NIST CSF 2.0
CSF 2.0 is voluntary and non-prescriptive. No certification scheme exists against it. It is not the US federal contractor requirement, and it never was.
Most vendors will not tell you the difference, because the difference is the part they cannot sell you. This page is that difference.
CQI/IRCA ISO/IEC 27001:2022 Lead Auditor trained · IRCA Associate Auditor - ISMS · CQI Practitioner Member - PCQI
The problem
A US buyer sends a questionnaire that says "NIST". What comes back from the market is a quote for "NIST CSF certification" and a warning that federal contractors need it. Both of those are wrong, and they are wrong in a way that costs you a programme you did not need.
The framework your buyer named is voluntary. Nobody certifies against it. The obligation that actually binds a defense supplier is a different document entirely - DFARS 252.204-7012, pulling in NIST SP 800-171 - and it applies for reasons that have nothing to do with what any questionnaire asks. Confusing the two is not a small technical slip. It sends you to build the wrong thing.
So this hub leads with what CSF is not. Not because the framework is weak - it is the most downloaded technical publication NIST has ever put out, and CSF 2.0 is a genuine improvement on 1.1. But because what it is not is the part that decides what you should spend.
What CSF 2.0 is
Four things orient you, and they are the four that changed the conversation when 2.0 landed.
Published 26 February 2024
The NIST Cybersecurity Framework 2.0, NIST CSWP 29, DOI 10.6028/NIST.CSWP.29. It is the most downloaded NIST technical publication, past 3 million views and downloads. No CSF 2.1 or successor has been announced. 2.0 is current.
A sixth function: GOVERN
CSF 2.0 added GOVERN (GV) to the five functions people already knew: Identify, Protect, Detect, Respond, Recover. Governance stopped being an implied wrapper around the framework and became part of it.
Scope widened past critical infrastructure
CSF 1.1 was aimed at critical infrastructure. 2.0 widened the scope to organisations of all sizes and sectors. This is why your US buyer can ask you about it whether or not you run a power grid.
More weight on supply chain
CSF 2.0 increased its emphasis on cybersecurity supply-chain risk management. If you sell software into a US enterprise, this is the part of the framework their questionnaire is built from.
The first thing to know
No scheme. No accreditation body. No NIST-issued certificate. NIST runs no certification program against the Cybersecurity Framework, and CSF 2.0 is voluntary and non-prescriptive by design - it describes outcomes, not a bar you clear and get a document for.
There is still a market, and it is worth knowing its shape. Vendors sell CSF assessments. They sell alignment attestations. They sell individual training certificates, which are real qualifications for a person. None of these certifies your organisation against CSF, and none of them carries NIST endorsement. If what you have been quoted for is "CSF certification", the deliverable at the end is a vendor's opinion in a PDF. That may still be useful to you. It is not a certificate, and a buyer who checks will find that out.
The contrast is the point. ISO 27001 is certifiable, through accredited certification bodies, and it produces something a buyer can verify against a public directory. If what your buyer wants is assurance they can check rather than a conversation they can follow, that is the standard to be talking about - and it is the one your CSF answers should be built on top of.
One piece of precision, so you can use this against a vendor. NIST does not say "there is no certification" anywhere - do not go looking for that sentence, and be suspicious of anyone who quotes it. The accurate statement is the one you can check: CSF is voluntary and non-prescriptive, and no certification scheme exists against it.
The second thing to know
The question comes up constantly: do US federal contractors need NIST CSF? The answer is no. For defense work the binding chain runs DFARS 252.204-7012 to NIST SP 800-171, where you handle Controlled Unclassified Information, with CMMC as the assessment and certification overlay on top. CSF is not in that chain as the requirement.
This matters because a site telling you "US federal contractors need NIST CSF" is not just imprecise, it is pointing you at the wrong document. You would build against a voluntary framework while the clause in your contract references a different one. The first question is never which framework to adopt. It is whether you handle CUI under a federal or defense contract - because if you do not, none of the DFARS chain reaches you, and the whole thing collapses back into a buyer conversation you can have this week.
As of this month
The sequence, plainly. The CMMC 48 CFR final rule was published in the Federal Register on 10 September 2025 and took effect on 10 November 2025, and the phased rollout began. Then the Department of War suspended Phase II: a memo dated 10 July 2026, announced on 13 July 2026, signed by DoW CIO Kirsten Davies. Phase II was to take effect on 10 November 2026. The Phase III and IV milestones are halted as well. There is a 60-day review, a CMMC Reform Task Force, and RFI responses due 14 August 2026. Contracts and solicitations carrying CMMC Level 2 or Level 3 assessment requirements are to be amended to remove them.
Read the next paragraph before you cancel anything. This is the distinction most vendors will get wrong this month, in both directions.
