When a security company says it "aligns to NIST CSF 2.0," it can sound like compliance theater. It isn't. Strip the acronyms away and the framework is just a sensible way to organize the one question every owner is actually asking: am I covered, and where are the gaps?
NIST CSF 2.0 breaks that into six functions. Here's what each one means when you're running an actual business instead of a security operations center.
Govern
The newest function, and the one most small businesses skip. Govern is simply: who decides what risk you accept, and is it written down anywhere? You don't need a committee. You need a short, honest policy that says what data matters, who's responsible, and which vendors can touch it.
Identify
You can't protect what you don't know you have. Identify is the inventory step: the laptops, the cloud accounts, the one critical app the whole company runs on, the data that would actually hurt if it leaked. Most gaps we find live here, in the systems nobody remembered were still running.
Protect
The safeguards. Multi-factor authentication, least-privilege access, email filtering, patched systems, backups. Protect is where the day-to-day controls live, and it's where a small budget goes furthest. Most of the highest-impact controls are configuration, not new purchases.
Detect
If something gets through, how fast do you know? Detect is monitoring: endpoint detection, sign-in alerting, watching for the unusual. The difference between a contained incident and a catastrophe is usually measured in how long the attacker went unnoticed.
Respond
When the alert fires, what happens next? Respond is having a plan that doesn't start with "panic": who to call, how to contain, how to communicate. A one-page incident plan that everyone has actually read beats a 40-page binder nobody opens.
Recover
Getting back to normal. Recover is your backups (tested, not just running), your restoration steps, and the lessons that feed back into the other five functions so the same gap doesn't reopen.
Where to start
You don't implement all six at once. We start with Identify and Protect, because that's where the largest risk reduction per dollar lives, then layer in detection and response as the foundation gets solid. The framework gives us a shared map so you can see, in writing, exactly what's covered and what's next, instead of taking a vendor's word for it.
If you want to see where your business actually stands against this map — in writing, not as a guess — that's exactly what an assessment is for.