May 5, 2026 · Marketopia
NIST CSF 2.0 for MSPs: A Complete 15-Minute Cybersecurity Baseline
The NIST CSF 2.0 framework groups cybersecurity outcomes into six functions — Govern, Identify, Protect, Detect, Respond, Recover. A useful 15-minute baseline rates a prospect at one of four tiers (Partial, Risk-Informed, Repeatable, Adaptive) across all six. The output is the spine of every MSP cybersecurity sales conversation: where they're exposed, what to fix first, and how much each gap is worth in recurring services.
What Is NIST CSF 2.0 (and What Changed From 1.1)?
The National Institute of Standards and Technology published Cybersecurity Framework version 2.0 in February 2024. Version 1.1 had been the standard since 2018, and most MSPs selling cybersecurity assessments today are still running conversations anchored to that older model.
The core architecture — a set of functions broken into categories and subcategories of outcomes, with tiers and organizational profiles layered on top — did not change. What did change matters directly to MSPs selling into small and mid-market businesses.
The biggest structural addition is a sixth function: Govern. NIST recognized that most organizations fail at cybersecurity not because they lack tools, but because nobody owns the decisions. Governance covers the organizational policies, roles, and accountability structures that determine whether any security control actually gets used. For the vCIO or AE running a discovery call, that addition is a gift. It gives you a legitimate framework question to ask before you ever discuss a product.
The second major change is scope. NIST CSF 1.1 was written for critical infrastructure operators. Version 2.0 was explicitly broadened to apply to organizations of any size, sector, or level of cybersecurity maturity. That shift is why cyber insurers, regulators, and procurement teams at mid-market companies are increasingly referencing CSF 2.0 in their questionnaires. Your prospects are starting to hear about it before your first call.
The third change is the addition of implementation examples and quick-start guides for small businesses. NIST has acknowledged that a 50-employee manufacturing company cannot run the same assessment program as a federal contractor. That creates an opening for MSPs to position themselves as the interpreter — the expert who translates the framework into plain-language priorities.
The Six Functions Explained for MSP Buyers
The six functions are not a checklist. They describe what a mature cybersecurity program does, organized by purpose. When you walk a prospect through them, you are not delivering a lecture. You are running a structured diagnostic.
Govern
Govern is new in CSF 2.0 and covers the policies, roles, and risk management decisions that drive every other function. In practice, this means: Does the company have a documented cybersecurity policy? Does a named person own security decisions? Is cyber risk discussed at the executive or board level?
For most SMBs, the honest answer to all three is no. That is not a failure to point out. That is a vCIO conversation waiting to happen. MSPs who offer a virtual CISO or vCIO service can map the Govern function directly to that offering before the prospect has finished answering the question.
Identify
Identify covers asset management, risk assessment, and improvement, and the basic question: do you know what you have and what you are responsible for protecting? This includes hardware inventory, software inventory, and data classification. Supply chain risk, which 1.1 filed under Identify, sits under Govern in 2.0.
A prospect who cannot tell you what endpoints are on their network — and many mid-market companies cannot — scores at Partial on Identify. That single answer opens conversations about endpoint management, asset discovery, and documentation.
Protect
Protect is the function most MSPs default to leading with, and for good reason. It covers access control, identity management, data security, training and awareness, and the hardening of infrastructure. This is where MFA, email security, patch management, and endpoint protection all live.
Protect tends to surface the highest number of billable gaps in a baseline assessment. The danger is treating it as a product list. Frame each Protect gap as a risk the business is carrying today, then connect it to the service that closes it.
Detect
Detect covers continuous monitoring, anomaly detection, and the organizational capability to recognize that something bad is happening. The key question is not whether they have a tool that does logging. The key question is whether anyone is reviewing the logs or acting on alerts.
Most SMBs have tools they are not using. An EDR that is installed but unmonitored is not a Detect capability. That distinction is the entry point for MDR or SOC conversations.
Respond
Respond covers what the organization actually does when an incident occurs: communication plans, analysis procedures, mitigation steps, and coordination with stakeholders. Most SMBs have no documented incident response plan. Many have no idea who to call.
A prospect who shrugs when you ask about their incident response plan is telling you they are one ransomware event away from a serious crisis. That is not fear-mongering — it is accurate. The Respond function creates a clean path to incident response retainer services.
Recover
Recover covers the ability to restore operations and communicate transparently after an incident. Backup and disaster recovery are the core services here, but so is the communication protocol for notifying customers, regulators, or cyber insurance carriers.
