleet-wide vulnerability intelligence that feeds the organisation's risk treatment decisions, not a quarterly scan.

Zecurit Endpoint Manager

Vulnerability Management continuously maps installed software across every managed endpoint against a live CVE database, surfacing severity-ranked vulnerabilities with CVSS scores and exploit status. Software Licence Management and Warranty Management track the lifecycle status of both software entitlements and hardware assets, supporting ID.AM-08's lifecycle management requirement across the full device population.

Vulnerability Management · CVSS Prioritisation · Software Licence Management · Warranty Management

PROTECT: Safeguards, Configuration, and Data Security

PROTECT is the largest endpoint-relevant Function in CSF 2.0, spanning identity management, access control, configuration management, data security, protective technology, and vulnerability management. The majority of day-to-day endpoint security work sits within PROTECT's Categories.

PR.AA-01 / PR.AA-05

Identity Management and Access Control

PROTECT — Identity Management, Authentication, and Access Control (PR.AA)

PR.AA-01 requires that identities and credentials for authorised users, services, and hardware are managed. PR.AA-05 requires that access permissions and authorisations are managed, incorporating the principles of least privilege and separation of duties. At the endpoint level, these Subcategories require that local user accounts, administrator privileges, and remote access permissions are actively governed rather than provisioned and forgotten.

Zecurit Endpoint Manager

Configuration Management's User and Group Management module enables IT administrators to create, modify, and disable local user accounts across the entire fleet from a single console, enforcing password complexity and expiry policies consistently. Role-based access controls within the Zecurit console enforce least privilege for IT staff, and User Logon Reports in the Monitoring and Alerts module record authentication events by account and device, providing the access history record PR.AA requires as evidence.

User and Group Management · Password Policy Enforcement · Role-Based Access · User Logon Reports

PR.PS-01 / PR.PS-02

Configuration Management and Secure Baseline Maintenance

PROTECT — Platform Security (PR.PS)

PR.PS-01 requires that the configuration and integrity of hardware, software, and firmware are maintained. PR.PS-02 requires that software is maintained to reduce exploitability, including patch management. These Subcategories capture the full lifecycle of keeping endpoint devices in a known, secure, and current state. Configuration drift between review cycles is one of the most common sources of undetected exposure in otherwise well-managed environments.

Zecurit Endpoint Manager

Configuration Management allows IT teams to define named profiles bundling firewall rules, Windows Update settings, and security hardening parameters, then deploy and continuously enforce them across device groups. Hardware and Software Change Alerts in the Monitoring and Alerts module detect configuration drift the moment it occurs. Patch Management addresses PR.PS-02 directly, with automated scanning and deployment of missing OS and third-party patches ranked by CVSS severity.

Configuration Management · Centralised Profile Management · Firewall Policy Management · Patch Management · Hardware/Software Change Alerts

PR.DS-01 / PR.DS-02

Data Security: Encryption and Data at Rest

PROTECT — Data Security (PR.DS)

PR.DS-01 requires that data at rest is protected. PR.DS-02 requires that data in transit is protected. At the endpoint level, PR.DS-01 is the primary driver for full-disk encryption on managed devices, ensuring that data on a lost, stolen, or decommissioned machine remains inaccessible without the correct credentials or recovery key. The Category also covers removable media: data saved to unencrypted USB drives or external storage creates an uncontrolled data-at-rest exposure outside the managed environment.

Zecurit Endpoint Manager

BitLocker Management enforces full-disk encryption across every managed Windows endpoint, with TPM-only, TPM+PIN, and passphrase authentication modes, automatic recovery key backup, and BitLocker Compliance Reports that surface any unprotected device instantly. Device Control governs removable media connections with allow, block, or trusted-device-only policies, preventing unencrypted data from leaving the managed environment through USB or external storage.

BitLocker Management · TPM Policy Management · BitLocker Compliance Reports · Device Control · USB/Removable Storage Policies

PR.PS-05 / PR.DS-10

Removable Media and Data Exfiltration Prevention

PROTECT — Platform Security (PR.PS-05), Data Security (PR.DS-10)

PR.PS-05 requires that installation and execution of unauthorised software is prevented. PR.DS-10 requires that the integrity of data is protected. Removable media represents one of the simplest and most consistently overlooked data exfiltration channels: a user copying sensitive files to an unmanaged USB drive, or plugging in a device loaded with malicious software, bypasses most network-layer controls entirely. CSF 2.0 treats both scenarios as within scope for PROTECT.

