The Six-Function Framework for Cybersecurity Solutions
NIST's Cybersecurity Framework 2.0, released February 2024, sorts every cybersecurity solution into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Think of it as the periodic table of security. If a vendor cannot clearly map their product to at least one of these functions, that is not innovation. That is confusion. The framework applies to organizations of any size, and CISA's Cross-Sector Cybersecurity Performance Goals 2.0 (December 2025) now maps directly to all six functions with prioritized, actionable benchmarks.
| CSF 2.0 Function | What It Does | Solution Categories | Key Metric |
|---|---|---|---|
| Govern (GV) | Risk strategy, policy, oversight | GRC platforms, risk quantification | Board reporting cadence |
| Identify (ID) | Map assets and risk exposure | Asset discovery, vulnerability management, threat intelligence | Asset inventory coverage |
| Protect (PR) | Prevent or limit incidents | Endpoint, network, IAM, email, DLP, zero trust | Mean time to patch |
| Detect (DE) | Real-time event discovery | SIEM, NDR, EDR, monitoring | Mean time to detect |
| Respond (RS) | Contain and mitigate | SOAR, incident response, forensics | Mean time to respond |
| Recover (RC) | Restore operations | Backup/DR, managed services | Recovery time objective |
"Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad."
Kevin Stine Chief, Applied Cybersecurity Division, NIST, as quoted in NIST News Release
The Govern function is the headline addition in CSF 2.0. Previous versions treated governance as a background assumption. Version 2.0 promotes it to a core function, recognizing that leadership accountability, supply chain risk management, and policy oversight are not optional layers on top of security. They are the foundation beneath it.
Where the $212 Billion Goes
Worldwide end-user spending on information security is projected to total $212 billion in 2025, per Gartner's August 2024 forecast, a 15.1% jump from 2024. Security software leads the surge at $106 billion. The twin growth engines: a persistent cybersecurity talent shortage pushing organizations toward managed services, and the scramble to secure generative AI adoption across the enterprise. Gartner Senior Research Principal Shailendra Upadhyay attributed the surge to "the continued heightened threat environment, cloud movement and talent crunch" pressing CISOs to increase security spend. For a hands-on look at the solutions absorbing that budget, browse 84+ cybersecurity solutions by category.
| Segment | 2024 | 2025 (Projected) |
|---|---|---|
| Security Software | $95 billion | $106 billion |
| Network Security | $21.3 billion | $23.3 billion |
| All Segments | $212 billion projected (15.1% YoY growth) |
The Three-Layer Evaluation Test
Mapping a solution to a CSF function is step one. Deciding whether it delivers requires three layers of scrutiny that separate signal from the sales deck.
Coverage depth. Does the solution address one CSF function deeply or spread thin across several? A SIEM claiming to Govern, Detect, and Respond may do none well. Request the NIST CSF 2.0 subcategory mapping, not just the function label.
Integration surface. Security tools that cannot share telemetry are expensive wallpaper. Evaluate API completeness, native integrations, and whether the vendor feeds data into your zero trust architecture rather than operating as an isolated console.
Validation method. CISA's CPG 2.0 rates each goal by cost, impact, and implementation ease. A solution covering a high-impact goal with low deployment friction is worth more than a feature-loaded platform requiring six months of professional services.
Implementation Tiers: Context, Not a Ladder
NIST CSF 2.0 defines four implementation tiers but explicitly states they are not a maturity model to climb sequentially. Organizations select the tier matching their risk appetite. A Tier 2 (Risk-Informed) shop that properly configured its tools may be better defended than a Tier 4 (Adaptive) organization that overspent on platforms nobody tuned.
Solution Categories Mapped to CSF Functions
| CSF Function | Category | What It Covers | Example Vendors |
|---|---|---|---|
| Govern | GRC / Risk Quantification | Policy management, compliance tracking, risk scoring | ServiceNow GRC, LogicGate |
| Identify | Vulnerability Management | Continuous scanning, prioritization, remediation tracking | Tenable, Rapid7, Qualys |
| Identify | Threat Intelligence | Threat feeds, adversary profiling, IOC enrichment | Recorded Future, ThreatQuotient |
| Protect | Endpoint Security | EPP, EDR, device control | CrowdStrike, Microsoft Defender, Trellix |
| Protect | Network Security | Firewalls, SASE, network segmentation | Palo Alto, Fortinet, Cisco |
| Protect | Identity and Access Management | SSO, MFA, privileged access, lifecycle governance | CyberArk, SailPoint, OneLogin |
| Protect | Email Security | Phishing defense, DMARC, encryption | Proofpoint, Mimecast, Valimail |
| Protect | Data Loss Prevention | Content inspection, policy enforcement, exfiltration prevention | Varonis, Forcepoint |
| Protect | Zero Trust | Microsegmentation, continuous verification, least privilege | Cloudflare, Callsign, Transmit |
| Detect | SIEM | Log aggregation, correlation, alerting | Splunk, IBM QRadar, Secureworks |
| Detect | Network Monitoring | Traffic analysis, anomaly detection, deep observability | Gigamon, Infoblox |
| Respond | Security Orchestration | Automated playbooks, cross-tool coordination | Palo Alto XSOAR, Splunk SOAR |
| Respond | Digital Forensics | Evidence collection, root cause analysis, chain of custody | Digital Defense |
| Recover | Managed Security Services | 24/7 SOC, MDR, co-managed operations | eSentire, Trustwave, Optiv |
CISA CPG 2.0 Priority Goals by Function
CISA's Cross-Sector Cybersecurity Performance Goals 2.0, released December 2025, provides a prioritized checklist of essential practices mapped to NIST CSF 2.0. Each goal includes cost, impact, and ease-of-implementation ratings to help resource-constrained organizations invest where it counts most.
| CSF Function | Priority Goal | Impact | Ease |
|---|---|---|---|
| Govern | Assign cybersecurity leadership accountability | High | Moderate |
| Govern | Assess and manage MSP/third-party risk | High | Moderate |
| Identify | Maintain asset inventory (updated monthly minimum) | High | Moderate |
| Protect | Deploy phishing-resistant MFA on all remote access | High | High |
| Protect | Enforce least-privilege access controls | High | Moderate |
| Detect | Collect and analyze security-relevant logs | High | Moderate |
| Respond | Maintain and exercise incident response plans annually | High | High |
| Respond | Codify incident reporting procedures for external entities | High | High |
| Recover | Test backup and recovery procedures regularly | High | Moderate |
Frequently Asked Questions
About Cybersecurity Solutions Frameworks
- NIST Cybersecurity Framework — Official CSF 2.0 documentation, profiles, and implementation guides
- CISA CPG 2.0 — Cross-Sector Cybersecurity Performance Goals with prioritized practices
- Gartner Security Spending Forecast — Global information security spending projections
The NIST Cybersecurity Framework is maintained by the National Institute of Standards and Technology, a non-regulatory agency of the U.S. Department of Commerce. CSF 2.0 is free, voluntary, and designed for organizations of all sizes and sectors.
Sources: NIST CSF 2.0 Release, CISA CPG 2.0, Gartner Information Security Spending Forecast, NIST CSF 2.0 Full Document (PDF)