The important nuance for MSPs: Recover is not just about having backups. It is about having tested, documented, time-bound recovery. A backup that has never been tested in a restore scenario is not a Recover capability. That distinction is the difference between a client who thinks they are covered and a client who actually is.
How to Run a 15-Minute CSF Assessment on a Prospect (Without Breaking In)
A credible NIST CSF baseline does not require network access, credentials, or a two-hour discovery workshop. It requires structured questions and a consistent scoring rubric.
The 15-minute version works like this. Assign one to two questions per function. Score each answer against the four maturity tiers. Total the function scores. You now have a six-axis baseline that shows exactly where the prospect is exposed and what to address first.
For Govern, ask whether there is a written cybersecurity policy and who owns cybersecurity decisions. For Identify, ask whether they maintain a hardware and software inventory and when it was last updated. For Protect, ask about MFA status on email and remote access, and whether endpoints run managed antivirus or EDR. For Detect, ask whether anyone reviews security logs or receives alerts. For Respond, ask whether there is a written incident response plan and who they would call today if they discovered a breach. For Recover, ask about backup frequency, offsite storage, and when they last tested a restore.
These six lines of questioning take less than 15 minutes in a discovery call. They produce a defensible, function-level maturity rating for each area. More importantly, they produce a conversation. A prospect answering these questions is already thinking about risk. Your job is to reflect that risk back clearly and connect it to services.
MSProspector automates this entire baseline as part of every prospect report. The NIST CSF 2.0 assessment is included automatically — you do not build the rubric, score the responses, or format the output manually. You get a completed, structured baseline alongside 22 other opportunity scans, a named buying committee, and a custom sales playbook, in 15 minutes.
The Four Maturity Levels — What Each Looks Like in Practice
NIST CSF 2.0 uses four tiers. The framework calls them Tier 1 through Tier 4 and states plainly that they are not maturity levels; they characterize how rigorously an organization governs and manages cyber risk. In a sales conversation the descriptive labels are more useful, and scoring each function against them is a simplification worth naming as one if a prospect's IT lead knows the framework.
Partial (Tier 1) — Cybersecurity practices are informal, reactive, or undocumented. The company responds to incidents but does not anticipate or manage risk proactively. There is no regular review process. Most SMBs who have never worked with an MSP land here. The risk is high and the services conversation is broad.
Risk-Informed (Tier 2) — The company has some awareness of cybersecurity risk and has approved practices in some areas, but implementation is inconsistent. Some controls exist on paper but are not enforced or reviewed. This is the most common tier for SMBs who have had basic IT support but no structured security program. The conversation focuses on closing the gap between intent and execution.
Repeatable (Tier 3) — Policies are documented, implemented, and reviewed on a regular cycle. The company can demonstrate its security posture and updates practices as the threat landscape changes. This tier typically describes companies with a dedicated IT lead or an active MSP relationship. The conversation shifts toward optimization, coverage gaps, and compliance readiness.
Adaptive (Tier 4) — Cybersecurity is integrated into organizational decision-making. Risk management is dynamic, informed by threat intelligence, and actively updated. The company treats security as a business function, not a line item. Very few SMBs reach this tier without dedicated security resources or a mature MSP partnership.
In practice, most SMB prospects you will assess score Partial on two or three functions and Risk-Informed on the rest. The rare prospect at Repeatable across the board is either a competitor's client or a strong retention target who needs to understand the distance between where they are and Adaptive.
How to Present CSF Gaps to a Prospect (Without Scaring Them Off)
A long list of failures is not a sales tool. It is a reason for a prospect to freeze, delay, or bring in a second vendor for validation. The goal of presenting CSF findings is not to show how much is broken. It is to show that you understand their specific risk and have a plan to address it in priority order.
Lead with the two or three highest-severity gaps — the ones where a breach or failure would produce real business damage. Name the function, name the gap, name the consequence. "You are at Partial on Detect, which means that if someone is moving through your network today, you would not know until the damage is visible. That is the gap we would close first."
Then connect each priority gap to a specific service and a timeline. Prospects do not need to see every gap addressed in month one. They need to see a credible path forward with a knowledgeable guide. A phased remediation plan, mapped to CSF functions, turns an assessment into a roadmap — and a roadmap is easier to say yes to than a proposal full of products.
For the buying committee, tailor the framing. The IT Director wants to understand the technical gaps. The CFO wants to understand the financial exposure. The CEO or owner wants to understand what a breach would mean for the business and whether the company is meeting reasonable standards of care. The CSF maturity model gives you a credible third-party framework to anchor each of those conversations without becoming the one who made the problem sound either too small or too catastrophic.