DFARS 252.204-7012 and NIST SP 800-171 remain fully in effect. Nothing about the suspension touches them. CMMC Phase I self-assessment is unaffected too. What paused is the third-party certification and assessment layer, pending the review - and DoW has said it will enforce through self-assessments and government-led assessments using NIST standards in the meantime. False Claims Act exposure for misrepresented compliance does not go away either. If anything, a regime leaning harder on self-attestation is one where attesting to something you cannot evidence gets more dangerous, not less.
So the honest read: the certification appointment moved. The homework did not. If you were building toward 800-171 because a contract obligates you to, keep building - the assessment you were preparing for may now be your own signature on a self-assessment, which is a reason to be more careful about the evidence, not less. And if you were never in the DFARS chain to begin with, none of this was ever yours to worry about.
Certifiable, or not
Most comparison pages you will find get at least two of these rows wrong. Checked on 17 July 2026.
| Framework | Certifiable? | What it actually is |
|---|---|---|
| ISO 27001 | Yes | Accredited certification, through accreditation bodies and the certification bodies they accredit. A certificate exists, it names a scope, and a buyer can check it. |
| NIST CSF 2.0 | No | A voluntary, non-prescriptive framework. No certification scheme exists against it, no accreditation body, no NIST-issued certificate. NIST runs no certification program against CSF. |
| CMMC | Yes, but suspended | A genuine certification program - the only one in this table other than ISO 27001. The Department of War suspended Phase II on 10 July 2026, pending a 60-day review. |
| NIST SP 800-171 | No - contractual | Not a certification. A contractual obligation, pulled in by DFARS 252.204-7012 for Controlled Unclassified Information. Self-assessed or government-assessed today. Fully in effect. |
Want the one your buyer can actually verify? See ISO 27001 readiness - it is the only row here that produces a certificate you hold.
The mapping question
An ISO/IEC 27001:2022 to CSF v2.0 informative reference is published in the NIST OLIR catalog - reference 154, status Final, live in the CSF 2.0 Reference Tool. If you hold ISO 27001, that is genuinely good news, and it is the mechanism by which your existing evidence answers a CSF question.
Here is the part that gets dropped in the retelling. NIST's own page states that informative references are developed by NIST and non-NIST entities, that NIST does not conduct correctness testing on non-NIST submitted mappings, and that the listing for non-NIST mappings in the catalog does not imply NIST endorsement. NIST provides the program infrastructure and a 30-day public comment period. The submitter owns the content. So "NIST publishes an official crosswalk to ISO 27001" is a sentence you will read often and should never repeat.
One more property worth understanding before you lean on it: mappings are directional, and they are not one-to-one. A control that maps to an outcome is not the same as an outcome that is satisfied. Used honestly, the reference is a translation layer that saves you months. Used as proof of coverage, it is the first thing a careful buyer will pull apart.
Defensible phrasing, if you need to write this down. "A CSF 2.0 and ISO 27001:2022 informative reference is published in the NIST OLIR catalog." Cite the catalog, not an author - attribution for reference 154 is contested across sources, and the catalog entry is the thing anyone can check.
What Kellwick delivers
That is not a small thing - buyer questions are where deals stall. But it is a communication problem, not a compliance mandate. We map the evidence your ISMS already produces onto CSF outcomes so you can answer without running a second programme.
The translation: what your buyer is actually asking for
"Are you NIST CSF compliant?" is not a question with a yes. We work out what the person behind the questionnaire needs - an alignment summary, a control narrative, or a contractual position - and answer that instead of the words.
Your ISO 27001 evidence, mapped onto CSF outcomes
You already produce the evidence. We map it onto the six functions so you can answer a CSF questionnaire from the ISMS you run today, rather than standing up a second programme to satisfy a framework that certifies nobody.
An honest DFARS and 800-171 scoping call
Whether you touch Controlled Unclassified Information at all, and therefore whether DFARS 252.204-7012 and NIST SP 800-171 reach you. For most companies asked about "NIST" the answer is no, and that is worth establishing before you spend anything.
The GOVERN gap
GOVERN is what CSF 2.0 added, and it is where an ISMS built for the certificate tends to be thinnest: named accountability, risk appetite the board actually reviews, and supply-chain risk run as a programme.
A defensible reading of the ISO mapping
A CSF 2.0 and ISO 27001:2022 informative reference is published in the NIST OLIR catalog. We use it, and we tell you what it is and is not - because NIST does not correctness-test non-NIST submissions, and listing is not endorsement.
One programme, not two
CSF is a communication framework. It should cost you a mapping exercise and a conversation, not a parallel control set, a parallel evidence base and a parallel roadmap.
NIST self-check
Answer honestly. This is an indicative signal, not a formal gap analysis - but it will tell you quickly whether you have a buyer-communication problem or a contractual one. They are solved very differently, and only one of them is expensive.
Coming from the ISO side? Start with an ISO 27001 readiness assessment and answer CSF from the evidence it produces.
