What Changed in CSF 2.0

The original NIST Cybersecurity Framework (CSF 1.1) had five functions: Identify, Protect, Detect, Respond, Recover. CSF 2.0, published in February 2024, added a sixth: GOVERN. This is not a cosmetic change — it reflects a decade of practitioner feedback that cybersecurity programmes failed not because of missing technical controls but because of missing governance structures.

GOVERN sits above and around the other five functions. It covers: organisational context, risk management strategy, supply chain risk, roles and responsibilities, policies, and oversight. For a CISO presenting to a board, GOVERN is what converts technical posture into board-intelligible risk language.

Why GOVERN Matters for SEBI CSCRF

SEBI CSCRF explicitly requires a Cybersecurity Governance Framework at the board level. GOVERN (GV) in NIST CSF 2.0 maps almost directly to this requirement — making CSF 2.0 the most natural framework for SEBI-regulated entities to anchor their self-assessment to.

The Four Maturity Tiers

CSF 2.0 defines four implementation tiers. Unlike CMM-style maturity models, tiers in CSF 2.0 are not meant to be climbed mechanically — they describe the degree to which cybersecurity risk management is integrated into organisational culture and business processes. A Tier 4 organisation does not just follow a process; it treats cybersecurity risk as a first-class business input.

Tier 1 (Partial): Risk management is ad hoc and reactive. Limited awareness of cybersecurity risk. No formalised processes. Organisation-wide sharing of cybersecurity information is absent.

Tier 2 (Risk Informed): Risk practices exist but are not organisation-wide policy. Awareness of risk at senior management level but inconsistent application. Supply chain risk receives partial attention.

Tier 3 (Repeatable): Formally approved risk management practices, consistently implemented. Organisation-wide approach to managing risk. Supply chain risk managed. Regular updates to practices based on new intelligence.

Tier 4 (Adaptive): Continuous improvement based on lessons learned. Actively shares information with peers. Cybersecurity risk is integrated into business strategy, budgeting, and culture. Real-time adaptation to the threat landscape.

Mapping CSF 2.0 to SEBI CSCRF

SEBI CSCRF (effective April 2025) requires a Cybersecurity Posture Self-Assessment. The framework does not mandate a specific methodology, which means regulated entities can use NIST CSF 2.0 as the underlying maturity model and present the self-assessment in CSF language. The mapping below shows how CSF 2.0 functions align to CSCRF pillars:

| NIST CSF 2.0 Function | SEBI CSCRF Pillar | Key Control Areas |
|---|---|---|
| GV — GOVERN | Governance & Risk Management | Board oversight, risk appetite, policy lifecycle, CISO role |
| ID — IDENTIFY | Asset Management & Risk Assessment | Asset inventory, vulnerability management, risk assessment cadence |
| PR — PROTECT | Identity & Access, Data Security, Resilience | IAM, encryption, secure configuration, awareness training |
| DE — DETECT | Continuous Monitoring | SOC operations, anomaly detection, log management |
| RS — RESPOND | Incident Management | CERT-In 6-hr reporting, incident classification, forensics |
| RC — RECOVER | BCP/DR & Resilience | RTO/RPO, cyber drill, recovery plan testing |

CSCRF Self-Assessment Tip

SEBI expects the CSCRF self-assessment to be presented at the board level annually. Framing your Tier 3 or Tier 4 evidence in CSF 2.0 language makes it board-readable and regulator-auditable without translation. Use the GV function outputs as your board paper backbone.

How the RiskSage CISO Dashboard Tracks CSF 2.0

The RiskSage CISO Command Dashboard includes a NIST CSF 2.0 radar that plots your organisation’s current tier score across all six functions in real time. The radar is driven by live data from control evidence, compliance task completion, and incident metrics — not by a manual spreadsheet assessment.

How the Radar Works

Each CSF function maps to a set of UCL controls in RiskSage. As controls are evidenced, tasks completed, and incidents logged, the system computes a weighted function score on a 0.0–4.0 scale (corresponding to Tier 1–4). The radar updates automatically — a new VAPT finding that goes unremediated will reduce the ID score; a completed cyber drill evidence upload will boost the RC score.

Board-Ready Reporting

The CISO dashboard generates a one-click board report that shows the CSF 2.0 radar alongside the four key questions boards ask: (1) What is our current maturity tier per function? (2) Which functions have regressed since last quarter? (3) What are the top three risks driving the regression? (4) What is the remediation timeline and budget implication?

For SEBI-regulated entities, the report maps the CSF radar scores directly to the CSCRF self-assessment dimensions, so the same data set serves both the internal board report and the external SEBI submission.
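As an added illustration (not RiskSage's own scoring algorithm, which this page does not publish), the Python below models the mechanism described in "How the Radar Works" and board question (2) above: controls mapped to CSF 2.0 functions, a weighted 0.0–4.0 function score that an unremediated finding pulls down and new evidence pushes up, and a quarter-over-quarter tier regression check. All control identifiers, weights and evidence values are constructed for the example.

```python
"""Illustrative CSF 2.0 function-score model (added example, not RiskSage's).
Assumed model: each control has a weight and an evidence level in [0, 1]; an
unremediated finding removes that control's credit; a function's score is its
weighted mean evidence scaled to 0.0-4.0; the tier is the score rounded down."""
from dataclasses import dataclass, replace

FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass
class Control:
    control_id: str         # hypothetical control identifier
    function: str           # CSF 2.0 function the control maps to
    weight: float           # relative weight within its function
    evidence: float         # 0.0 (no evidence) .. 1.0 (fully evidenced)
    open_findings: int = 0  # unremediated findings, e.g. from a VAPT

def function_scores(controls):
    """Weighted evidence per function, scaled to the 0.0-4.0 tier range."""
    totals = {f: [0.0, 0.0] for f in FUNCTIONS}  # [weighted evidence, weight]
    for c in controls:
        credit = 0.0 if c.open_findings else c.evidence  # findings void credit
        totals[c.function][0] += c.weight * credit
        totals[c.function][1] += c.weight
    return {f: round(4.0 * ev / w, 2) if w else 0.0 for f, (ev, w) in totals.items()}

def tier(score):
    """Map a 0.0-4.0 score to Tier 1-4; anything below 1.0 is still Tier 1."""
    return max(1, min(4, int(score)))

def regressions(previous, current):
    """Functions whose tier fell since the previous assessment: {fn: (old, new)}."""
    return {f: (tier(previous[f]), tier(current[f]))
            for f in FUNCTIONS if tier(current[f]) < tier(previous[f])}

def demo():
    """Constructed two-quarter sample: a VAPT finding on ID-1 stays open, and
    cyber-drill evidence is uploaded for RC-1."""
    previous = [
        Control("GV-1", "GV", 1.0, 0.9), Control("GV-2", "GV", 1.0, 0.7),
        Control("ID-1", "ID", 2.0, 0.8), Control("ID-2", "ID", 1.0, 0.8),
        Control("PR-1", "PR", 1.0, 0.6), Control("DE-1", "DE", 1.0, 0.75),
        Control("RS-1", "RS", 1.0, 0.5), Control("RC-1", "RC", 1.0, 0.5),
    ]
    current = list(previous)
    current[2] = replace(current[2], open_findings=1)  # unremediated finding
    current[7] = replace(current[7], evidence=0.75)    # drill evidence uploaded
    prev_scores, cur_scores = function_scores(previous), function_scores(current)
    return prev_scores, cur_scores, regressions(prev_scores, cur_scores)

if __name__ == "__main__":
    prev, cur, reg = demo()
    for f in FUNCTIONS:
        print(f, prev[f], "->", cur[f], TIER_NAMES[tier(cur[f])])
    print("regressed:", reg)  # ID drops from Tier 3 to Tier 1; RC rises to Tier 3
```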

Drift Alerts

The RiskSage Regulatory Watch Feed monitors for changes to SEBI CSCRF and NIST framework updates. When a new control is added or an existing one is updated, the system flags the affected UCL controls and quantifies the tier impact — so CISOs know immediately whether a regulatory change moves them from Tier 3 to Tier 2 on a specific function.