Learn more about how MSProspector builds the full prospect picture — including the buying committee, technical baseline, and sales playbook — before your first call.
Common Gaps That Map to MSP Services
A CSF baseline is only useful if you can act on it. These are the four gaps that appear most frequently in SMB assessments and the service conversations they open.
MFA Gaps — Identity Protection Services
MFA adoption in SMBs remains low, particularly for legacy applications, remote desktop access, and shared service accounts. A Partial score on Protect almost always includes an MFA gap. The service conversation here includes identity protection, single sign-on, privileged access management, and conditional access policies. This is recurring MRR with a clear risk justification and a short implementation timeline.
Backup Gaps — BDR
A prospect who backs up to a local drive, backs up weekly, or has never tested a restore is carrying a Recover gap that could cost them the business in a ransomware event. The BDR conversation is most effective when you quantify the recovery time objective the current backup would produce — and contrast it with what they can actually afford to lose. Backup and disaster recovery is one of the highest-confidence MSP service attachments in any cybersecurity baseline.
Detection Gaps — MDR/SOC
Prospects at Partial on Detect typically have endpoint tools that are generating data nobody is reviewing. The MDR or co-managed SOC conversation does not start with a product name. It starts with a question: "If an attacker got into your network on a Friday afternoon, how long before you would know?" The honest answer for most SMBs is days or never. That answer is the opening.
Response Gaps — IR Retainer
A prospect who cannot name their incident response process, their legal counsel for breach notification, or their cyber insurance contact is not prepared to respond to an incident, let alone recover from one. An IR retainer gives them a named resource, a documented playbook, and a response team on call. This is a relatively low-friction add to any managed security proposal because the alternative — figuring it out mid-crisis — is clearly worse.
FAQ
Is NIST CSF mandatory?
No. NIST CSF is a voluntary framework. No federal regulation currently requires private-sector companies to achieve a specific CSF tier. However, cyber insurers increasingly use CSF-aligned questionnaires during underwriting, and some federal contractors and state agencies reference CSF 2.0 in procurement requirements. Even without a mandate, the framework is useful as a credible, third-party structure for assessing and communicating cybersecurity posture to a buying committee.
How is NIST CSF different from CIS Controls?
The CIS Controls (currently v8.1) are a prescriptive, numbered list of specific security actions organized by implementation group. NIST CSF is a higher-level outcome framework organized by function. In practice, they complement each other. CSF tells you what a mature security program does. CIS Controls tell you the specific steps to get there. Many MSPs use CSF to frame the maturity conversation and CIS Controls to build the remediation roadmap. If a prospect asks which one matters more, the honest answer is that CSF is more commonly referenced in governance and insurance conversations, while CIS Controls are more actionable at the implementation level.
What is the right cadence for re-running an assessment?
Annually at minimum, and after any significant change to the environment — a merger or acquisition, a move to a new cloud platform, a ransomware event at a peer company in the same industry, or a change in cyber insurance requirements. For clients in regulated industries or those approaching contract renewals that include security questionnaires, semi-annual assessments give you a continuous engagement reason and a documented improvement trajectory to show auditors or insurers.
How long does a real CSF assessment take?
A formal, evidence-based NIST CSF assessment performed by a certified assessor typically takes one to four weeks depending on organization size and scope. That is not the right tool for a first sales conversation. A structured 15-minute baseline using a consistent question rubric — the kind that MSProspector generates automatically as part of every report — gives you a credible, function-level snapshot that is appropriate for discovery and proposal conversations. The formal assessment becomes relevant when a client is preparing for cyber insurance renewal, responding to a compliance audit, or maturing their program to a point where documentation and evidence trails matter.
Can a prospect's cyber insurance carrier ask for a NIST CSF score?
Yes, and this is happening more often. Cyber insurers have tightened underwriting standards significantly since 2021, and many now include CSF-aligned questions as part of their applications. Some carriers specifically ask about maturity across the CSF functions or require documentation of specific controls that map to Protect and Detect. A prospect who is facing renewal or applying for coverage for the first time may find that an MSP who can help them document and improve their CSF posture is directly valuable to their bottom line — not just their security posture. That is a strong framing in a proposal conversation with a CFO or business owner who does not naturally think in cybersecurity terms.
MSProspector is built by Marketopia, the channel's leading growth and marketing firm. See what's inside every report or run your first prospect baseline free.