Zecurit Endpoint Manager

Device Control enforces granular allow, block, or trusted-device-only policies for USB storage, Bluetooth peripherals, optical drives, and wireless adapters across every managed endpoint. BadUSB keystroke injection prevention protects against weaponised USB devices, and policies remain in force even when endpoints are offline, closing the gap that unmanaged remote or travelling devices create. Every connection attempt and policy enforcement event is logged with timestamp, device ID, and user account.

Device Control · USB/Removable Storage Policies · BadUSB Protection · Offline Policy Enforcement · Audit Device Logs

PR.PS-06 / PR.IR-01

Vulnerability Remediation and Patch Management

PROTECT — Platform Security (PR.PS-06), Infrastructure Resilience (PR.IR-01)

PR.PS-06 requires that only trustworthy software and firmware are installed and executed. PR.IR-01 requires that networks and environments are protected from unauthorised logical access and usage. Patch management is the primary operational mechanism for satisfying both: unpatched software is the single most common initial access vector exploited by ransomware and targeted attack groups, and CSF 2.0 expects patch management to be continuous and risk-prioritised rather than calendar-driven.

Zecurit Endpoint Manager

Patch Management continuously scans every managed endpoint for missing OS and third-party application patches, ranks them by CVSS score and active exploit intelligence, and deploys them during configured maintenance windows without requiring manual intervention. Vulnerability Management maps installed software against the live CVE database fleet-wide, and Patch Compliance Reports document that remediation was completed with timestamped evidence for each device.

Patch Management · Vulnerability Management · CVSS Prioritisation · Patch Compliance Reports · Automated Patch Deployment

DETECT: Continuous Monitoring and Anomaly Detection

DETECT requires that cybersecurity events are identified in a timely manner. CSF 2.0 sharpens the language around continuous monitoring significantly compared to CSF 1.1, treating automated, real-time alerting as the expected baseline rather than an advanced capability. Endpoints generate the most operationally relevant security event data in most environments.

DE.CM-01 / DE.CM-03 / DE.CM-09

Continuous Monitoring of Assets, Users, and Software

DETECT — Continuous Monitoring (DE.CM)

DE.CM-01 requires that networks and network services are monitored to find potentially adverse events. DE.CM-03 requires that personnel activity and technology usage are monitored to find potentially adverse events. DE.CM-09 requires that computing hardware and software are monitored to find potentially adverse events. Together these Subcategories require that the full range of endpoint activity (device connections, user logon events, software changes, and security state changes) is captured and surfaced in real time.

Zecurit Endpoint Manager

The Monitoring and Alerts module logs security, hardware, software, and user access events in real time across every managed endpoint. Security Alerts notify IT teams immediately when antivirus protection is disabled, firewall rules are changed, or any configured security threshold is breached on any device. IT Asset Monitoring and Alerts extends this coverage to hardware changes, providing the fleet-wide, real-time monitoring footprint DE.CM demands across all three Subcategories.

Real-Time Monitoring and Alerts · Security Alerts · IT Asset Monitoring and Alerts · Hardware/Software Change Alerts

DE.AE-02 / DE.AE-06

Adverse Event Analysis and Incident Identification

DETECT — Adverse Event Analysis (DE.AE)

DE.AE-02 requires that potentially adverse events are analysed to better understand associated activities. DE.AE-06 requires that information on adverse events is provided to authorised staff and tools. The ability to analyse endpoint events depends entirely on the quality, completeness, and timeliness of the log data those endpoints generate. Sparse or delayed logging translates directly into slow or missed detection.

Zecurit Endpoint Manager

The Monitoring and Alerts module captures security, hardware, access, and device connection events with full metadata across all managed endpoints, building the detailed activity record that adverse event analysis requires. User Logon Reports and Audit Device Logs record access patterns and peripheral connection history, giving security teams the forensic baseline needed to distinguish routine behaviour from anomalous activity during an investigation.

Security Event Logging · User Logon Reports · Audit Device Logs · Real-Time Monitoring and Alerts

RESPOND: Incident Containment and Remote Action

RESPOND requires that actions are taken following the detection of a cybersecurity incident. The speed and precision of the response depend heavily on the same endpoint visibility that DETECT provides, combined with the ability to take immediate, targeted action on affected devices without requiring physical access or waiting for a helpdesk queue.

