NIST CSF 2.0 is the global standard for aligning cybersecurity investments to business risk. ThreeShield delivers maturity assessments, remediation roadmaps, and continuous Lavawall® monitoring across all six CSF functions.
CSF 2.0 added Govern as a sixth function, recognizing that cybersecurity governance is foundational to all other functions.
Govern: Establish and monitor cybersecurity strategy, expectations, and policy. Board oversight, risk tolerance definition, and organizational context. New in CSF 2.0.
Identify: Understand assets, risks, and vulnerabilities. Asset management, risk assessment, supply chain risk, and business environment analysis.
Protect: Safeguards to prevent or limit cybersecurity impact. Access control, awareness training, data security, platform security, and technology resilience.
Detect: Identify cybersecurity events. Continuous monitoring, anomaly detection, and adverse event analysis.
Respond: Take action regarding a detected incident. Incident management, analysis, mitigation, and communication.
Recover: Restore capabilities after an incident. Incident recovery, communications, and restoration of services.
NIST CSF defines four tiers: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4). Most SMBs assess at Tier 1-2. Cyber insurers and enterprise clients increasingly expect Tier 2-3. ThreeShield's assessment includes explicit tier scoring per function with a roadmap to your target tier.
NIST CSF is voluntary in most contexts, but it's referenced by US federal agencies, Canadian government procurement requirements, and many enterprise client security questionnaires. It's also the most common governance framework for organizations that need to demonstrate security maturity without a specific regulatory obligation.
NIST CSF is a governance meta-framework that maps to specific frameworks. Lavawall® can show your CSF compliance alongside CIS Controls, HIPAA, SOC 2, and ISO 27001 simultaneously - because many controls are shared across frameworks.
NIST CSF is a US-originated framework but has global adoption. Canadian critical infrastructure operators increasingly reference it. For US-facing businesses, enterprise clients, or government contractors, NIST CSF alignment is often expected. It also maps well to Canadian frameworks like the CCS (Canadian Centre for Cyber Security) baseline controls.
ThreeShield delivers explicit tier scoring across all six CSF functions with a prioritized roadmap to your target maturity level. Lavawall® keeps your score current year-round.
DIY · Supported · Done-for-You · All engagement models available
Whether you have a strong internal team or need everything handled end-to-end, ThreeShield meets you where you are.
DIY: For lean IT teams and cost-conscious organizations with internal security capacity
Supported: For MSPs, IT teams with some security resources, and organizations that need expert guidance but retain internal capacity
Done-for-You: For organizations that want full compliance delivery without managing the process internally