Frameworks · NIST Cybersecurity Framework 2.0
The framework your board
and your insurer both speak.
"Are we secure?" is unanswerable. "Here's our CSF 2.0 profile, our tier, and our progress since last quarter" is a board slide. NIST CSF 2.0 — with its new Govern function — is how mid-market companies structure security without a certification bureaucracy, and it's the framework insurance carriers and the FFIEC's successor guidance now point to. Lionfish builds yours in the Cyber Tackle Box™.
Voluntary framework. Involuntary consequences.
Sources: NIST CSWP 29; Fortra 2025 State of Cybersecurity Survey (vendor survey); insurance-industry questionnaire analyses. The FFIEC sunset its assessment tool in August 2025, pointing financial institutions toward CSF 2.0.
Who this is for
For leaders who need a program, not a plaque
Nobody fines you for skipping the CSF. Your insurer, your board, and your biggest customer just quietly price you accordingly.
- ✓Mid-market companies without a CISO — 50 to 5,000 people — where the CFO signs the insurance renewal and the IT director inherits the questionnaire.
- ✓Banks and credit unions migrating off the sunset FFIEC assessment tool onto CSF 2.0 — with examiners watching the transition.
- ✓MSPs productizing security — run CSF 2.0 programs for your whole client book from one multi-tenant console, and sell the assessment as a service.
Sound familiar?
The pain we hear on every first call
- !Outcomes, not instructions. The CSF tells you what good looks like, not how to get there — mapping subcategories to real controls is the work, and it's exactly what the platform automates.
- !The renewal scramble. Every insurance renewal becomes an archaeology dig for evidence. Carriers reward documented programs with better premiums and terms.
- !Board translation. The new Govern function means directors now ask pointed questions. A maturity tier and a trend line answer them; a shrug does not.
The platform
How the Cyber Tackle Box™ runs your CSF 2.0 program
One CSF 2.0 backbone that maps down to CIS, 800-53, and ISO controls — and up to the board slide and the insurance application.
Policy Templates
The governance, risk, and operational policies the Govern function expects — pre-built, mapped to subcategories, tailored to your reality.
Current & Target Profiles
Your live CSF profile with tiers, owners, and a target state — progress you can show the board quarter over quarter.
Gap-to-Action POA&Ms
Every gap becomes an assigned, dated action — a roadmap, not a rating.
Evidence & the Intel Hub
Insurance-questionnaire-ready evidence in one system of record, plus threat intel feeding your Identify and Detect functions.
Assessment Playbooks
Repeatable runbooks for annual self-assessment, insurer questionnaires, and customer security reviews — answer once, reuse everywhere.
Awareness Training
PR.AT, handled: 52 training modules including music-based awareness people actually finish — tracked per person for the evidence trail.
Why Lionfish
A platform with humans attached
Practitioners, not just software
Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.
One system of record
Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.
Veteran-owned & battle-tested
SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.
Straight answers
CSF 2.0 questions we answer every week
What changed in NIST CSF 2.0?
Released February 26, 2024, CSF 2.0 added a sixth function — Govern — covering leadership accountability, strategy, and supply-chain risk, and expanded the framework's scope from critical infrastructure to organizations of any size or sector. The structure is now 6 functions, 22 categories, and 106 subcategories, with official Community Profiles and quick-start guides for smaller organizations.
Is NIST CSF mandatory?
No — it's voluntary. But the pressure around it isn't: cyber insurance carriers anchor 80+ question applications to it, boards ask for it by name since the SEC's cyber disclosure rules, financial regulators point to it after the FFIEC tool sunset, and enterprise customers embed it in vendor reviews. 'Voluntary' in 2026 means the penalty is priced in premiums and lost deals instead of fines.
How does CSF relate to CIS Controls or ISO 27001?
The CSF is the organizing structure; CIS Controls, NIST 800-53, and ISO 27001 supply the concrete controls underneath. The Cyber Tackle Box maps them: implement a control once and it satisfies its CSF subcategory, its CIS safeguard, and its ISO Annex A entry simultaneously. That's how a CSF program becomes a springboard to certification later instead of a dead end.
Will this actually help our insurance renewal?
A documented, evidenced CSF program answers most of a modern cyber application directly — MFA, EDR, backups, training, incident response — and carriers reward demonstrated maturity with better premiums, terms, and fewer sublimits. We can't promise your quote (nobody honestly can), but we can promise you'll walk into renewal with evidence instead of assertions.
Get in touch
Build a program you can show the board
Tell us what's driving it — insurance renewal, board pressure, a customer review — and where your security program stands today. Straight answer within one business day.
- 1We reply within one business day — usually faster.
- 2A 30-minute call with someone who can actually answer your questions.
- 3A straight recommendation — even if it's that you don't need us yet.
Prefer to skip the form? Book a time directly or call 1-877-732-6772.