NIST CSF 2.0 — Cybersecurity Framework

NIST CSF, mapped to your evidence.

Six functions. Twenty-two categories. Over a hundred subcategories. The de-facto meta-framework for cybersecurity — and the one most other frameworks already crosswalk to. The Agency keeps your CSF profile live across the whole portfolio, vendors included.

The numbers your team already knows.

NIST CSF is voluntary on paper but load-bearing in practice — federal agencies require it, US suppliers expect it, and most other frameworks (ISO 27001, SOC 2, FFIEC, CMMC) explicitly map to it. Maintaining a current profile by hand is the problem.

  • 6 functions: Govern, Identify, Protect, Detect, Respond, Recover (CSF 2.0 added Govern)
  • 100+ subcategories to evidence across the framework, and growing
  • 4 tiers: Partial → Risk-informed → Repeatable → Adaptive (CSF maturity model)

ARIA, TARA, VANCE — your living CSF profile.

Three of The Agency's leads keep CSF evidence current, the profile mapped against your target tier, and the audit-ready output composed from live data — not last quarter's snapshot.

ARIA
Evidence & Document Intelligence

Every subcategory, mapped to evidence. ARIA reads SOC 2 reports, ISO certs, policies and trust pages, and maps each artefact against the CSF subcategories and the 157 Universal Controls — your profile reflects what you actually have.

What you get
  • CSF 2.0 subcategory mapping kept current
  • Cross-framework crosswalks — ISO 27001, SOC 2, FFIEC, CMMC
  • Vendor evidence ingested and mapped automatically
TARA
Tiering & Remediation

Your tier, watched continuously. TARA assesses every vendor's CSF profile against your target tier, flags drift, and opens SLA-bound remediation when controls fall short — so the maturity level you committed to actually holds.

What you get
  • Continuous tier assessment across the portfolio
  • Drift detection on subcategories that fall below target
  • Treatment plans with deadlines and SLA tracking
VANCE
Audit Composition

Profile reports composed from live data. VANCE generates current-state and target-state CSF profiles on demand — formatted for boards, auditors and federal agencies expecting CSF outputs (NIST 800-171, FedRAMP, CMMC).

What you get
  • Current-state and target-state CSF profiles on demand
  • Crosswalk reports to ISO 27001, SOC 2, CMMC and 800-171
  • Tamper-evident audit trail per output

Four shifts you'll feel at the next profile review.

NIST CSF stops being a once-a-year mapping exercise and becomes a continuous evidence layer that reflects current vendor posture across all six functions.

Profile stays live across the portfolio

Subcategories map to evidence automatically. When a vendor changes posture or attestation, the profile updates the same week.

Crosswalks come for free

Once mapped to CSF, the same evidence answers ISO 27001, SOC 2, CMMC and 800-171 questions. The mapping has already been done.

Tier drift surfaces automatically

TARA flags vendors whose CSF tier drops below your target — you stop discovering it during the next review and start acting on it inside SLA.

Federal-grade outputs land on demand

When the agency or prime contractor asks for a CSF profile, VANCE composes it from current data — not from a report writer waiting for someone to update the spreadsheet.

We crosswalked our entire vendor portfolio to NIST CSF in two weeks. The CMMC and 800-171 work that used to take a quarter now ships from the same evidence pack.

JT
CISO
US federal contractor

See it on your vendors.

Book a 30-minute call and we'll have NOVA, ARIA and REX produce a complete posture report on one of your live vendors inside 24 hours.