NIST CSF 2.0 · 24 ROWS · 5×5 SCORING

NIST CSF 2.0 Risk Register — 24 Risks Across All 6 Functions

NIST CSF 2.0 added Govern (GV) as the 6th function, recognising that cybersecurity risk is enterprise risk. This 24-row register exercises all six functions (Govern, Identify, Protect, Detect, Respond, Recover) and references the specific category that each risk maps to. Use as a Tier 2/3 implementation example or NIST 800-30 risk-assessment input.

24 risks identified · 13 critical inherent · 0 critical residual (critical = score of 15 or more on the 5×5 grid) · Framework: NIST CSF 2.0
Who this is for
  • Federal contractors aligning with EO 14028 / OMB M-22-09
  • Critical infrastructure operators using CSF as voluntary baseline
  • Boards adopting CSF 2.0's Govern function as the entry point to enterprise cyber-risk oversight
Methodology

Scoring follows NIST SP 800-30: Likelihood (1–5) × Impact (1–5), giving a 1–25 score. Inherent is scored with no control in place; residual is scored after the listed control operates. CSF 2.0 makes risk appetite and risk tolerance an explicit outcome (GV.RM-02: tolerance statements are established, communicated and maintained), so every residual score must sit within the documented organisational tolerance, and any row that does not needs a recorded risk acceptance.

Govern (GV)

| ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | CSF 2.0 reference |
|---|---|---|---|---|---|---|---|---|
| R-01 | Risk-management strategy undefined | Cyber-risk not on board agenda | 4×4=16 | Quarterly board cybersecurity review; risk-tolerance statement signed by CEO. | 2×3=6 | Mitigate | CEO / Board | GV.RM |
| R-02 | Cybersecurity roles undefined | No CISO; security duties scattered | 3×4=12 | Documented org chart; CISO or equivalent designated; RACI to CSF categories. | 2×3=6 | Mitigate | CEO | GV.RR |
| R-03 | Policies stale / inconsistent | Last reviewed >12 months | 4×3=12 | Annual policy review with owner-tracked change requests; document-management system. | 2×2=4 | Mitigate | CISO | GV.PO |
| R-04 | Supply-chain risk ignored | No third-party programme | 4×5=20 | Tiered TPRM: SBOM for software, due-diligence questionnaire, contract clauses. | 2×4=8 | Mitigate | Vendor Mgmt | GV.SC |

Identify (ID)

| ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | CSF 2.0 reference |
|---|---|---|---|---|---|---|---|---|
| R-05 | Asset inventory missing | Unknown EC2 instances; shadow SaaS | 5×4=20 | CMDB + cloud discovery + SaaS discovery feeding a unified inventory; weekly sync. | 2×3=6 | Mitigate | IT | ID.AM |
| R-06 | Business-impact analysis stale | BIA last done years ago | 3×4=12 | Annual BIA; tier-rated services; RTO/RPO per tier. | 2×3=6 | Mitigate | BCM | GV.OC-04 / ID.AM-05 (ID.BE is a CSF 1.1 category; it does not exist in 2.0) |
| R-07 | Risk assessment not conducted | No formal risk assessment | 4×5=20 | Annual NIST 800-30 risk assessment; quarterly risk-register update. | 2×4=8 | Mitigate | CISO | ID.RA |
| R-08 | Improvements not driven by lessons | Post-incident reviews do not feed the roadmap | 3×3=9 | Lessons-learned tracker with owner and due date; reviewed at quarterly steering committee. | 2×2=4 | Mitigate | CISO | ID.IM |

Protect (PR)

| ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | CSF 2.0 reference |
|---|---|---|---|---|---|---|---|---|
| R-09 | Identity-management weakness | Shared accounts; no MFA | 5×5=25 | Unique IDs; FIDO2 MFA; SSO; least privilege; quarterly access reviews. | 2×4=8 | Mitigate | IT | PR.AA |
| R-10 | Awareness and training gap | Annual training only; no role-based content | 4×3=12 | Pre-access mandatory training; role-based content for engineers, finance, executives. | 2×2=4 | Mitigate | HR + Security | PR.AT |
| R-11 | Data-security gap | Backups in clear text | 3×5=15 | AES-256 at rest; TLS 1.2+ in transit; KMS-managed keys; encrypted backups. | 1×4=4 | Mitigate | SRE | PR.DS |
| R-12 | Platform-security gap | Unhardened production hosts | 4×4=16 | Hardening baseline (CIS); auto-remediation; image-build pipeline with CIS scan. | 2×3=6 | Mitigate | SRE | PR.PS |
| R-13 | Technology-infrastructure resilience gap | Single-AZ deployment | 3×5=15 | Multi-AZ minimum; multi-region for tier-1; chaos testing. | 2×4=8 | Mitigate | SRE | PR.IR |

Detect (DE)

| ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | CSF 2.0 reference |
|---|---|---|---|---|---|---|---|---|
| R-14 | Anomaly detection missing | No SIEM; logs not centralised | 4×5=20 | Centralised SIEM; UEBA; alerting on high-risk patterns; 24/7 SOC. | 2×4=8 | Mitigate | SecOps | DE.AE |
| R-15 | Continuous-monitoring gap | Cloud configuration not monitored | 4×4=16 | CSPM (e.g., Wiz, Prowler); critical-finding alerting; remediation SLA. | 2×3=6 | Mitigate | SecOps | DE.CM |

Respond (RS)

| ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | CSF 2.0 reference |
|---|---|---|---|---|---|---|---|---|
| R-16 | Response plan untested | Plan exists but no tabletop | 4×5=20 | Annual tabletop covering top-3 scenarios; documented after-action report. | 2×4=8 | Mitigate | CISO | RS.MA / ID.IM-02 (exercises) |
| R-17 | Analysis weakness during incident | No defined triage roles | 3×4=12 | Documented severity matrix; incident-commander rotation; on-call rota. | 2×3=6 | Mitigate | SecOps | RS.AN |
| R-18 | Incident-communication gap | Customers learn of breach via media | 3×4=12 | Communications plan with customer / regulator / media playbooks; pre-approved templates. | 2×3=6 | Mitigate | Comms / Legal | RS.CO |
| R-19 | Incident-mitigation failure | Containment delayed >24h | 3×5=15 | Pre-approved isolation playbooks; emergency-change process; SOC authority to isolate. | 2×4=8 | Mitigate | SecOps | RS.MI |

Recover (RC)

| ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | CSF 2.0 reference |
|---|---|---|---|---|---|---|---|---|
| R-20 | Recovery plan untested | DR plan exists; never restored | 3×5=15 | Quarterly test-restore (data) + annual full-DR drill; documented RPO/RTO. | 1×4=4 | Mitigate | SRE | RC.RP |
| R-21 | Recovery-communication gap | Customers / regulators receive inconsistent post-incident updates | 2×3=6 | Recovery-comms playbook; designated spokesperson; status-page integration. | 1×2=2 | Mitigate | Comms | RC.CO |

Govern (GV), continued

| ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | CSF 2.0 reference |
|---|---|---|---|---|---|---|---|---|
| R-22 | Audit trail of governance decisions missing | Risk acceptances not documented | 3×3=9 | Risk-acceptance form requiring named approver, justification, expiry/review date. | 1×2=2 | Mitigate | GRC | GV.OV / ID.RA-06 (risk responses tracked) |

Identify (ID), continued

| ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | CSF 2.0 reference |
|---|---|---|---|---|---|---|---|---|
| R-23 | Improvements not measured | No security metrics | 3×3=9 | Metric set (MFA coverage %, patch-SLA %, time-to-detect, time-to-respond) on a dashboard. | 1×2=2 | Mitigate | CISO | ID.IM-01 / GV.OV-03 (ID.IM-04 covers plan maintenance, not metrics) |

Protect (PR), continued

| ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | CSF 2.0 reference |
|---|---|---|---|---|---|---|---|---|
| R-24 | Insider threat unmonitored | No UEBA; high-trust roles unmonitored | 3×4=12 | UEBA on privileged accounts; data-exfiltration DLP; periodic insider-risk review. | 2×3=6 | Mitigate | SecOps | DE.CM-03 (personnel activity monitored) / PR.AA-05 (privilege scoping) |
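The scoring rule in the Methodology section (Likelihood × Impact, critical at a score of 15 or more, every residual inside the GV.RM-02 tolerance) is easy to check mechanically once the register is in CSV form. The Python below is an added example, not part of this register or of any ComplianceIQ tooling: it parses score cells such as `4×4=16`, rejects rows whose stated product does not match the two factors, bands each score, and flags any residual above an assumed tolerance of 8 (the highest residual on this page). The sample rows are constructed from the register above plus one deliberately inconsistent row; the tolerance value and the reduced column set are assumptions.

```python
"""Validate a CSF 2.0 risk register scored on a 5x5 likelihood x impact grid.

Added example (not the register's own tooling). Checks that each row's
stated product matches likelihood x impact, bands the scores, and flags
residuals above the documented risk tolerance (CSF 2.0 GV.RM-02).
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample: five rows copied from the register plus one bad row
# (R-99) whose stated inherent score does not equal 3 x 4.
SAMPLE_CSV = """\
ID,Threat,Inherent,Residual,Owner,Reference
R-01,Risk-management strategy undefined,4×4=16,2×3=6,CEO / Board,GV.RM
R-04,Supply-chain risk ignored,4×5=20,2×4=8,Vendor Mgmt,GV.SC
R-09,Identity-management weakness,5×5=25,2×4=8,IT,PR.AA
R-11,Data-security gap,3×5=15,1×4=4,SRE,PR.DS
R-21,Recovery-communication gap,2×3=6,1×2=2,Comms,RC.CO
R-99,Constructed bad row,3×4=15,2×3=6,GRC,GV.OV
"""

# Accepts both the ASCII 'x' and the typographic '×' used on the page.
SCORE_RE = re.compile(r"^\s*([1-5])\s*[x×]\s*([1-5])\s*=\s*(\d+)\s*$")

# Bands on the 25-point grid. The page's summary (13 critical inherent,
# 0 critical residual) is only consistent with critical meaning >= 15.
BANDS = ((15, "critical"), (10, "high"), (5, "medium"), (1, "low"))

# Assumed organisational tolerance: no residual score above 8.
RESIDUAL_TOLERANCE = 8


@dataclass
class Score:
    likelihood: int
    impact: int
    stated: int

    @property
    def product(self) -> int:
        return self.likelihood * self.impact

    @property
    def consistent(self) -> bool:
        return self.product == self.stated


def parse_score(cell: str) -> Score:
    """Parse '4×4=16' into a Score; raise ValueError on anything off-grid."""
    m = SCORE_RE.match(cell)
    if not m:
        raise ValueError(f"unparseable score cell: {cell!r}")
    return Score(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def band(score: int) -> str:
    """Map a 1-25 score to its band name."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    raise ValueError(f"score out of range: {score}")


def validate_register(csv_text: str, tolerance: int = RESIDUAL_TOLERANCE) -> dict:
    """Return summary counts and a list of findings for rows failing a check."""
    findings = []
    critical_inherent = critical_residual = 0
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        inherent = parse_score(row["Inherent"])
        residual = parse_score(row["Residual"])
        # Arithmetic check: the stated product must equal L x I.
        for label, s in (("inherent", inherent), ("residual", residual)):
            if not s.consistent:
                findings.append(
                    f"{row['ID']}: {label} stated {s.stated} but "
                    f"{s.likelihood}x{s.impact}={s.product}")
        # A control cannot make the risk worse than it was without it.
        if residual.product > inherent.product:
            findings.append(f"{row['ID']}: residual exceeds inherent")
        # GV.RM-02: residual must sit within the documented tolerance.
        if residual.product > tolerance:
            findings.append(
                f"{row['ID']}: residual {residual.product} above tolerance {tolerance}")
        if band(inherent.product) == "critical":
            critical_inherent += 1
        if band(residual.product) == "critical":
            critical_residual += 1
    return {"rows": len(rows), "critical_inherent": critical_inherent,
            "critical_residual": critical_residual, "findings": findings}


if __name__ == "__main__":
    result = validate_register(SAMPLE_CSV)
    print(f"{result['rows']} rows, {result['critical_inherent']} critical inherent, "
          f"{result['critical_residual']} critical residual")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against the full 24-row CSV the counts should reproduce the page's headline figures (13 critical inherent, 0 critical residual) with no findings; on the constructed sample the only finding is R-99's mismatched product. Lowering `tolerance` to match a stricter GV.RM-02 statement immediately surfaces which rows would need a formal risk acceptance.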


FAQ

Is CSF 2.0 mandatory for federal contractors?

CSF is voluntary for the private sector. Federal agencies have been directed to use it since EO 13800 (2017), and EO 14028 (2021) pushes NIST-derived requirements into federal acquisition, most visibly the secure-software-development attestations that followed it. Regulators such as the FTC (Safeguards Rule) and NYDFS (23 NYCRR 500) do not mandate CSF but accept alignment with NIST guidance as evidence of a reasonable programme, so for federal contractors CSF alignment is in practice expected rather than strictly required.

How does CSF map to NIST 800-53?

CSF describes outcomes; SP 800-53 provides the controls that achieve them. CSF 2.0's Informative References map each subcategory to 800-53 Rev. 5 controls (the Implementation Examples are separate, notional actions, not control references). For FedRAMP or FISMA authorisation, assess against 800-53 directly and use CSF only as the reporting layer.

What's the difference between Govern and Identify?

Govern (GV) covers organisational context, risk-management strategy, roles and responsibilities, policy, oversight and supply-chain risk management. Identify (ID) covers asset management, risk assessment and improvement. GV is new in 2.0 and exists to tie cybersecurity risk into enterprise risk management rather than treating it as an IT concern.

Tier 1 vs Tier 4?

Tier 1 (Partial) = ad hoc, reactive; Tier 2 (Risk Informed); Tier 3 (Repeatable); Tier 4 (Adaptive) = continuous, integrated with enterprise risk management. CSF 2.0 states that Tiers are not maturity levels: pick the Tier that matches your threat environment, regulatory obligations and resources, and document why.

