NIST CSF (including 2.0)
Voluntary framework for managing cybersecurity risk.
Overview
What it is, in plain English.
The NIST Cybersecurity Framework is the most widely adopted voluntary framework in the world — used by Fortune 500 companies, federal agencies, and critical infrastructure operators to organize and mature their security programs. CSF 2.0 (published February 2024) added the Govern function, making board and executive accountability a first-class concern. Lyra uses CSF as the connective tissue between technical controls and executive risk reporting.
NIST CSF (including 2.0) assessment, profile development, and roadmap — aligned to Identify, Protect, Detect, Respond, Recover, and Govern functions.
Who needs it
Built for organizations that have to get this right.
Companies that want a flexible, risk-based program (not a checklist)
Boards and executives looking for a credible risk reporting framework
Critical infrastructure operators (energy, water, transportation, financial)
Organizations harmonizing multiple frameworks (SOC 2, ISO, HIPAA) under one umbrella
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01 Current State Profile: We assess where you are today across all six CSF functions and 22 categories, scoring each on the four-tier maturity scale.
- 02 Target State Profile: Working with leadership, we define the right target maturity for each category — based on risk, regulatory, and business drivers.
- 03 Roadmap & Investment Plan: We build a multi-year roadmap with budgeted initiatives that close the gap between current and target state.
- 04 Operationalize & Report: We help you operationalize the program and produce executive-ready dashboards and board reporting.
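To make the four steps above concrete, here is an added example of how a current-state and target-state profile can be represented and turned into a prioritized roadmap. It is illustrative code written for this page, not Lyra's tooling: the category names are taken from the key-controls list on this page rather than the full 22-category catalogue, the 1..4 tier numbering follows the four-tier scale mentioned above, and the per-category risk weight is a hypothetical input that leadership would set in the target-state step.

```python
"""Added example (not Lyra's own tooling): a CSF 2.0 current-vs-target
profile gap analysis following the four-step approach described above.

Constructed assumptions:
- categories are identified by function code plus the category name used on
  this page; the full 22-category list is not reproduced
- maturity is scored 1..4 (the page's four-tier scale)
- 'weight' is a hypothetical business-risk weight agreed with leadership
"""
from dataclasses import dataclass

# Tier labels for the four-tier scale.
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class CategoryScore:
    function: str   # GV, ID, PR, DE, RS, RC
    category: str   # category name as used on this page
    current: int    # current-state tier, 1..4
    target: int     # target-state tier agreed with leadership, 1..4
    weight: int     # hypothetical risk weight, 1 (low) .. 3 (high)

    def __post_init__(self):
        # Reject scores outside the four-tier scale early.
        for tier in (self.current, self.target):
            if tier not in TIER_NAMES:
                raise ValueError(f"tier must be 1..4, got {tier}")

    @property
    def gap(self) -> int:
        # Tier steps still to climb; categories already at target contribute 0.
        return max(self.target - self.current, 0)

    @property
    def priority(self) -> int:
        # Larger gaps on riskier categories come first in the roadmap.
        return self.gap * self.weight


# Constructed sample profile (a subset of categories, not a real client).
PROFILE = [
    CategoryScore("GV", "risk strategy", 1, 3, 3),
    CategoryScore("GV", "oversight", 2, 3, 2),
    CategoryScore("ID", "asset management", 2, 3, 3),
    CategoryScore("ID", "supply chain risk", 1, 3, 2),
    CategoryScore("PR", "identity and access", 3, 4, 3),
    CategoryScore("PR", "awareness", 3, 3, 1),
    CategoryScore("DE", "continuous monitoring", 2, 4, 3),
    CategoryScore("RS", "incident management", 2, 3, 2),
    CategoryScore("RC", "recovery plan execution", 1, 3, 2),
]


def function_summary(profile):
    """Average current and target tier per function, as an executive dashboard would show."""
    by_fn = {}
    for score in profile:
        by_fn.setdefault(score.function, []).append(score)
    return {
        fn: {
            "current": round(sum(s.current for s in scores) / len(scores), 2),
            "target": round(sum(s.target for s in scores) / len(scores), 2),
            "open_gaps": sum(1 for s in scores if s.gap > 0),
        }
        for fn, scores in by_fn.items()
    }


def roadmap(profile, max_tier_steps_per_year=1):
    """Prioritized initiatives, highest gap*weight first.

    Each initiative closes one tier step. With the default of one step per
    category per year, a category needing two steps spans two years.
    """
    items = []
    ordered = sorted(profile, key=lambda s: (-s.priority, s.function, s.category))
    for score in ordered:
        for step in range(score.gap):
            items.append({
                "year": step // max_tier_steps_per_year + 1,
                "function": score.function,
                "category": score.category,
                "from_tier": TIER_NAMES[score.current + step],
                "to_tier": TIER_NAMES[score.current + step + 1],
                "priority": score.priority,
            })
    return items


if __name__ == "__main__":
    for fn, s in function_summary(PROFILE).items():
        print(f"{fn}: current {s['current']}, target {s['target']}, open gaps {s['open_gaps']}")
    for item in roadmap(PROFILE):
        print(f"Year {item['year']}: {item['function']} / {item['category']}: "
              f"{item['from_tier']} -> {item['to_tier']} (priority {item['priority']})")
```

The function-level averages are what a board dashboard typically shows, while the per-step roadmap is what the investment plan is built from; keeping both derived from the same profile data is what lets the reporting and the work stay in sync.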
Key controls
What's actually in scope.
Govern (GV) — organizational context, risk strategy, roles, policy, oversight
Identify (ID) — asset management, risk assessment, supply chain risk
Protect (PR) — identity, access, data security, awareness, platform security
Detect (DE) — continuous monitoring, adverse event analysis
Respond (RS) — incident management, analysis, mitigation, communication
Recover (RC) — incident recovery plan execution and communication
Deliverables
What you walk away with.
Current and Target State CSF profiles
Maturity scoring across all 22 categories
Multi-year roadmap with prioritized initiatives and budget guidance
Executive-ready risk dashboard
Crosswalk to other frameworks you operate (SOC 2, ISO 27001, HIPAA, etc.)
Timeline
Typical assessment and roadmap: 6–10 weeks. Ongoing program operation is continuous.
Questions we hear
Straight answers to the real questions.
- What's new in CSF 2.0?
- The Govern function is the headline change — it elevates risk strategy, oversight, and roles to a peer of the original five functions. There is also expanded supply chain risk guidance and a new set of implementation examples.
- Is CSF a certification?
- No — CSF is voluntary and there is no certifying body. We use it as the management framework that organizes everything else (audited or not).
- Can CSF replace our other frameworks?
- It rarely replaces them, but it harmonizes them. CSF maps cleanly to ISO 27001, NIST 800-53, CIS Controls, and HIPAA — letting you do work once and report against many.
Other frameworks we support
- SOC 2 (Type 1 and Type 2): AICPA SOC 2
- ISO 27001: ISO/IEC 27001 ISMS
- CMMC: Cybersecurity Maturity Model Certification
- NIST 800-171: Protecting CUI in non-federal systems
- HIPAA / HITRUST: Healthcare privacy and security
- PCI DSS: Payment Card Industry Data Security Standard
24 / 7 Recovery
When the worst day hits, every minute matters.
Our breach team is standing by — call, email, or submit a request and we respond within minutes.