Compyl
Framework · NIST CSF

Turn the NIST CSF from a maturity spreadsheet into a live posture you can show the board.

The CSF is voluntary, which is exactly why it drifts into a self-scored spreadsheet that's stale by the next board meeting. Compyl makes CSF 2.0 operational: all six functions mapped to live evidence, Tiers and Profiles tracked continuously, and posture you can defend in real time.

6 CSF functions
125+ integrations
Continuous posture
[Dashboard preview: CSF 2.0 audit readiness · 96% audit-ready · 6 functions live (Govern: core, Identify: mapped, Protect: covered, Detect: 1 gap) · evidence collected automatically from AWS CloudTrail access logs, Okta MFA enforcement export, and GitHub change-management records · 1,284 evidence items current, 0 manual screenshots]
[Readiness summary: On track · Evidence current 96% · Controls passing 92% · Functions 5 / 6 · monitored continuously, updated live]
What is NIST CSF, and how does Compyl help?

The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary framework from NIST, organized into six functions: Govern (new in 2.0), Identify, Protect, Detect, Respond, and Recover. It isn't a certification; organizations express where they stand and where they're headed using Implementation Tiers and Current and Target Profiles, then close the gap between them.

Compyl makes the CSF operational. It connects to your systems, maps every function and subcategory to live evidence, monitors controls continuously, tracks your Tier and Profile over time, and flags drift, so your cybersecurity posture is something you can show the board on any day, not a spreadsheet you rescore once a year.

The problem

A self-scored framework drifts the moment you close the file

The CSF's flexibility is its trap: with no auditor and no certificate, your Profile is only as current as the last person who updated the spreadsheet, and the board can't tell the difference.

The maturity score goes stale

A Profile scored in a workshop is out of date within a quarter as systems and controls change, but it keeps getting reported as if it were live.

Govern is new and unevenly adopted

CSF 2.0 added the Govern function. Many programs bolted it on without the evidence to back it, leaving the most board-relevant function the weakest.

Tiers become opinions, not evidence

Without continuous proof, your Implementation Tier is a self-assessment. That’s a hard thing to defend to a board, an insurer, or a customer.

How it works

One continuous loop, from connected systems to audit-ready

Compyl runs your CSF program as an always-on cycle: functions, evidence, and Profile stay in sync automatically.

01

Connect

Integrate cloud, identity, code, endpoint, and HR systems.

02

Collect evidence

Pull audit evidence automatically, in real time.

03

Map to functions

Link every artifact to its CSF function and subcategory.

04

Monitor

Watch controls continuously and flag drift early.

05

Stay audit-ready

Hand auditors a current evidence pack on demand.

Automated evidence

Stop assembling CSF evidence by hand

A CSF Profile is only credible if it's backed by evidence. Compyl collects that proof continuously from the systems you already run and maps it to every function and subcategory.

  • Pull evidence automatically from cloud, identity, code, and endpoint tools
  • Every artifact mapped to the CSF function and subcategory it supports
  • No more screenshots, spreadsheets, or last-minute requests
  • Export a complete, auditor-ready evidence pack on demand
Evidence Studio · NIST CSF · auto-collecting
Evidence current: 1,284 items mapped to controls · Manual effort: 0 screenshots this cycle
Source · Evidence · CSF ID · Status
AWS · Access logs · PR.AA-01 · Current
Okta · MFA enforcement · PR.AA-03 · Current
GitHub · Change management · PR.PS-06 · Current
CrowdStrike · Endpoint protection · DE.CM-09 · Current
Datadog · Uptime monitoring · DE.CM-01 · Current
125+ integrations feeding evidence, refreshed automatically
Evidence Health · New in 26.2

Know your evidence is audit-ready, automatically

Collecting evidence is only half the battle; stale or incomplete proof is where audits go sideways. New in Compyl 26.2, Evidence Health continuously scores every artifact the moment it changes, so weak evidence surfaces weeks before an audit, not during it.

  • Every artifact scored on relevance, freshness, and completeness
  • An AI summary spells out exactly what's missing and why
  • Re-scores automatically whenever the underlying evidence changes
  • Continuous control monitoring done right: gaps surface with time to fix
Evidence Health · Q2 Access Review (new in 26.2)
Overall health: 84 / 100, scored on three dimensions
Relevance · Healthy · 95
Freshness · Aging · 58
Completeness · Healthy · 88
AI summary: Evidence is relevant and complete, but aging. Last refreshed 41 days ago; access reviews expected within 90. Auto-refresh scheduled; gap clears ~3 weeks before audit.
Scored automatically the moment evidence changes · continuous control monitoring
Continuous monitoring

Catch control drift before the auditor does

A board doesn't want last quarter's maturity score. Compyl monitors every function continuously, scores your posture in real time, and turns the moment a control slips into a tracked task.

  • Live posture across all six CSF functions
  • Automatic alerts the moment a control drifts out of compliance
  • Remediation tasks auto-assigned with owners and deadlines
  • A defensible, time-stamped trail behind every Tier and Profile claim
Control Monitoring · NIST CSF · all functions · live · 92% passing (outcomes met)
Control · Status
PR.AA-01 · Access control · Passing
DE.CM-01 · Network monitoring · Passing
PR.AA-05 · Access removal · Drifting
RC.RP-01 · Recovery plan · Passing
Drift detected: PR.AA-05 deprovision SLA exceeded, 2 accounts not revoked after role change. Detected 6 min ago, before any audit sample. Remediation task #CSF-412 auto-created, assigned to IT Ops, due in 24h; evidence re-checks on close.
Collect once, reuse everywhere

Your NIST CSF work becomes a head start on every other framework

The CSF maps cleanly onto SOC 2, ISO 27001, and NIST 800-53; they largely describe the same controls. Compyl cross-maps each one so a single piece of evidence satisfies every framework it touches.

