Quiz Entry - updated: 2026.07.14
In NIST CSF v2.0, how many Categories and Sub-categories does the Core contain?
22 Categories, 106 Sub-categories — spread across the 6 Functions.
A typical Sub-category entry looks like:
| Field | Example |
|---|---|
| Category | GV.SC: Cybersecurity Supply Chain Risk Management |
| Sub-category | GV.SC-01: A cybersecurity supply chain risk management program is established |
| Implementation Examples | Ex1–Ex4 (e.g., "Establish a strategy that expresses the objectives of the program") |
| Informative References | CIS Controls v8.0: 15.2; CRI Profile v2.0: GV.SC-01; SP 800-221A: GV.PO-1; CSF v1.1: ID.SC-1 |
The numbers shifted between versions:
- CSF v1.1: 5 functions, 23 categories, 108 sub-categories.
- CSF v2.0: 6 functions (added Govern), 22 categories, 106 sub-categories.
Tip: The Sub-categories are the smallest unit of "what to do" — a programme audit walks each Sub-category and asks "is this outcome achieved?" That's how a CSF profile turns from abstract framework into actionable assessment.
Go deeper:
The NIST CSF 2.0 (CSWP 29) — the source of the v2.0 counts (6 Functions, 22 Categories, 106 Sub-categories).
NIST Cybersecurity Framework (Wikipedia) — confirms the v2.0 totals and contrasts them with v1.1's 5/23/108.