NIST CSF 2.0 expanded the framework from 5 to 6 core functions, with vulnerability management spanning Identify, Protect, and the new Govern function. KENSAI maps directly to CSF subcategories to support federal agencies and private organizations aligning to NIST.
Map KENSAI to NIST CSF → See NIST DashboardReleased in February 2024, NIST CSF 2.0 adds a sixth function (Govern) and reorganizes subcategories. Vulnerability management touches multiple functions:
GV.RM-07: Strategic-level vulnerability risk management — ensuring vulnerability management is part of enterprise risk decisions and has executive visibility.
ID.RA-01: Asset vulnerabilities are identified and documented. ID.RA-02: Cyber threat intelligence is received from information sharing forums. ID.AM-02: Inventories of software, services, and systems. These are the foundation for any vulnerability management program.
PR.PS-02: Software is maintained to reduce exploitability. PR.PS-04: Log records are generated and made available. PR.MA-01/02: Maintenance and repairs performed, authorized, and logged.
DE.CM-01/02/09: Networks and systems are monitored to find anomalies and potential cybersecurity events. Continuous scanning supports continuous detection.
RS.MI-02: Incidents are mitigated. Vulnerability remediation workflows support rapid incident response when vulnerabilities are actively exploited.
| CSF Subcategory | Description | KENSAI Capability |
|---|---|---|
| ID.RA-01 | Asset vulnerabilities identified | Automated vulnerability scanning |
| ID.RA-02 | Threat intelligence received | CVE threat intel integration |
| ID.AM-02 | Software/service inventory | Asset discovery and inventory |
| PR.PS-02 | Software maintained | Patch compliance monitoring |
| DE.CM-01 | Networks monitored | Continuous network scanning |
| DE.CM-09 | Computing hardware monitored | Endpoint vulnerability assessment |
| RS.MI-02 | Incidents mitigated | Remediation workflow and tracking |
NIST CSF defines four Implementation Tiers that describe the degree of sophistication in cybersecurity practices:
Most organizations should target Tier 3. KENSAI's automation enables Tier 4 capabilities without the complexity typically associated with enterprise security programs.
Discover and continuously scan all assets to support ID.AM and ID.RA requirements for comprehensive inventory and vulnerability identification.
Integrates with threat feeds to prioritize vulnerabilities being actively exploited (ID.RA-02) — focus on what matters most.
CVSS + exploitability + asset criticality scoring enables the risk-informed decisions required at Tier 2 and above.
Visualize your security posture mapped to CSF functions. Track progress toward higher implementation tiers over time.
GV (Govern) function reporting gives leadership the vulnerability risk visibility required for strategic security decisions.
Track MTTR (Mean Time to Remediate) by severity and asset class — key metrics for demonstrating CSF tier progression.
For federal agencies and organizations following NIST SP 800-53, KENSAI maps to the RA (Risk Assessment) and SI (System and Information Integrity) control families:
KENSAI provides vulnerability scanning and management capabilities that directly implement NIST CSF 2.0 subcategories. Generate compliance reports mapped to the framework and demonstrate progress toward higher implementation tiers.
Start NIST CSF Assessment → Talk to a NIST Expert