NIST questions, answered
No. There is no certification scheme against the NIST Cybersecurity Framework, no accreditation body behind one, and no NIST-issued certificate. NIST runs no certification program against CSF - the framework is voluntary and non-prescriptive by design. What does exist is a market: vendors sell CSF assessments, alignment attestations and individual training certificates. None of those certifies your organisation against CSF, and none carries NIST endorsement. If someone is quoting you for "NIST CSF certification", they are selling you something that does not exist. The contrast worth holding onto is ISO 27001, which genuinely is certifiable through accredited certification bodies. If your buyer wants a certificate they can check, that is the one to talk about.
Almost always: a structured, credible account of how you manage cybersecurity risk, in vocabulary they recognise. CSF is a communication framework - six functions (Govern, Identify, Protect, Detect, Respond, Recover) that give two organisations a shared way to talk about the same thing. It is not a mandate you can fail, and there is nothing for you to hold up at the end of it. So the productive move is to ask what they need it for. If it is vendor due diligence, your existing ISO 27001 evidence mapped onto the CSF functions answers them completely. If it is a contract term, read the term, because the framework named in a questionnaire and the obligation written into a contract are frequently not the same document.
No. This is the single most common error in the market, and it misdirects buyers. CSF is not the contractual hook. For defense work the binding chain is DFARS 252.204-7012, which pulls in NIST SP 800-171 where you handle Controlled Unclassified Information, with CMMC sitting on top as the assessment and certification overlay. CSF appears nowhere in that chain as the requirement. If a site tells you US federal contractors need NIST CSF, it is wrong, and you should treat the rest of its advice accordingly. The first question is not "how do we do CSF". It is whether you handle CUI under a federal or defense contract at all - because if you do not, none of this reaches you.
No, and this is the distinction most vendors will get wrong this month. What was suspended is the third-party certification and assessment layer, not the underlying obligation. The Department of War suspended CMMC Phase II in a memo dated 10 July 2026, announced 13 July 2026 and signed by DoW CIO Kirsten Davies. Phase II was to take effect on 10 November 2026; the Phase III and IV milestones are halted too. There is a 60-day review, a CMMC Reform Task Force, and RFI responses due 14 August 2026. Contracts and solicitations carrying CMMC Level 2 or Level 3 assessment requirements are to be amended to remove them. Now the part that matters: DFARS 252.204-7012 and NIST SP 800-171 remain fully in effect. CMMC Phase I self-assessment is unaffected. DoW has said it will enforce through self-assessments and government-led assessments using NIST standards. And False Claims Act exposure for misrepresenting your compliance does not go away - if anything, self-attestation is exactly where that exposure lives. The certification appointment moved. The obligation did not.
It covers most of the ground, and it gives you the evidence to answer for the rest - but read the mapping carefully. An ISO/IEC 27001:2022 to CSF v2.0 informative reference is published in the NIST OLIR catalog, reference 154, status Final, and it is live in the CSF 2.0 Reference Tool. That is real and useful. What it is not is an official NIST crosswalk. NIST's own page states that informative references are developed by NIST and non-NIST entities, that NIST does not conduct correctness testing on non-NIST submitted mappings, and that listing a non-NIST mapping in the catalog does not imply NIST endorsement. NIST provides the infrastructure and a 30-day public comment period; the submitter owns the content. Mappings are also directional and not one-to-one, so a mapped control is not a satisfied outcome. Used honestly, the reference lets you answer a CSF questionnaire from evidence you already hold. Used as proof of coverage, it will not survive a buyer who reads it.
When a US buyer asks. That is the honest answer, and it is a real answer - buyer questions are how deals stall. CSF matters as a shared vocabulary for describing your security posture to someone who thinks in those six functions, and GOVERN is a genuinely useful lens on whether cybersecurity risk has an owner at your board. What it is not is a compliance mandate. Nobody enforces it, nobody certifies against it, and no contract binds you to it by naming it. Treat it as a communication layer over the programme you already run, and it costs you a mapping exercise. Treat it as a second compliance programme, and you will spend a year producing something no one can check.
Scoped on a short call. It depends on whether you already run an ISO 27001 ISMS the mapping can reuse, whether CUI and the DFARS chain are genuinely in play for you, and whether this is one buyer's questionnaire or a pattern across your pipeline. Often the call itself settles the question, because the answer for most companies asked about "NIST" is smaller than they feared.
A CSF mapping built on the evidence your ISMS already produces, an honest answer on whether DFARS and 800-171 reach you at all, and the GOVERN gap named. One programme, not two. Scoped on a short call.
Certification is issued by accredited certification bodies; DORA supervision is performed by regulators. Kellwick prepares you for these processes; it does not perform them and cannot guarantee their outcome. No certification scheme exists against the NIST Cybersecurity Framework, and Kellwick does not offer or imply one. Kellwick provides advisory and management-system support, not legal advice.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.