RS.MA-01 / RS.MA-03

Incident Management and Containment at the Endpoint

RESPOND — Incident Management (RS.MA)

RS.MA-01 requires that the incident response plan is executed in coordination with relevant third parties once an incident is declared. RS.MA-03 requires that incidents are categorised and prioritised. At the endpoint level, effective response means the ability to act on affected devices quickly: isolating a compromised machine, deploying a remediation script, locking out an account, or pushing a configuration change without raising a ticket and waiting for a technician to reach the device.

Zecurit Endpoint Manager

Remote Script Execution allows IT and security teams to deploy remediation scripts to any managed endpoint instantly, with execution logs confirming completion. Remote Actions provide additional direct device management capabilities for immediate incident response. Configuration Management can push updated policies to device groups the moment a threat pattern is identified, and Device Control policy changes take effect immediately on managed endpoints, including those that are currently offline when the policy is updated.

Remote Script Execution · Remote Actions · Configuration Management · Device Control · Offline Policy Enforcement

RS.AN-03 / RS.AN-06

Forensic Analysis and Evidence Collection

RESPOND — Incident Analysis (RS.AN)

RS.AN-03 requires that the root cause of the incident is identified and the causes investigated. RS.AN-06 requires that actions performed during an investigation are recorded and that evidence is preserved. The quality of forensic analysis after an endpoint incident depends on the granularity and integrity of the logs that were collected before and during the event. After-the-fact log reconstruction is unreliable; pre-existing, comprehensive endpoint logging is the only evidence base that holds up to scrutiny.

Zecurit Endpoint Manager

The Monitoring and Alerts module maintains a continuous, timestamped record of security events, hardware changes, software installations, user logon activity, and device connections across all managed endpoints. Device Control audit logs capture every peripheral connection event with device ID, user account, and timestamp, providing the evidence trail RS.AN-06 expects to see in a post-incident investigation or regulatory enquiry.

Security Event Logging · Audit Device Logs · User Logon Reports · Hardware/Software Change Logs

RECOVER: Restoring Endpoint Environments to a Known-Good State

RECOVER addresses restoring systems and services impaired by a cybersecurity incident to normal operation. At the endpoint level, RECOVER depends on two things that must already be in place before an incident occurs: a documented, enforced configuration baseline to restore devices to, and the operational ability to rapidly redeploy that baseline across the affected device population.

RC.RP-03 / RC.RP-05

Recovery Execution and Configuration Restoration

RECOVER — Incident Recovery Plan Execution (RC.RP)

RC.RP-03 requires that the integrity of backups and other restoration assets is verified before using them for restoration. RC.RP-05 requires that the integrity and security of the recovered environment is verified post-restoration. For endpoints, recovery means being able to confirm that a restored or rebuilt device matches the approved security baseline, not just that the operating system boots. A device rebuilt from an unverified image and missing critical security patches or configuration settings is still an exposure.

Zecurit Endpoint Manager

Configuration Management profiles serve as the documented security baseline that recovered endpoints can be measured against and remediated to, ensuring restored devices re-enter the environment meeting the same security posture as the rest of the fleet. Patch Management immediately identifies and remediates any missing patches on a recovered endpoint, and Compliance and Reporting confirms the restored device's compliance status against all active policies before it is returned to full operation.

Configuration Management · Patch Management · Compliance and Reporting · Security Dashboard

Cross-Function

Audit-Ready Evidence Across All Six CSF Functions

Supports GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER

CSF 2.0 Profiles require organisations to document their current cybersecurity outcomes and their target state, creating an expectation of ongoing evidence that the selected Subcategories are operational, not just documented in a policy. Whether producing evidence for an internal board review, a customer security questionnaire, a CMMC assessment, or a federal audit, IT teams need to retrieve current, accurate, fleet-wide compliance data on demand rather than assembling it reactively from disconnected sources.

Zecurit Endpoint Manager

Compliance and Reporting provides 100+ built-in report templates including pre-mapped templates for NIST CSF, ISO 27001, PCI-DSS, CIS Controls, HIPAA, and GDPR. Security Reports surface BitLocker gaps, firewall status, antivirus health, patch compliance, and software inventory data across all managed endpoints in a single view. Scheduled Report Delivery automates evidence generation on a recurring basis, giving security teams current, accurate CSF alignment data ahead of any assessment or review cycle.

