NIST CSF 2.0: Building a Quantified Cyber Risk Assessment
by Noxmon-CyberRisk-Team, Cyber Risk Assessment Team
The NIST Cybersecurity Framework (CSF) has long been the most widely adopted voluntary, sector-agnostic framework for managing cybersecurity risk. With the release of CSF 2.0 in 2024, NIST expanded the framework's scope and reoriented it around governance — a change that has meaningful implications for how organizations assess and communicate cyber risk. At NOXMON, we use CSF 2.0 not as a checklist, but as the backbone of a quantified cyber risk assessment that translates security posture into financial exposure executives can act on.
What Changed in CSF 2.0
The headline change in CSF 2.0 is the addition of a sixth core function. Where CSF 1.1 organized cybersecurity activities around five functions, CSF 2.0 introduces GOVERN as a new, central function that frames the other five.
The six functions of CSF 2.0 are:
- GOVERN: Establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy. This is the new function in 2.0 and sits at the center of the framework, informing how the other five functions are implemented.
- IDENTIFY: Develops an understanding of assets, suppliers, and the related cybersecurity risks to systems, people, and data.
- PROTECT: Implements safeguards to manage and reduce cybersecurity risks to assets and services.
- DETECT: Finds and analyzes possible cybersecurity attacks and compromises.
- RESPOND: Takes action regarding a detected cybersecurity incident.
- RECOVER: Restores assets and operations affected by a cybersecurity incident.
The elevation of GOVERN reflects a broader reality: cybersecurity is an enterprise risk management problem, not just a technical one. Boards and executives are now explicitly accountable for setting risk appetite, defining roles and responsibilities, and overseeing the cybersecurity program. CSF 2.0 also broadened its intended audience beyond critical infrastructure to organizations of all sizes and sectors, and it strengthened guidance on cybersecurity supply chain risk management.
Tiers and Profiles
Two concepts make CSF 2.0 useful for measuring progress: Tiers and Profiles.
Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. They range from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive). Tiers are not maturity grades to be maximized at any cost — they help an organization understand whether its practices are rigorous enough for the risks it faces.
Profiles describe the organization's current and desired cybersecurity posture by selecting and prioritizing the framework's outcomes. A Current Profile captures what the organization is achieving today; a Target Profile captures what it needs to achieve given its mission, risk appetite, and threat environment. The distance between the two — the gap — is exactly what a meaningful assessment should measure and prioritize.
How NOXMON Runs a CSF 2.0 Assessment
Our assessment methodology turns the framework into a disciplined, repeatable engagement:
Step 1: Scope and Govern
We begin with the GOVERN function. We work with leadership to document the organization's mission, risk appetite, regulatory obligations, and the roles responsible for cybersecurity decisions. This establishes the criteria against which the rest of the assessment is judged and ensures the Target Profile reflects genuine business priorities rather than generic best practice.
Step 2: Establish the Current Profile
We gather evidence across all six functions — interviewing stakeholders, reviewing documentation, and examining technical configurations — to build an accurate Current Profile. Rather than relying on self-attestation, we validate claims against artifacts so the baseline is defensible.
Step 3: Define the Target Profile
Working from the organization's risk appetite and external requirements, we define a Target Profile that is appropriate, not aspirational for its own sake. For a mid-market manufacturer, the target for some outcomes may be deliberately modest; for others — such as those protecting safety-critical operations — it will be demanding.
Step 4: Quantify the Gap
This is where most assessments stop and ours continues. We feed the gap between Current and Target Profiles into RISKMON, NOXMON's proprietary cyber risk quantification platform. Using FAIR-based modeling, RISKMON expresses each gap not as a red, amber, or green dot, but as financial exposure in dollar terms — the probable loss associated with the weakness and the loss reduction expected from closing it.
Quantifying the gap changes the conversation. Instead of debating whether a control is "important," leadership can compare the expected annual loss tied to a deficiency against the cost of remediation and decide where the next dollar of security investment produces the greatest reduction in risk.
Step 5: Prioritize and Monitor
RISKMON converts the quantified gaps into a prioritized remediation roadmap, tracks findings and POA&M items to closure, and continues monitoring controls 24x7. A CSF 2.0 assessment is therefore not a point-in-time snapshot that ages out — it becomes a living view of risk, with executive and board dashboards that show how financial exposure trends as remediation progresses. NOXMON itself uses RISKMON to monitor its own clients.
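A simplified FAIR-style calculation of the kind Steps 4 and 5 describe, added here as an illustration (a constructed example, not RISKMON's model or NOXMON's code): each gap carries three-point estimates of loss event frequency and loss magnitude at the Current and Target Profiles, collapsed to PERT means, and gaps are ranked by expected annual loss reduction per remediation dollar. The outcome labels, estimates, and costs are constructed.

```python
from dataclasses import dataclass

# Simplified FAIR-style gap quantification for a CSF 2.0 assessment (illustrative, not RISKMON's model).
# Annualized loss expectancy (ALE) = loss event frequency (LEF) x loss magnitude (LM).
# Each uncertain input is a three-point (min, most likely, max) estimate collapsed to its PERT mean.

def pert_mean(lo: float, ml: float, hi: float) -> float:
    """Expected value of a three-point estimate under the PERT weighting."""
    if not lo <= ml <= hi:
        raise ValueError("estimate must satisfy min <= most likely <= max")
    return (lo + 4 * ml + hi) / 6

@dataclass(frozen=True)
class Estimate:
    lef: tuple  # loss events per year, (min, most likely, max)
    lm: tuple   # dollars lost per event, (min, most likely, max)
    def ale(self) -> float:
        return pert_mean(*self.lef) * pert_mean(*self.lm)

@dataclass(frozen=True)
class Gap:
    function: str            # CSF 2.0 function the gap falls under
    outcome: str             # constructed outcome label
    current: Estimate        # exposure at the Current Profile
    target: Estimate         # exposure once the Target Profile is reached
    remediation_cost: float  # dollars to close the gap
    def annual_risk_reduction(self) -> float:
        return self.current.ale() - self.target.ale()
    def reduction_per_dollar(self) -> float:
        return self.annual_risk_reduction() / self.remediation_cost

def prioritize(gaps: list) -> list:
    """Roadmap order: largest expected annual loss reduction per remediation dollar first."""
    return sorted(gaps, key=Gap.reduction_per_dollar, reverse=True)

def total_current_exposure(gaps: list) -> float:
    """Probable annual loss carried at the Current Profile across all gaps."""
    return sum(g.current.ale() for g in gaps)

# Constructed sample gaps from a Current-vs-Target Profile comparison (not real client data).
SAMPLE_GAPS = [
    Gap("DETECT", "continuous monitoring not in place",
        Estimate((0.5, 1.0, 3.0), (50_000, 200_000, 800_000)),
        Estimate((0.1, 0.25, 0.7), (50_000, 200_000, 800_000)), 150_000),
    Gap("RESPOND", "incident response plan never exercised",
        Estimate((0.25, 0.5, 1.5), (100_000, 400_000, 1_500_000)),
        Estimate((0.25, 0.5, 1.5), (50_000, 150_000, 600_000)), 60_000),
    Gap("PROTECT", "privileged access not reviewed quarterly",
        Estimate((0.1, 0.3, 0.6), (20_000, 60_000, 150_000)),
        Estimate((0.05, 0.1, 0.2), (20_000, 60_000, 150_000)), 40_000),
]
```

With these constructed inputs the DETECT and RESPOND gaps account for almost all of the current exposure, and RESPOND ranks first because a modest spend removes the most expected loss per dollar.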
Why Quantification Matters
A traditional CSF assessment produces a heat map. A quantified CSF 2.0 assessment produces a business case. When the board asks "how much risk are we carrying, and is it going down?", a qualitative scorecard cannot answer. By anchoring the assessment in financial terms, NOXMON gives leadership a defensible, repeatable measure of cyber risk that aligns directly with enterprise risk management and the GOVERN function CSF 2.0 now puts front and center.
Use Cases
Mid-Market Manufacturer Aligning the Board on Risk Appetite
A regional manufacturer with growing exposure to operational technology engaged NOXMON to establish its first formal CSF 2.0 program. The Current Profile revealed a Tier 1-to-2 posture with significant gaps in DETECT and RESPOND. Rather than presenting a list of technical findings, we used RISKMON to show the board that two unaddressed gaps accounted for the majority of the organization's probable annual loss. Leadership funded a focused remediation plan targeting those gaps first.
"For the first time, our board could see cyber risk in the same language they use for every other risk — dollars. The quantified gap analysis settled debates we'd been having for years and got our remediation budget approved in a single meeting."
— VP of IT, mid-market manufacturer
Multi-Site Services Firm Setting a Realistic Target Profile
A services organization with operations across several states had been told it needed to "do everything" in the framework. NOXMON's assessment defined a Target Profile calibrated to its actual risk appetite and regulatory obligations, then quantified the gap with RISKMON. The result was a smaller, sharper set of priorities and continuous monitoring that kept the Current Profile from drifting between annual reviews.
"We stopped chasing a perfect score and started managing real exposure. The continuous monitoring means our profile reflects reality every day, not just at audit time."
— Director of Information Security, multi-site services firm
Getting Started
NIST CSF 2.0 gives organizations a common language for cybersecurity, and its new GOVERN function rightly puts leadership accountability at the center. But a framework only delivers value when an assessment turns it into prioritized, measurable action. NOXMON's quantified approach — pairing a rigorous CSF 2.0 assessment with the financial modeling and continuous monitoring of RISKMON — closes the gap between knowing where you stand and knowing what to do about it.
To learn how a quantified CSF 2.0 assessment can clarify your risk posture and focus your investment, explore our NIST CSF 2.0 Assessment service.