Atlas Apex


NIST CSF 2.0

NIST CSF 2.0 is the framework most other frameworks reference. For identity, the weight falls on the Govern and Protect functions, with Detect, Respond, and Recover close behind.

Full name
NIST Cybersecurity Framework 2.0
Region
International (originated US, widely adopted globally)
Applies to
Organisations of any size or sector seeking a structured way to manage cybersecurity risk. The 2.0 revision added the Govern function and broadened the framework beyond critical infrastructure to enterprises and SMEs.

NIST released Cybersecurity Framework 2.0 in February 2024. The new Govern function joined Identify, Protect, Detect, Respond, and Recover, making six functions in all. CSF is voluntary in the US but referenced as a baseline by many regulators worldwide. Identity controls are spread across PR.AA (Identity Management, Authentication, and Access Control), PR.DS (Data Security), DE.CM (Continuous Monitoring), and the GV cluster, so a CSF programme that does not treat identity as a subject in its own right ends up with the same control scattered across four categories and loses coherence quickly.

What it asks for

The Identity Lens

The clauses that bite when identity architecture is weak, rewritten in plain English. Authoritative text is linked below.

PR.AA — Identity Management, Authentication and Access Control

The CSF 2.0 category that explicitly covers identities and credentials being issued, managed, verified, revoked, and audited. PR.AA-01 through PR.AA-06 walk through the identity lifecycle as a control area in its own right: identity and credential management (PR.AA-01), identity proofing and binding to credentials (PR.AA-02), authentication of users, services, and hardware (PR.AA-03), protection and verification of identity assertions such as federation tokens (PR.AA-04), access permissions enforced on least-privilege and separation-of-duties principles (PR.AA-05), and physical access (PR.AA-06).

GV.RR — Roles, Responsibilities, and Authorities

The Govern function added in CSF 2.0 makes identity ownership a leadership-level expectation. GV.RR-01 holds organisational leadership accountable for cybersecurity risk, and GV.RR-02 requires roles, responsibilities, and authorities for managing that risk to be established, communicated, and enforced. Read through the identity lens, that means a named identity owner, named architects, and escalation paths appear as explicit governance controls.

DE.CM-01 / DE.CM-03 — Continuous monitoring of networks and personnel activity

DE.CM-01 covers monitoring of networks and network services; DE.CM-03 covers monitoring of personnel activity and technology usage. Anomalous access, deviation from established access baselines, and other identity-driven behavioural signals sit squarely under these Detect-function outcomes, and identity telemetry is what makes them observable.

RS.MA / RC.RP — Identity in response and recovery

Incident-response and recovery planning include the identity surface — credential rotation, federation containment, and the recovery path for the identity service itself. CSF 2.0 frames these as testable capabilities.

Where teams miss it

Common Misses

Patterns we see again and again — usually because the identity programme runs in parallel to the compliance programme rather than inside it.

Treating CSF as a control inventory without naming an identity owner. The Govern function in 2.0 is precisely about closing that gap; auditors will look for the named role.

PR.AA controls implemented per system rather than per identity, producing inconsistent lifecycle and recertification across the estate.

Detection and response programmes that consume endpoint and network telemetry but not identity telemetry — leaving the most-used adversary path under-monitored.

Recovery plans that assume identity will be available when other systems are recovering, with no test of the scenario where the IdP is itself impaired.

What works

Where Design Pays Off

Patterns we have seen survive supervisory review, audit, and the next change.

Identity treated as one of the named subjects of the Govern function, with measurable outcomes that flow into the risk-management programme.

PR.AA and GV.RR mapped to a single identity-architecture document, so the auditor follows one thread through the assessment.

Detection and recovery functions tested against identity-specific scenarios at least annually, with the test outputs feeding the Improvement category (ID.IM) so that findings change the plan rather than sitting in a report.

Authoritative sources

Read the source

Every claim above is checkable. Start here.

NIST, The NIST Cybersecurity Framework (CSF) 2.0, NIST CSWP 29, February 2024: https://doi.org/10.6028/NIST.CSWP.29

Need a NIST CSF 2.0-ready identity baseline?

We start with an assessment that maps your identity controls to the NIST CSF 2.0 outcomes above, then design and operate the controls that close the gaps.

Book a Conversation