Public Beta. Reference implementation only — not a compliance certification, attestation, or audit outcome.

Control template: NIST Cybersecurity Framework 2.0

Status: Public Beta · Version: nist-csf-2/v0.1.0-beta

A bundle of CALM control snippets covering the architecturally enforceable subset of the NIST Cybersecurity Framework 2.0 (NIST CSWP 29, February 2024). You copy these into your *.calm.json files on the nodes that are in scope for your firm's cybersecurity program.

Who NIST CSF applies to

CSF is voluntary but widely adopted by:
- US federal agencies (required for FCEB agencies under Executive Order 13800 and subsequent OMB guidance)
- US federal contractors (FAR / DFARS clauses more often cite NIST SP 800-171 directly, with CSF used as the organizing framework)
- Critical-infrastructure operators (energy, water, healthcare, finance)
- State + local governments adopting it as a baseline
- Enterprises using CSF as their primary cybersecurity framework (often instead of ISO 27001 in US-heavy markets)
- Smaller firms using CSF as a "common language" with auditors, insurers, and customers

CSF 2.0 (Feb 2024) replaced CSF 1.1 and added the new Govern (GV) function alongside the existing Identify / Protect / Detect / Respond / Recover.

What this template covers

CSF 2.0 has 6 Functions, each broken into Categories and Subcategories. The architecturally enforceable surface is concentrated in Protect (PR) and Detect (DE); Govern, Identify, Respond and Recover each contribute one or two controls.

| CSF 2.0 Function | Architectural surface | Control alias |
|---|---|---|
| GV — Govern | Cybersecurity supply chain risk management (GV.SC) | csf-supply-chain-risk |
| ID — Identify | Asset management / inventory (ID.AM) | csf-asset-inventory |
| ID — Identify | Risk assessment artifacts (ID.RA) | csf-risk-assessment |
| PR — Protect | Identity management + authentication (PR.AA) | csf-identity-and-auth |
| PR — Protect | Access control (RBAC, PR.AA-05) | csf-access-control |
| PR — Protect | Data security (encryption at rest + in transit, PR.DS) | csf-data-security |
| PR — Protect | Platform security baseline (PR.PS) | csf-platform-security |
| DE — Detect | Continuous monitoring (DE.CM) | csf-continuous-monitoring |
| DE — Detect | Adverse event analysis (DE.AE) | csf-anomaly-detection |
| RS — Respond | Incident response procedure (RS.MA, RS.AN, RS.CO) | csf-incident-response |
| RC — Recover | Recovery planning + RPO/RTO (RC.RP, RC.CO) | csf-recovery-planning |

11 architectural controls covering the most-tested CSF surfaces. Governance subcategories (organizational context, risk strategy, roles + responsibilities) live in your CSF program documentation, not your CALM.

The "CSF-in-scope" pattern

A node is CSF-in-scope if it participates in your firm's cybersecurity program. Most production-touching nodes qualify. Tag those nodes:

{
  "unique-id": "core-platform",
  "node-type": "service",
  "name": "Core Platform",
  "metadata": {
    "csf-in-scope": true,
    "csf-tier": "tier-3-repeatable",
    "data-classification": "internal"
  }
}

CSF Tier (1 Partial → 2 Risk Informed → 3 Repeatable → 4 Adaptive) characterizes the rigor of the cybersecurity risk governance and management practices the firm has selected for its target profile; it is a self-selected descriptor, not a maturity certification. This template's defaults assume Tier 2/3.


Control snippets

Copy each per-node block under the controls key of the node it applies to, and the per-relationship block under the controls key of the relationship. Graph-level blocks go on the architecture's top-level metadata, as shown in the snippets below.

GV — Supply chain risk (csf-supply-chain-risk)

Per-relationship. Attach to edges representing third-party / vendor dependencies.

"controls": {
  "csf-supply-chain-risk": {
    "description": "NIST CSF 2.0 GV.SC — third-party / supplier dependency identified, risk-assessed, and monitored.",
    "requirements": [
      {
        "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/supply-chain-risk",
        "config": {
          "control-id": "csf-supply-chain-risk",
          "supplier-name": "Acme Cloud Services",
          "supplier-tier": "critical",
          "risk-assessment-date": "2025-01-15",
          "risk-assessment-url": "https://internal.example.com/csf/supplier-risk/acme",
          "soc2-or-iso27001-attestation-reviewed": true,
          "contract-references-csf": true
        }
      }
    ]
  }
}

ID — Asset inventory (csf-asset-inventory)

Graph-level.

"metadata": {
  "controls": {
    "csf-asset-inventory": {
      "description": "NIST CSF 2.0 ID.AM — software platforms and applications within the organization are inventoried and authorized.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/asset-inventory",
          "config": {
            "control-id": "csf-asset-inventory",
            "inventory-source": "calm-graph-plus-cmdb",
            "review-frequency": "quarterly",
            "responsible-role": "asset-owner",
            "authorized-status-tracked": true
          }
        }
      ]
    }
  }
}

ID — Risk assessment (csf-risk-assessment)

Graph-level.

"metadata": {
  "controls": {
    "csf-risk-assessment": {
      "description": "NIST CSF 2.0 ID.RA — risk assessments performed for the organization's assets, threats, and vulnerabilities.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/risk-assessment",
          "config": {
            "control-id": "csf-risk-assessment",
            "assessment-document-url": "https://internal.example.com/csf/risk-assessment",
            "frequency": "annual-and-on-significant-change",
            "methodology": "nist-sp-800-30-or-iso-27005",
            "risk-register-url": "https://internal.example.com/csf/risk-register"
          }
        }
      ]
    }
  }
}

PR — Identity and authentication (csf-identity-and-auth)

Per-node. TOTP is phishable; where the node is reachable from the internet, prefer a phishing-resistant second factor (WebAuthn / FIDO2) over TOTP.

"csf-identity-and-auth": {
  "description": "NIST CSF 2.0 PR.AA — identities and credentials issued, managed, verified, revoked, and audited. Maps to SP 800-53 IA-2 + AC-2.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/identity-and-auth",
      "config": {
        "control-id": "csf-identity-and-auth",
        "identity-provider": "okta",
        "authentication-mechanism": "saml-sso-plus-mfa",
        "factor-count": 2,
        "factor-types": ["password", "totp-or-webauthn"],
        "jml-process-url": "https://internal.example.com/csf/jml"
      }
    }
  ]
}

PR — Access control (csf-access-control)

Per-node.

"csf-access-control": {
  "description": "NIST CSF 2.0 PR.AA-05 — access permissions, entitlements, and authorizations defined in a policy, managed, enforced, and reviewed.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/access-control",
      "config": {
        "control-id": "csf-access-control",
        "principle": "least-privilege",
        "allowed-roles": ["read-only", "operator", "admin"],
        "review-frequency": "quarterly",
        "privileged-access-jit-or-pam": true
      }
    }
  ]
}

PR — Data security (csf-data-security)

Per-node.

"csf-data-security": {
  "description": "NIST CSF 2.0 PR.DS — data-at-rest and data-in-transit protected. Maps to SP 800-53 SC-8, SC-13 + SC-28.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/data-security",
      "config": {
        "control-id": "csf-data-security",
        "at-rest-algorithm": "AES-256-GCM",
        "in-transit-minimum-tls": ["1.2", "1.3"],
        "key-management": "hsm-or-kms-cmk",
        "key-rotation-days": 365
      }
    }
  ]
}

PR — Platform security baseline (csf-platform-security)

Per-node.

"csf-platform-security": {
  "description": "NIST CSF 2.0 PR.PS — platforms are configured to provide security as part of designed and deployed function. Maps to SP 800-53 CM-6 + SI-2.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/platform-security",
      "config": {
        "control-id": "csf-platform-security",
        "baseline-source": "cis-benchmarks-level-1",
        "patch-management-policy-url": "https://internal.example.com/csf/patch-policy",
        "critical-patch-deadline-days": 14,
        "config-drift-monitoring": true
      }
    }
  ]
}

DE — Continuous monitoring (csf-continuous-monitoring)

Per-node.

"csf-continuous-monitoring": {
  "description": "NIST CSF 2.0 DE.CM — assets monitored to find anomalies, indicators of compromise, and other potentially adverse events. Maps to SP 800-53 CA-7 + SI-4.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/continuous-monitoring",
      "config": {
        "control-id": "csf-continuous-monitoring",
        "metrics": ["auth-failure-rate", "anomalous-egress", "config-drift", "vuln-scan-results"],
        "destination": "centralized-siem",
        "alerting-target": "security-soc@example.com"
      }
    }
  ]
}

DE — Anomaly detection (csf-anomaly-detection)

Graph-level.

"metadata": {
  "controls": {
    "csf-anomaly-detection": {
      "description": "NIST CSF 2.0 DE.AE — anomalies and adverse events analyzed to understand attack targets, methods, and impacts.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/anomaly-detection",
          "config": {
            "control-id": "csf-anomaly-detection",
            "analysis-platform": "siem-plus-soar",
            "playbook-library-url": "https://internal.example.com/csf/playbooks",
            "review-frequency": "weekly",
            "metrics-dashboard-url": "https://internal.example.com/csf/anomaly-dashboard"
          }
        }
      ]
    }
  }
}

RS — Incident response (csf-incident-response)

Graph-level.

"metadata": {
  "controls": {
    "csf-incident-response": {
      "description": "NIST CSF 2.0 RS.MA + RS.AN + RS.CO — incident response plan executed, incidents analyzed, communications coordinated.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/incident-response",
          "config": {
            "control-id": "csf-incident-response",
            "plan-document-url": "https://internal.example.com/csf/ir-plan",
            "tested-frequency": "annual",
            "last-test-date": "2025-03-22",
            "escalation-roster-url": "https://internal.example.com/csf/oncall"
          }
        }
      ]
    }
  }
}

RC — Recovery planning (csf-recovery-planning)

Per-node.

"csf-recovery-planning": {
  "description": "NIST CSF 2.0 RC.RP (+ RC.CO for the communications plan) — recovery activities executed to restore systems and assets affected by cybersecurity incidents. RPO/RTO documented.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/nist-csf-2/recovery-planning",
      "config": {
        "control-id": "csf-recovery-planning",
        "rpo-minutes": 60,
        "rto-minutes": 240,
        "backup-frequency": "daily",
        "restoration-test-frequency": "semi-annual",
        "last-restoration-test-date": "2025-04-10",
        "communications-plan-url": "https://internal.example.com/csf/comms-plan"
      }
    }
  ]
}

What the engine enforces

Same constraint engine. Per-rule behavior:

All deterministic — pure function over your CALM JSON.
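The following is an added, illustrative checker written for this page; it is not the archrails constraint engine and its thresholds (two factors, TLS 1.2 minimum, 365-day key rotation, positive RPO/RTO, a `third-party` tag on vendor relationships) are assumptions chosen to show the shape of a deterministic pass over a CALM document. It walks the graph-level `metadata.controls`, every node tagged `csf-in-scope: true`, and every relationship, and returns findings as plain strings. The sample architecture at the bottom is constructed for the example.

```python
"""Illustrative CSF-in-scope checker over a CALM architecture (added example, not archrails' engine)."""
import json

# Aliases from the table on this page: six attach per node, four at graph level.
PER_NODE = [
    "csf-identity-and-auth", "csf-access-control", "csf-data-security",
    "csf-platform-security", "csf-continuous-monitoring", "csf-recovery-planning",
]
GRAPH_LEVEL = [
    "csf-asset-inventory", "csf-risk-assessment",
    "csf-anomaly-detection", "csf-incident-response",
]
TLS_RANK = {"1.0": 0, "1.1": 1, "1.2": 2, "1.3": 3}


def _config(control):
    """Config dict of the control's first requirement ({} if absent)."""
    reqs = control.get("requirements") or []
    return (reqs[0].get("config") or {}) if reqs else {}


def check_node(node):
    """Return findings for one csf-in-scope node; an empty list means clean."""
    findings, nid = [], node.get("unique-id", "<no-id>")
    controls = node.get("controls") or {}
    for alias in PER_NODE:
        ctl = controls.get(alias)
        if ctl is None:
            findings.append(f"{nid}: missing control {alias}")
            continue
        cfg = _config(ctl)
        if cfg.get("control-id") != alias:
            findings.append(f"{nid}: {alias} config.control-id does not match alias")
        # Assumed value rules below: illustrative thresholds, not archrails' rule set.
        if alias == "csf-identity-and-auth" and cfg.get("factor-count", 0) < 2:
            findings.append(f"{nid}: identity-and-auth requires factor-count >= 2")
        if alias == "csf-data-security":
            tls = cfg.get("in-transit-minimum-tls") or []
            tls = [tls] if isinstance(tls, str) else list(tls)
            if not tls or any(TLS_RANK.get(v, -1) < TLS_RANK["1.2"] for v in tls):
                findings.append(f"{nid}: data-security permits TLS below 1.2 or sets no minimum")
            days = cfg.get("key-rotation-days")
            if days is not None and days > 365:
                findings.append(f"{nid}: data-security key-rotation-days exceeds 365")
        if alias == "csf-recovery-planning":
            rpo, rto = cfg.get("rpo-minutes"), cfg.get("rto-minutes")
            if not all(isinstance(v, int) and v > 0 for v in (rpo, rto)):
                findings.append(f"{nid}: recovery-planning needs positive rpo-minutes and rto-minutes")
    return findings


def check_architecture(arch):
    """Pure function over the CALM document: graph-level, per-node, then per-relationship."""
    findings = []
    graph_controls = (arch.get("metadata") or {}).get("controls") or {}
    findings += [f"graph: missing control {a}" for a in GRAPH_LEVEL if a not in graph_controls]
    for node in arch.get("nodes", []):
        if (node.get("metadata") or {}).get("csf-in-scope") is True:
            findings.extend(check_node(node))
    for rel in arch.get("relationships", []):
        # Assumption: vendor edges are tagged metadata.third-party = true.
        if (rel.get("metadata") or {}).get("third-party") is True \
                and "csf-supply-chain-risk" not in (rel.get("controls") or {}):
            findings.append(f"{rel.get('unique-id', '<no-id>')}: third-party relationship "
                            "missing csf-supply-chain-risk")
    return findings


def _ctl(alias, cfg=None):
    """Build a control block in the shape used on this page."""
    return {"description": alias, "requirements": [{
        "requirement-url": f"https://archrails.io/catalog/req/nist-csf-2/{alias[4:]}",
        "config": {"control-id": alias, **(cfg or {})}}]}


# Constructed sample: one clean node, one weak node, one out-of-scope node, one untagged vendor edge.
SAMPLE = {
    "metadata": {"controls": {a: _ctl(a) for a in GRAPH_LEVEL}},
    "nodes": [
        {"unique-id": "core-platform", "metadata": {"csf-in-scope": True}, "controls": {
            "csf-identity-and-auth": _ctl("csf-identity-and-auth", {"factor-count": 2}),
            "csf-access-control": _ctl("csf-access-control"),
            "csf-data-security": _ctl("csf-data-security",
                                      {"in-transit-minimum-tls": ["1.2", "1.3"], "key-rotation-days": 365}),
            "csf-platform-security": _ctl("csf-platform-security"),
            "csf-continuous-monitoring": _ctl("csf-continuous-monitoring"),
            "csf-recovery-planning": _ctl("csf-recovery-planning", {"rpo-minutes": 60, "rto-minutes": 240}),
        }},
        {"unique-id": "legacy-batch", "metadata": {"csf-in-scope": True}, "controls": {
            "csf-identity-and-auth": _ctl("csf-identity-and-auth", {"factor-count": 1}),
            "csf-data-security": _ctl("csf-data-security", {"in-transit-minimum-tls": ["1.0", "1.2"]}),
        }},
        {"unique-id": "dev-sandbox", "metadata": {"csf-in-scope": False}, "controls": {}},
    ],
    "relationships": [
        {"unique-id": "core-to-acme", "metadata": {"third-party": True}, "controls": {}},
    ],
}

if __name__ == "__main__":
    import sys
    arch = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for line in check_architecture(arch):
        print(line)
```

Run it with no arguments to see the seven findings on the constructed sample (six on `legacy-batch`, one on the untagged `core-to-acme` edge; `core-platform` and the out-of-scope `dev-sandbox` produce none), or pass a path to one of your own *.calm.json files. Because the function takes only the document and returns only findings, the same input always yields the same output, which is what makes it safe to wire into CI.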

Auto-include during bootstrap (coming)

Future bootstrap will offer CSF as the default cross-industry framework option for repos that don't fit a more specific framework.

Versioning

This is nist-csf-2/v0.1.0-beta. Pre-1.0 = beta. It bumps to v1.0.0 when the GA criteria for beta templates are met. When NIST publishes CSF 2.1 or 3.0, we ship a new template path; pinned customers keep their version.

Out of scope for this template

Governance subcategories that have no architectural expression (organizational context, risk strategy, roles + responsibilities, policy) are not modelled here. For those surfaces, pair this template with your CSF program documentation.