
NIST Cybersecurity Framework 2.0 — SOC Mapping

Maps SOC operational processes to NIST CSF 2.0 Functions and Categories

Use this document to demonstrate alignment during audits and identify coverage gaps


1. Overview

The NIST Cybersecurity Framework (CSF) 2.0, released February 2024, organizes cybersecurity activities into 6 Functions and 22 Categories. This mapping shows how SOC SOPs address each function.

```mermaid
graph LR
    GV[🏛️ GOVERN] --> ID[🔍 IDENTIFY]
    ID --> PR[🛡️ PROTECT]
    PR --> DE[📡 DETECT]
    DE --> RS[🚨 RESPOND]
    RS --> RC[🔄 RECOVER]
    style GV fill:#6366f1,color:#fff
    style ID fill:#0ea5e9,color:#fff
    style PR fill:#22c55e,color:#fff
    style DE fill:#f59e0b,color:#fff
    style RS fill:#ef4444,color:#fff
    style RC fill:#8b5cf6,color:#fff
```

```mermaid
pie title SOC Coverage by CSF Function
    "Govern — Partial" : 3
    "Identify — Partial" : 3
    "Protect — Partial" : 4
    "Detect — Full" : 4
    "Respond — Full" : 5
    "Recover — Full" : 3
```

The SOC directly covers 12/22 Categories with full or substantial alignment. The 10 remaining categories are outside core SOC scope (HR, procurement, physical security, etc.).


2. GOVERN (GV) — Organizational Context

| Category | Description | Coverage | SOC Documents |
|---|---|---|---|
| GV.OC | Organizational Context | 🟡 Partial | SOC 101 |
| GV.RM | Risk Management Strategy | 🟡 Partial | SOC Maturity Assessment |
| GV.RR | Roles & Responsibilities | ✅ Full | SOC Team Structure |
| GV.PO | Policy | ✅ Full | Access Control, Data Governance |
| GV.SC | Supply Chain Risk | 🟡 Partial | Third-Party Risk, PB-23 Supply Chain |
| GV.OV | Oversight | ✅ Full | SOC Maturity Assessment, SOC Metrics |

3. IDENTIFY (ID) — Asset & Risk Understanding

| Category | Description | Coverage | SOC Documents |
|---|---|---|---|
| ID.AM | Asset Management | 🟡 Partial | Log Source Matrix |
| ID.RA | Risk Assessment | ✅ Full | SOC Maturity Assessment, Compliance Gap Analysis |
| ID.IM | Improvement | ✅ Full | Lessons Learned, SOC Maturity Assessment |

4. PROTECT (PR) — Safeguards

| Category | Description | Coverage | SOC Documents |
|---|---|---|---|
| PR.AA | Identity & Access | ✅ Full | Access Control, PB-05 Account Compromise, PB-27 MFA Bypass |
| PR.AT | Awareness & Training | ✅ Full | Training Checklist, SOC Onboarding, Phishing Simulation |
| PR.DS | Data Security | 🟡 Partial | Data Governance, PB-08 Data Exfiltration |
| PR.PS | Platform Security | 🟡 Partial | Vulnerability Management |
| PR.IR | Technology Infrastructure Resilience | ✅ Full | DR/BCP |

5. DETECT (DE) — Detection & Analysis ⭐

This is the SOC's primary function — coverage is comprehensive.

| Category | Description | Coverage | SOC Documents |
|---|---|---|---|
| DE.CM | Continuous Monitoring | ✅ Full | Network Monitoring, Cloud Monitoring, SOC Checklists |
| DE.AE | Adverse Event Analysis | ✅ Full | Alert Tuning, Detection Rule Testing, 54 Sigma Rules |
| DE.DP | Detection Processes | ✅ Full | Tier 1/2/3 Runbooks, Log Source Onboarding |

6. RESPOND (RS) — Incident Response ⭐

Core SOC mission — the most thoroughly covered function.

| Category | Description | Coverage | SOC Documents |
|---|---|---|---|
| RS.MA | Incident Management | ✅ Full | IR Framework, 50 Playbooks, Severity Matrix |
| RS.AN | Incident Analysis | ✅ Full | Forensic Investigation, Evidence Collection, Threat Hunting |
| RS.CO | Incident Communication | ✅ Full | Escalation Matrix, SOC Communication SOP |
| RS.RP | Incident Response Reporting | ✅ Full | Incident Report Template, Monthly Report |
| RS.MI | Incident Mitigation | ✅ Full | 50 Playbooks (containment + eradication sections) |

7. RECOVER (RC) — Recovery

| Category | Description | Coverage | SOC Documents |
|---|---|---|---|
| RC.RP | Recovery Planning | ✅ Full | DR/BCP |
| RC.CO | Recovery Communication | ✅ Full | SOC Communication SOP, Escalation Matrix |
| RC.IM | Recovery Improvements | ✅ Full | Lessons Learned, Lessons Learned (Post-Incident) |

8. Coverage Summary

| Function | Categories | SOC Covered | Key Strength |
|---|---|---|---|
| Govern | 6 | 3 full + 3 partial | Team structure, policies, oversight |
| Identify | 3 | 2 full + 1 partial | Risk assessment, improvement cycle |
| Protect | 5 | 3 full + 2 partial | IAM, training, DR/BCP |
| Detect | 3 | 3 full | Monitoring, Sigma rules, runbooks |
| Respond | 5 | 5 full | IR framework, 50 playbooks, forensics |
| Recover | 3 | 3 full | DR/BCP, lessons learned, comms |
| Total | 22 | 16 full + 6 partial | |

Gaps Requiring Attention 🟡

| Gap | Recommendation | Priority |
|---|---|---|
| ID.AM Asset Management | Integrate CMDB/asset inventory into Log Source Matrix | Medium |
| PR.DS Data Security | Expand DLP monitoring documentation | Medium |
| PR.PS Platform Security | Add SIEM/EDR hardening guide | Low |
| GV.OC Organizational Context | Reference enterprise risk appetite in SOC charter | Low |
