antifragile/antifragile-consulting/reference/nist-csf-mapping.md
Tomas Kracmar 763da003d3 Initial commit: antifragile cybersecurity consulting blueprint
Complete repository of frameworks, playbooks, and assessment resources
for cybersecurity consultations focused on antifragile enterprise design.

Includes:
- Core philosophy and manifest (5 pillars)
- 12 modular engagement packages
- AI sovereignty and operations frameworks
- Zero-budget vulnerability discovery and hardening playbooks
- M365 E3 hardening and antifragile project plans
- Osquery sovereign discovery platform blueprint
- Perimeter scanning capability guide
- AI-assisted TVM blueprint for AI-powered adversaries
- Vertical specializations: banking, telco, power/utilities
- CIS Controls v8 and NIST CSF 2.0 mappings
- Risk registers and assessment templates
- C-suite conversation guide and business case templates
2026-05-09 16:53:22 +02:00
# NIST Cybersecurity Framework 2.0 Mapping
> *"The CSF is not a checklist. It is a language for talking about risk. We speak it fluently, but we never let it slow us down."*
This document maps the antifragile rapid modernisation approach to the NIST Cybersecurity Framework (CSF) 2.0 functions. It is designed for consultants who must bridge the gap between operational speed and regulatory or stakeholder expectations.
---
## The Six Functions
NIST CSF 2.0 organizes cybersecurity outcomes into six functions: **GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER**. The antifragile approach treats GOVERN as the missing keystone in most organizations and emphasizes continuous learning across all functions.
### GOVERN
**NIST Definition**: Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy.
**The Gap**: Most organizations have policies. Few have governance that is **alive**—updated by incidents, informed by stress, and capable of adaptation.
**Antifragile Expression**:
| Rapid Modernisation Phase | Action | Existing Tool Leverage |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Establish kill chain risk register | Spreadsheet or existing GRC tool |
| Hygiene (Days 0-30) | Define Tier 0 (T0) asset classification policy | Manual + existing asset management |
| Control (Days 30-60) | Integrate security into change management | Existing ITSM (ServiceNow, Jira, etc.) |
| Antifragility (Days 90-180) | Quarterly governance review tied to incident learning | Existing meeting cadence + decision log |
**Key Principle**: Governance is not a document. It is a **feedback loop** between risk, decision, action, and learning.
### IDENTIFY
**NIST Definition**: Understand the organization's current cybersecurity risks.
**The Gap**: Organizations often know their assets but not their **dependencies**. They know their vulnerabilities but not their **kill chain**.
**Antifragile Expression**:
| Rapid Modernisation Phase | Action | Existing Tool Leverage |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Asset inventory with dependency mapping | Existing AD, EDR, cloud IAM |
| Hygiene (Days 0-30) | External attack surface enumeration | Open-source tools + existing vulnerability scanner |
| Control (Days 30-60) | Vendor and supplier dependency mapping | Existing procurement + IAM data |
| Sovereignty (Days 60-90) | AI usage and data flow discovery | Proxy logs + interviews |
**Key Principle**: Identification is not about completeness. It is about **finding the shortest path to failure and illuminating it**.
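The "shortest path to failure" can be computed mechanically once the dependency map exists: model each asset as a node, each dependency as an edge, and breadth-first search from every internet-exposed asset to the nearest Tier 0 asset. The following is an added example, not code from the original document or the consulting blueprint; the inventory is constructed and the field names (`tier`, `exposed`, `depends_on`) are an assumed schema rather than anything exported by a particular CMDB or EDR.

```python
"""Dependency mapping with a kill-chain focus: the shortest path from an
internet-exposed asset to a Tier 0 asset.

Added example, not part of the original mapping document. The inventory is
constructed; the field names (tier, exposed, depends_on) are an assumed
schema, not one exported by any particular CMDB or EDR.
"""
from collections import deque

# Constructed inventory. An edge a -> b means a depends on b (web01 reads
# from sql01 and authenticates to ad-dc01). A host that depends on another
# usually holds a credential or a network path to it, so the edge is treated
# as a step an attacker can take once the dependent host is compromised.
INVENTORY = {
    "web01":    {"tier": 2, "exposed": True,  "depends_on": ["sql01", "ad-dc01"]},
    "vpn01":    {"tier": 1, "exposed": True,  "depends_on": ["ad-dc01"]},
    "wiki01":   {"tier": 2, "exposed": True,  "depends_on": []},
    "sql01":    {"tier": 1, "exposed": False, "depends_on": ["backup01", "nas-legacy"]},
    "backup01": {"tier": 0, "exposed": False, "depends_on": []},
    "ad-dc01":  {"tier": 0, "exposed": False, "depends_on": []},
}


def shortest_path_to_failure(inventory, start):
    """Breadth-first search from `start` to the nearest Tier 0 asset.

    Returns the path as a list of asset names ([start] if start is itself
    Tier 0), or None when no Tier 0 asset is reachable. BFS guarantees the
    first Tier 0 node dequeued is at minimum hop distance.
    """
    if start not in inventory:
        raise KeyError(f"unknown asset: {start}")
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if inventory[node]["tier"] == 0:
            return path
        for dep in inventory[node]["depends_on"]:
            # Dependencies missing from the inventory are skipped here and
            # reported separately by dangling_dependencies(); silently
            # treating them as safe would hide exactly the gap we care about.
            if dep in inventory and dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None


def exposed_paths(inventory):
    """Shortest Tier 0 path for every exposed asset, shortest first.

    Each entry is (hops, path). Hops == 0 means an exposed Tier 0 asset,
    which belongs at the top of any risk register.
    """
    results = []
    for name, meta in inventory.items():
        if not meta["exposed"]:
            continue
        path = shortest_path_to_failure(inventory, name)
        if path is not None:
            results.append((len(path) - 1, path))
    return sorted(results)


def dangling_dependencies(inventory):
    """Assets referenced as dependencies but absent from the inventory."""
    referenced = {d for meta in inventory.values() for d in meta["depends_on"]}
    return sorted(referenced - set(inventory))


if __name__ == "__main__":
    for hops, path in exposed_paths(INVENTORY):
        print(f"{hops} hop(s): {' -> '.join(path)}")
    print("not inventoried:", dangling_dependencies(INVENTORY))
```

The output is the first draft of the kill chain risk register: one-hop paths to a domain controller are the register's top rows, and every name returned by `dangling_dependencies` is an inventory gap to close before the map is trusted.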
### PROTECT
**NIST Definition**: Use safeguards to prevent or reduce cybersecurity risk.
**The Gap**: Protection is often equated with purchasing. We equate it with **configuration, reduction, and ownership**.
**Antifragile Expression**:
| Rapid Modernisation Phase | Action | Existing Tool Leverage |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Identity hardening: disable, rotate, enforce hygiene | Existing AD / IAM |
| Control (Days 30-60) | Attack surface reduction (ASR) rules, MFA, Conditional Access, privileged access workstations (PAWs) | Microsoft Defender / Entra ID (often already owned) |
| Control (Days 30-60) | Network segmentation and DNS security | Existing firewall and DNS infrastructure |
| Sovereignty (Days 60-90) | Local AI deployment with T0 controls | Existing server hardware or sovereign cloud |
| Antifragility (Days 90-180) | Chaos engineering and graceful degradation | Existing infrastructure + open-source tools |
**Key Principle**: The best protection is not a thicker wall. It is **reducing the attack surface that the wall must defend**.
### DETECT
**NIST Definition**: Find and analyze possible cybersecurity attacks and compromises.
**The Gap**: Detection is often about alert volume. We focus on **signal quality** and the speed of conversion from anomaly to understanding.
**Antifragile Expression**:
| Rapid Modernisation Phase | Action | Existing Tool Leverage |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Centralized logging for critical systems | Existing SIEM or syslog infrastructure |
| Control (Days 30-60) | EDR behavioural detection tuning | Existing EDR |
| Control (Days 30-60) | Network anomaly detection at boundaries | Existing IDS/IPS or Zeek/Suricata |
| Antifragility (Days 90-180) | AI-assisted log analysis and threat hunting | Local AI pilot on proprietary data |
**Key Principle**: Detection is not about seeing everything. It is about **seeing the thing that matters before it becomes the thing that kills you**.
### RESPOND
**NIST Definition**: Take action regarding a detected cybersecurity incident.
**The Gap**: Response is often reactive and manual. We build **pre-positioned capability** that activates faster than human coordination.
**Antifragile Expression**:
| Rapid Modernisation Phase | Action | Existing Tool Leverage |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | IR contact matrix and escalation paths | Existing communication tools |
| Control (Days 30-60) | Automated containment for high-confidence alerts on non-T0 assets; human approval for everything else | Existing SOAR or scripted playbooks |
| Sovereignty (Days 60-90) | AI-specific incident response runbooks | Existing IR framework + local knowledge |
| Antifragility (Days 90-180) | Red team validation of response speed | Internal or external red team |
**Key Principle**: Response is not about heroics. It is about **driving the mean time from detection to containment toward zero**.
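"Automated containment with human oversight" only stays safe if the automation carries its own guardrails: a confidence floor, an exclusion for Tier 0 assets whose isolation is itself an outage, and a circuit breaker so that a misfiring rule (or an adversary deliberately triggering it) cannot isolate the whole estate. The following is an added example of such a gate, not code from the original document or the blueprint; the alert fields, the 0.90 threshold, the five-per-hour limit and the constructed alert stream are all illustrative assumptions to be tuned against the organisation's own alert history.

```python
"""Containment gate for a SOAR playbook or scripted responder.

Added example, not from the original document. Alert fields, the
confidence threshold, the hourly circuit-breaker limit and the Tier 0
exclusion are assumed values chosen for illustration; tune them against
the organisation's own alert history.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    alert_id: str
    host: str
    confidence: float      # detection confidence 0.0..1.0 as emitted by EDR/SIEM
    asset_tier: int        # 0 = Tier 0 (identity, backup); 1, 2 = less critical
    detected_at: datetime


@dataclass
class ContainmentGate:
    """Decides whether an alert is auto-contained or escalated to a human."""
    min_confidence: float = 0.90
    max_auto_per_hour: int = 5                 # circuit breaker
    never_auto_isolate_tiers: frozenset = frozenset({0})
    audit: list = field(default_factory=list)  # every decision, for the governance loop
    _recent: list = field(default_factory=list)

    def decide(self, alert: Alert) -> str:
        """Return 'auto_contain' or 'escalate' and append an audit record."""
        # Forget auto-containments older than one hour.
        cutoff = alert.detected_at - timedelta(hours=1)
        self._recent = [t for t in self._recent if t > cutoff]

        if alert.asset_tier in self.never_auto_isolate_tiers:
            # Isolating a domain controller or backup server on a false
            # positive is itself an outage; a human approves those.
            decision, reason = "escalate", "Tier 0 asset: human approval required"
        elif alert.confidence < self.min_confidence:
            decision, reason = "escalate", (
                f"confidence {alert.confidence:.2f} below threshold {self.min_confidence:.2f}")
        elif len(self._recent) >= self.max_auto_per_hour:
            # A misfiring rule (or an adversary deliberately triggering it)
            # must not be able to isolate the whole estate.
            decision, reason = "escalate", "circuit breaker: hourly auto-containment limit reached"
        else:
            decision, reason = "auto_contain", "high-confidence alert on non-Tier 0 asset"
            self._recent.append(alert.detected_at)

        self.audit.append({
            "alert_id": alert.alert_id,
            "host": alert.host,
            "decision": decision,
            "reason": reason,
            "detected_at": alert.detected_at.isoformat(),
        })
        return decision


def run_demo():
    """Constructed alert stream exercising each guardrail; returns decisions."""
    gate = ContainmentGate()
    t0 = datetime(2026, 5, 9, 14, 0, 0)
    alerts = [
        Alert("a1", "ad-dc01", 0.99, 0, t0),                        # Tier 0 -> escalate
        Alert("a2", "ws-042", 0.70, 2, t0 + timedelta(minutes=1)),  # low confidence -> escalate
    ]
    # Six high-confidence workstation alerts inside one hour: five are
    # auto-contained, the sixth trips the circuit breaker.
    alerts += [Alert(f"b{i}", f"ws-{100 + i}", 0.97, 2, t0 + timedelta(minutes=2 + i))
               for i in range(6)]
    # One more an hour and a half later: the window has cleared.
    alerts.append(Alert("c1", "ws-200", 0.98, 2, t0 + timedelta(minutes=95)))
    decisions = [gate.decide(a) for a in alerts]
    return decisions, gate.audit


if __name__ == "__main__":
    for record in run_demo()[1]:
        print(record["alert_id"], record["decision"], "-", record["reason"])
```

The audit list is the governance artefact: every escalation reason is a data point for the quarterly review (too many circuit-breaker trips means the detection rule, not the threshold, needs work), and the timestamps are what the detection-to-containment metric is computed from.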
### RECOVER
**NIST Definition**: Restore assets and operations affected by cybersecurity incidents.
**The Gap**: Recovery is often theoretical. Backups exist but have never been tested. Runbooks exist but have never been executed.
**Antifragile Expression**:
| Rapid Modernisation Phase | Action | Existing Tool Leverage |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Backup coverage inventory and gap analysis | Existing backup solution |
| Sovereignty (Days 60-90) | Live recovery drill: one critical system | Existing backup solution |
| Antifragility (Days 90-180) | Quarterly recovery drills with automation | Existing backup + orchestration scripts |
| Antifragility (Days 90-180) | Chaos engineering: simulate infrastructure failure | Existing infrastructure + open-source tools |
**Key Principle**: Recovery is not about having backups. It is about **knowing—provably—that you can rebuild faster than your adversary can destroy**.
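The Day 0-30 "backup coverage inventory and gap analysis" is a join: asset inventory against backup-job records against restore-test records, with any Tier 0 asset that lacks a fresh backup or an in-date restore test surfaced first. The following is an added example, not code from the original document or the blueprint; the inventory and backup records are constructed, and the per-tier RPO targets and 90-day restore-test age limit are assumed policy values, not figures from the source.

```python
"""Backup coverage inventory and gap analysis.

Added example, not from the original document. Joins a constructed asset
inventory to constructed backup-job and restore-test records; the tiers,
RPO targets and the 90-day restore-test age limit are assumed policy
values, not figures from the source.
"""
from datetime import date

# Constructed asset inventory: name -> tier.
ASSETS = {
    "ad-dc01": 0,
    "backup01": 0,
    "sql01": 1,
    "web01": 2,
    "wiki01": 2,
}

# Constructed backup records: last successful job and last restore test
# (None = never restored from this backup). An orphan job for a retired
# host is included deliberately; the backup server itself has no record.
BACKUPS = {
    "ad-dc01":  {"last_success": date(2026, 5, 8), "last_restore_test": date(2026, 1, 20)},
    "sql01":    {"last_success": date(2026, 4, 20), "last_restore_test": None},
    "web01":    {"last_success": date(2026, 5, 1), "last_restore_test": date(2026, 4, 15)},
    "wiki01":   {"last_success": date(2026, 5, 7), "last_restore_test": date(2026, 3, 1)},
    "old-fs01": {"last_success": date(2026, 5, 8), "last_restore_test": None},
}

# Assumed maximum backup age per tier (days) and restore-test validity.
RPO_DAYS = {0: 1, 1: 7, 2: 30}
RESTORE_TEST_MAX_AGE_DAYS = 90


def coverage_gaps(assets, backups, today, rpo_days=RPO_DAYS,
                  restore_max_age=RESTORE_TEST_MAX_AGE_DAYS):
    """Return (tier, asset, finding) tuples, Tier 0 first.

    Findings: no_backup, stale_backup (older than the tier's RPO),
    never_restore_tested, restore_test_expired.
    """
    gaps = []
    for name, tier in assets.items():
        rec = backups.get(name)
        if rec is None:
            gaps.append((tier, name, "no_backup"))
            continue
        if (today - rec["last_success"]).days > rpo_days[tier]:
            gaps.append((tier, name, "stale_backup"))
        tested = rec["last_restore_test"]
        if tested is None:
            gaps.append((tier, name, "never_restore_tested"))
        elif (today - tested).days > restore_max_age:
            gaps.append((tier, name, "restore_test_expired"))
    return sorted(gaps)


def orphan_backups(assets, backups):
    """Backup jobs for hosts no longer in the inventory: wasted capacity at
    best, unmonitored data copies at worst."""
    return sorted(set(backups) - set(assets))


def provable_coverage(assets, backups, today, tier=0):
    """Fraction of assets at `tier` with a fresh backup AND an in-date
    restore test: the number that answers 'can we rebuild?'."""
    members = [n for n, t in assets.items() if t == tier]
    if not members:
        return 1.0
    failing = {name for t, name, _ in coverage_gaps(assets, backups, today) if t == tier}
    return (len(members) - len(failing)) / len(members)


if __name__ == "__main__":
    today = date(2026, 5, 9)
    for tier, name, finding in coverage_gaps(ASSETS, BACKUPS, today):
        print(f"T{tier} {name}: {finding}")
    print("orphan jobs:", orphan_backups(ASSETS, BACKUPS))
    print("Tier 0 provable coverage:", provable_coverage(ASSETS, BACKUPS, today))
```

A backup that has never been restored counts as a gap on purpose: `provable_coverage` is the evidence figure for the phase gate, and it only moves when the Day 60-90 live recovery drill actually runs.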
---
## The Antifragile CSF Profile
A CSF Profile describes the organization's current and target state. The antifragile profile is distinctive:
| Function | Typical Organization | Antifragile Organization |
|----------|---------------------|-------------------------|
| **GOVERN** | Annual policy review | Continuous governance updated by every incident |
| **IDENTIFY** | Asset inventory updated quarterly | Real-time dependency mapping with kill chain focus |
| **PROTECT** | Layered defenses purchased annually | Reduced attack surface through ownership and decoupling |
| **DETECT** | SIEM with thousands of daily alerts | High-signal detection with AI-assisted analysis |
| **RESPOND** | Incident response plan in a binder | Automated containment with human oversight |
| **RECOVER** | Backups with annual test | Quarterly validated recovery with chaos engineering |
---
## Communicating to Auditors and Regulators
When auditors ask how the antifragile approach maps to "accepted frameworks":
> *"Our approach is fully aligned with NIST CSF 2.0. We emphasize GOVERN as the enabling function and integrate continuous learning across IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER. Our 180-day roadmap delivers measurable maturity improvement against every CSF function, with evidence produced at each phase gate."*
**Evidence Package per Phase**:
| Phase | Primary CSF Functions | Evidence Produced |
|-------|----------------------|-------------------|
| Hygiene (0-30 days) | GOVERN, IDENTIFY | Asset inventory, risk register, kill chain analysis |
| Control (30-60 days) | PROTECT, DETECT | Configuration baselines, detection rule effectiveness, MFA coverage |
| Sovereignty (60-90 days) | PROTECT, GOVERN, RECOVER | Local AI deployment evidence, vendor risk assessments, recovery drill results |
| Antifragility (90-180 days) | All six | Chaos experiment reports, structural fix metrics, maturity assessment |
---
## Crosswalk: NIST CSF ↔ CIS Controls ↔ Antifragile Actions
| NIST CSF Function | CIS Controls v8 | Antifragile Action |
|-------------------|-----------------|-------------------|
| GOVERN | Control 1, 2 (governance integration), 15 (supply chain risk sits under GV.SC in CSF 2.0) | Kill chain risk register, T0 classification, vendor risk assessment |
| IDENTIFY | Control 1, 2, 7 | Asset census, dependency mapping, shadow AI discovery |
| PROTECT | Control 4, 5, 6, 9, 10, 11, 12, 15 | ASR, MFA, PAWs, local AI, backup validation |
| DETECT | Control 8, 13 | Centralized logging, EDR tuning, network sensors |
| RESPOND | Control 17, 18 (red team validation) | Automated containment, IR runbooks, red team validation |
| RECOVER | Control 11, 18 | Recovery drills, chaos engineering, structural improvement |
---
*Previous: [CIS Controls Mapping](cis-controls-mapping.md)*