100+ Compliance Reports · NIST CSF Report Templates · Scheduled Report Delivery · Security Dashboard · Inventory Reports

NIST CSF 2.0 Subcategories and Zecurit Endpoint Manager Capabilities

A consolidated reference mapping each endpoint-relevant CSF 2.0 Subcategory to the relevant Zecurit features, useful for CSF Profile documentation and alignment assessments.

| CSF 2.0 Subcategory | Function | Zecurit Endpoint Manager Capability |
| --- | --- | --- |
| Policy and Governance (GV.OC / GV.RM / GV.PO) | GOVERN | NIST CSF Report Templates, Configuration Management, Scheduled Report Delivery |
| Hardware Asset Inventory (ID.AM-01) | IDENTIFY | Asset Discovery, Hardware Inventory, Hardware Change Alerts |
| Software Asset Inventory (ID.AM-02) | IDENTIFY | Software Inventory, Software Alerts, Software Licence Management |
| Vulnerability Identification (ID.AM-08 / ID.RA-01) | IDENTIFY | Vulnerability Management, CVSS Prioritisation, Warranty Management |
| Identity and Access Control (PR.AA-01 / PR.AA-05) | PROTECT | User and Group Management, Role-Based Access, User Logon Reports |
| Configuration Management (PR.PS-01 / PR.PS-02) | PROTECT | Configuration Management, Firewall Policy Management, Change Alerts |
| Data at Rest Encryption (PR.DS-01) | PROTECT | BitLocker Management, TPM Policy Management, BitLocker Compliance Reports |
| Removable Media Controls (PR.PS-05 / PR.DS-10) | PROTECT | Device Control, USB/Removable Storage Policies, BadUSB Protection |
| Patch and Vulnerability Remediation (PR.PS-06) | PROTECT | Patch Management, Vulnerability Management, Patch Compliance Reports |
| Continuous Monitoring (DE.CM-01 / DE.CM-03 / DE.CM-09) | DETECT | Real-Time Monitoring and Alerts, Security Alerts, IT Asset Monitoring |
| Adverse Event Analysis (DE.AE-02 / DE.AE-06) | DETECT | Security Event Logging, User Logon Reports, Audit Device Logs |
| Incident Containment (RS.MA-01 / RS.MA-03) | RESPOND | Remote Script Execution, Remote Actions, Device Control |
| Forensic Evidence (RS.AN-03 / RS.AN-06) | RESPOND | Audit Device Logs, User Logon Reports, Change Logs |
| Recovery Verification (RC.RP-03 / RC.RP-05) | RECOVER | Configuration Management, Patch Management, Compliance and Reporting |
| Cross-Function Compliance Evidence | All | 100+ Compliance Reports, NIST CSF Templates, Scheduled Report Delivery |

CSF 2.0 Outcomes Are Delivered at the Endpoint, Then Evidenced in the Report

NIST CSF 2.0 is deliberately outcome-focused rather than prescriptive about specific technologies. What the framework does make clear, particularly with the CSF 2.0 revisions around continuous monitoring and governance, is that the evidence of those outcomes needs to be current, accurate, and available on demand, not assembled once a year ahead of a review cycle.

Across all six Functions, the endpoint is where the majority of CSF outcomes are actually delivered: assets are inventoried here, configurations are enforced here, vulnerabilities are patched here, security events originate here, incidents are contained here, and recovery baselines are applied here. A cybersecurity programme that has strong policy documents but weak endpoint visibility will consistently fail to demonstrate the operational outcomes CSF 2.0 expects.

Zecurit Endpoint Manager addresses NIST CSF 2.0's core endpoint-relevant Subcategories across all six Functions from a single lightweight agent and unified console, giving IT and security teams the asset visibility, configuration enforcement, patch management, device control, real-time monitoring, and audit-ready reporting that a CSF Profile assessment, federal audit, or customer security review expects to see in place and operating continuously.

About Zecurit

Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.

To learn more about Zecurit Endpoint Manager and how it supports your NIST CSF 2.0 alignment programme, start a free 14-day trial or contact the Zecurit team.