  • One control mapped to its equivalent across 70+ frameworks
  • Collect evidence once and reuse it across every report
  • See instantly how CSF readiness translates to SOC 2 or ISO 27001
  • Add the next framework without starting the program over
Cross Mapped Controls · PR.AA-01 · 44 mapped
PR.AA-01 Access control maps to: NIST 800-53 · 14, ISO 27001 · 12, SOC 2 · 8, PCI DSS · 6, HIPAA · 4
Evidence collected once · automatically satisfies 44 controls
The framework

Six functions, one operating model

CSF 2.0 organizes cybersecurity outcomes into six functions. Compyl maps live evidence to each, so your Profile is backed by proof.

New in 2.0

Govern

Set and monitor cybersecurity strategy, roles, policy, and oversight: the board-facing function.

ID

Identify

Understand your assets, data, suppliers, and risks so you know what you’re protecting.

PR

Protect

Access control, awareness, data security, and the safeguards that limit impact.

DE

Detect

Continuous monitoring that finds anomalies and events as they happen.

RS / RC

Respond & Recover

Contain and manage incidents, then restore operations and learn from them.

How you measure it

Tiers and Profiles, not pass/fail

The CSF isn’t certified; you express posture through Implementation Tiers and Profiles. Compyl keeps both backed by evidence.

TIERS

How rigorous your program is

Tiers 1–4 (Partial to Adaptive) describe how repeatable and risk-informed your practices are.

Tier 1–2: partial / risk-informed practices
Tier 3–4: repeatable / adaptive practices
Where Compyl helps: evidence to substantiate the Tier you claim
PROFILES

Where you are vs where you’re going

A Current Profile describes today; a Target Profile sets the goal. The gap between them is your roadmap.

Current Profile: your posture today, evidence-backed
Target Profile: the outcomes you’re driving toward
Where Compyl shines: live gap tracking between the two
Why Compyl for NIST CSF

Not a checkbox tool: a continuous compliance engine

Plenty of tools hold a CSF spreadsheet. Compyl keeps your posture true every day, with evidence-backed Tiers and Profiles you can put in front of a board.

01

Continuous, not point-in-time

Functions, evidence, and Profile stay live year-round, so your posture is defensible on any day.

02

One connected system

Controls, evidence, risks, and policies in one platform, not a stack of disconnected tools.

03

125+ integrations

Pulls live data from the stack you already run, so posture reflects reality, not snapshots.

04

Agentic AI

AI maps controls, drafts remediations, and offloads busywork; your team stays in control.

05

Multi-framework by design

CSF evidence carries over to SOC 2, ISO 27001, and NIST 800-53 without redoing the work.

6
CSF 2.0 functions mapped to live evidence
125+
Native integrations feeding evidence automatically
Real-time
Evidence collection, no manual screenshots
Year-round
Audit readiness instead of a pre-audit scramble
It has brought a sense of relief to my life because, for the first time, we have a real solution in place that is proactively keeping us protected.
Jon Senior CTO · via G2
Recognized by users on G2

Rated a leader by the teams who use it

G2 High Performer, Mid-Market
G2 Momentum Leader
G2 Fastest Implementation, Go-Live Time
G2 Best Support, Quality of Support
G2 Best Meets Requirements, Mid-Market
Beyond NIST CSF

Map the CSF once, extend to every framework that follows

Compyl cross-maps controls so the work you do for NIST CSF carries straight into the next framework on your roadmap.

FAQ

NIST CSF questions, answered

The NIST Cybersecurity Framework 2.0 is a voluntary framework organized into six functions, Govern, Identify, Protect, Detect, Respond, and Recover. Govern was added in version 2.0. It is not a certification; organizations use Implementation Tiers and Current and Target Profiles to describe and improve their cybersecurity posture.

The biggest change is the new Govern function, which elevates cybersecurity governance, strategy, roles, and oversight to a top-level outcome. CSF 2.0 also broadened the framework's scope beyond critical infrastructure to organizations of all sizes and sectors.

Implementation Tiers (1–4, Partial to Adaptive) describe how rigorous and risk-informed your practices are. Profiles describe your posture: a Current Profile is where you are today, and a Target Profile is where you want to be. The gap between them is your improvement roadmap.

Compyl connects to your stack, maps every function and subcategory to live evidence, monitors controls continuously, tracks your Tier and Profile over time, and flags drift, so your posture is board-ready on any day instead of a spreadsheet you rescore once a year.

Compyl 26.2 introduced Evidence Health, which continuously scores every piece of evidence on relevance, freshness, and completeness, with an AI summary of gaps, so your Profile stays backed by current proof.

Yes. Compyl cross-maps each control so a single control and its evidence can satisfy NIST CSF alongside SOC 2, ISO 27001, NIST 800-53, and 70+ other frameworks. Collect once, reuse everywhere it applies.

Security leaders and GRC teams, CISOs and risk officers, who use the CSF to communicate posture to boards, insurers, and customers, and need that posture backed by continuous evidence.

GRC YOUR WAY

Give your board a cybersecurity posture, not a spreadsheet

See how Compyl maps every CSF function to live evidence, tracks your Tier and Profile, and keeps your posture board-ready year-round.

Request a Demo →