
Using NIST CSF 2.0 for Maturity Assessment in the Cye platform

Complete a maturity assessment in the Cye Exposure Management Platform using the updated NIST CSF 2.0 framework.


Overview

This article explains how to assess cybersecurity maturity in the Cye Exposure Management Platform using NIST CSF 2.0. You'll learn how to switch frameworks, understand scoring requirements, and take advantage of new features in CSF 2.0.

To follow along, you'll need administrator access if you plan to change the primary maturity framework.


Completing a Maturity Assessment with NIST CSF 2.0

  1. Check your current framework
    If you're new to the Cye platform or have migrated from NIST CSF 1.1, NIST CSF 2.0 will appear by default.


    If NIST CSF 2.0 isn't set as the primary framework, you’ll see a message indicating this.

  2. Set NIST CSF 2.0 as your primary framework (admin only)

    • Go to Settings > Maturity

    • Select NIST CSF 2.0 as the Primary Framework

    • The Cye platform will use the primary framework for risk dashboards, findings, assets, mitigation plans, and risk quantification

  3. Start your maturity assessment

    • Navigate to the Maturity tab

    • Confirm that NIST CSF 2.0 is active

    • Begin entering maturity scores across the six NIST functions: Identify, Protect, Detect, Respond, Recover, and Govern

    • A full organization maturity score requires at least four of the six functions to be scored

  4. Explore mapping and guidance

    • In the Standards tab, explore mappings between NIST CSF 2.0 and other standards like ISO27001:2022 and NIST CSF 1.1

    • Use the Findings page to filter by mapping information

    • On the Assets page, use the Unmapped framework filter to spot unmapped technology or process assets

  5. Review benchmarks and targets

    • Your maturity benchmark score is based on anonymized data from similar organizations using CSF 2.0

    • Targets must be defined separately for CSF 2.0 — setting a target in 1.1 does not apply to 2.0

    • The Cye platform uses benchmark data enriched with insights from hundreds of earlier assessments, including those done pre-CSF 2.0


Important notes

  • CSF 1.1 and CSF 2.0 are standalone frameworks in the Cye platform. Updates in one do not carry over to the other.

  • Only the primary framework is used in broader Cye platform calculations. The non-primary framework applies only within the maturity assessment screen.

  • Practical implementation examples for each subcategory are included in CSF 2.0 to help you evaluate real-world applicability.


NIST CSF 2.0: What's New

  • Govern Function Added: CSF 2.0 introduces a sixth function, Govern, to emphasize oversight and strategic risk management.

  • Broader Scope: CSF 2.0 applies to all organizations — not just critical infrastructure sectors.

  • Supply Chain Risk Guidance: Expanded subcategory guidance now covers complex, interconnected supply chains.

  • Implementation Examples: Practical reference points are now included per subcategory to guide success and planning.


Wrap-up / Next Steps

That’s how you complete a maturity assessment using NIST CSF 2.0 in the Cye platform. Feel free to explore the mappings, compare your maturity trends, or set distinct targets to better align with your organization’s needs.
