
NIST CSF 2.0 for MSPs: How to Build a Cybersecurity Framework Service Line

How MSPs can use NIST CSF 2.0 to build a structured compliance service line — governance tiers, assessments, remediation, and recurring security revenue.

Oussama Louhaidia
Updated May 11, 2026 · 8 min read

Key Takeaways

NIST CSF 2.0 expanded beyond critical infrastructure in 2024 — and now your SMB clients are hearing about it from insurers, procurement teams, and enterprise partners. Most MSPs don't have a structured answer yet. This guide breaks down what changed, why CSF 2.0 is the right framework to anchor a compliance service line, how to run a current-state assessment your clients will actually pay for, and how to package ongoing compliance as recurring managed revenue.

Most MSPs are already delivering the controls that NIST CSF 2.0 describes. Patch management, backup, MFA, endpoint protection, incident response — these are the core of a managed services contract. The problem is that none of it is documented in a way that satisfies an insurer, an enterprise procurement team, or a board that just got a cyber insurance renewal notice with a 40% premium increase.

NIST CSF 2.0 is the documentation layer. And building it as a service line is one of the highest-margin moves available to an MSP right now.

What Changed in NIST CSF 2.0

NIST released version 2.0 in February 2024. It is the first major revision since the framework launched in 2014 (version 1.1, in 2018, was an incremental update). The headline change is a new function: GOVERN.

The original five functions (Identify, Protect, Detect, Respond, Recover) are operational. They describe what a security programme does. GOVERN sits above all of them, informs how the other five are carried out, and describes how decisions get made. Its six categories are:

  • Organisational context (GV.OC) — what are we protecting and why
  • Risk management strategy (GV.RM) — how much risk is acceptable
  • Roles, responsibilities, and authorities (GV.RR) — who owns what
  • Policy (GV.PO) — how we operate, written down, communicated, and enforced
  • Oversight (GV.OV) — how leadership monitors results and adjusts the strategy
  • Cybersecurity supply chain risk management (GV.SC) — who our vendors are and what their risk posture is

For most SMB clients, GOVERN is entirely absent. They have technical controls managed by their MSP, but they have no written risk tolerance, no policy library, no vendor risk process, and no mechanism for leadership to understand their security posture. That gap is where your service line lives.

The other major change is scope. CSF 1.1 was still titled "Framework for Improving Critical Infrastructure Cybersecurity". CSF 2.0 drops that framing and explicitly applies to organisations of any size, sector, and cybersecurity maturity level; NIST published Implementation Examples alongside it and a separate Small Business Quick-Start Guide. The framework remains voluntary, but NIST now positions it as the common reference for any organisation with a security programme, not just critical infrastructure operators.

Why Your Clients Are Hearing About It

Your clients don’t read NIST publications. But they’re hearing about CSF anyway, from three directions:

Cyber insurers. The underwriting questions on renewal applications have gotten longer and more specific. Insurers want to know about multi-factor authentication, endpoint detection, backup testing, incident response procedures, and privileged access management. This is CSF mapped to insurance risk. When a client doesn’t know how to answer those questions, they call their MSP — which is the moment you either quote them a compliance engagement or let them guess.

Enterprise clients and procurement. If any of your clients sell into enterprise, they’re seeing supplier security questionnaires. The NIST CSF tier and function language shows up regularly in these assessments. A Tier 1 (Partial) rating on a supplier questionnaire is a risk flag. Moving to Tier 3 (Repeatable) is often the difference between winning and losing a contract.

Boards and leadership. Post-breach coverage, rising premiums, and board-level ESG discussions have pushed cybersecurity into the boardroom. A CEO who doesn’t understand security controls understands framework tiers. “We’re targeting Tier 3 on the NIST framework over the next 18 months” is a sentence that lands in a board meeting. Most MSPs can’t make that sentence yet because they don’t have a governance layer.

The Assessment

A NIST CSF 2.0 current-state assessment is a structured exercise that maps what a client is actually doing against the framework's six functions, 22 categories, and 106 subcategories (you collect evidence at the subcategory level and report at the category level). The output has two parts:

Current Profile — the client's present security posture, rated by category. NIST does not prescribe a rating scale, so define one and apply it consistently across clients; a workable four-point scale is Not Implemented / Partial / Largely Implemented / Fully Implemented.

Target Profile — the posture the client should be targeting based on their risk context, sector, and stakeholder expectations.

The gap between those two profiles is your statement of work.

For an MSP, most of the evidence you need to build the Current Profile already exists in your RMM and documentation. Using CSF 2.0's own category names and subcategory identifiers:

  • Patch compliance reports → Protect: Platform Security (PR.PS-02, software maintained and replaced commensurate with risk) and Identify: Risk Assessment (ID.RA-01, vulnerabilities identified and recorded)
  • MFA enforcement records → Protect: Identity Management, Authentication, and Access Control (PR.AA-03, users, services, and hardware are authenticated)
  • Backup job logs and restore test records → Protect: Data Security (PR.DS-11, backups created, protected, maintained, and tested); successful restore tests also evidence Recover: Incident Recovery Plan Execution (RC.RP-03, backup integrity verified before restoration)
  • EDR alert summaries → Detect: Continuous Monitoring (DE.CM) and Adverse Event Analysis (DE.AE)
  • Helpdesk incident tickets → Respond: Incident Management (RS.MA)

One caveat when rating: a report proves the control ran, not that it is governed. A patch report with no written patching standard behind it supports Partial, not Fully Implemented.

What you won’t have — what almost no SMB client has — is the GOVERN layer:

  • A written cybersecurity risk management policy (GV.PO-01)
  • A documented risk appetite and risk tolerance statement (GV.RM-02)
  • A vendor/supplier risk register with security reviews (GV.SC)
  • Defined cybersecurity roles, responsibilities, and authorities (GV.RR-02)
  • An executive risk reporting and review cadence (GV.OV)

This is where the billable work is. The Current Profile heat map makes the gap visible. The Target Profile gives the client a destination. The remediation roadmap is the project.
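The profile comparison described above, as an added example (not code from the original article, nor a NIST tool): it holds the 22 CSF 2.0 categories under NIST's own identifiers, scores a Current Profile and a Target Profile on the article's four-point scale, and returns the gap list that becomes the heat map and the statement of work. The rating scale is the article's, not NIST's; the two profiles at the bottom are constructed sample data for a hypothetical SMB client, not real assessment results.

```python
"""CSF 2.0 gap analysis: Current Profile vs Target Profile, by category.

Added example, not code from the original article. The 22 category
identifiers and names are NIST's own (CSF 2.0). The four-point rating
scale is the article's, not a NIST scale. The two profiles at the bottom
are constructed sample data for a hypothetical SMB client.
"""
from collections import defaultdict

# CSF 2.0 categories in NIST document order: id -> (function, name)
CATEGORIES = {
    "GV.OC": ("GOVERN", "Organizational Context"),
    "GV.RM": ("GOVERN", "Risk Management Strategy"),
    "GV.RR": ("GOVERN", "Roles, Responsibilities, and Authorities"),
    "GV.PO": ("GOVERN", "Policy"),
    "GV.OV": ("GOVERN", "Oversight"),
    "GV.SC": ("GOVERN", "Cybersecurity Supply Chain Risk Management"),
    "ID.AM": ("IDENTIFY", "Asset Management"),
    "ID.RA": ("IDENTIFY", "Risk Assessment"),
    "ID.IM": ("IDENTIFY", "Improvement"),
    "PR.AA": ("PROTECT", "Identity Management, Authentication, and Access Control"),
    "PR.AT": ("PROTECT", "Awareness and Training"),
    "PR.DS": ("PROTECT", "Data Security"),
    "PR.PS": ("PROTECT", "Platform Security"),
    "PR.IR": ("PROTECT", "Technology Infrastructure Resilience"),
    "DE.CM": ("DETECT", "Continuous Monitoring"),
    "DE.AE": ("DETECT", "Adverse Event Analysis"),
    "RS.MA": ("RESPOND", "Incident Management"),
    "RS.AN": ("RESPOND", "Incident Analysis"),
    "RS.CO": ("RESPOND", "Incident Response Reporting and Communication"),
    "RS.MI": ("RESPOND", "Incident Mitigation"),
    "RC.RP": ("RECOVER", "Incident Recovery Plan Execution"),
    "RC.CO": ("RECOVER", "Incident Recovery Communication"),
}

# The article's rating scale, lowest to highest; the list index is the score.
RATINGS = ["Not Implemented", "Partial", "Largely Implemented", "Fully Implemented"]


def score(rating):
    """Numeric score for a rating; anything outside the scale is an error."""
    if rating not in RATINGS:
        raise ValueError(f"unknown rating: {rating!r}")
    return RATINGS.index(rating)


def validate_profile(profile):
    """A profile must rate every CSF 2.0 category and nothing else."""
    missing, unknown = set(CATEGORIES) - set(profile), set(profile) - set(CATEGORIES)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for rating in profile.values():
        score(rating)


def gap_analysis(current, target):
    """One row per category where the Target Profile exceeds the Current Profile.

    Sorted by gap (largest first), then NIST document order, so the GOVERN
    categories head the list when they are the furthest behind."""
    validate_profile(current)
    validate_profile(target)
    order = {cat: i for i, cat in enumerate(CATEGORIES)}
    rows = []
    for cat, (func, name) in CATEGORIES.items():
        gap = score(target[cat]) - score(current[cat])
        if gap > 0:
            rows.append({"category": cat, "function": func, "name": name,
                         "current": current[cat], "target": target[cat], "gap": gap})
    rows.sort(key=lambda r: (-r["gap"], order[r["category"]]))
    return rows


def gap_by_function(rows):
    """Total gap points per function: the numbers behind the heat map."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["function"]] += row["gap"]
    return dict(totals)


# Constructed sample (not real client data): MSP-managed technical controls
# in place, no GOVERN layer, communications and improvement never addressed.
CURRENT_PROFILE = {cat: "Partial" for cat in CATEGORIES}
CURRENT_PROFILE.update(dict.fromkeys(
    ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC", "ID.IM", "RS.CO", "RC.CO"],
    "Not Implemented"))
CURRENT_PROFILE.update(dict.fromkeys(["PR.AA", "PR.PS", "DE.CM", "DE.AE"], "Largely Implemented"))

# Target: everything documented and consistently applied, with identity and
# data security pushed to full implementation.
TARGET_PROFILE = {cat: "Largely Implemented" for cat in CATEGORIES}
TARGET_PROFILE.update(dict.fromkeys(["PR.AA", "PR.DS"], "Fully Implemented"))

if __name__ == "__main__":
    rows = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for r in rows:
        print(f"{r['category']}  {r['function']:9}  {r['current']:>20} -> {r['target']:<20}  gap {r['gap']}")
    print(gap_by_function(rows))
```

Run as-is it lists 19 category gaps with all six GOVERN categories at the top, which is the shape the article predicts for a typical SMB. The same function serves the quarterly drift review in the recurring model: call it with last quarter's Current Profile as the target and this quarter's as the current, and the rows it returns are exactly the categories whose rating has slipped.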

The Remediation Roadmap

NIST CSF 2.0 uses four Tiers (Partial, Risk Informed, Repeatable, Adaptive) to characterise how rigorously an organisation governs and manages cybersecurity risk. NIST frames them as describing the rigour of those practices rather than as a maturity model, but clients and insurers read them as one, and for roadmap purposes that is how they work. Most SMB clients land at Tier 1 (Partial): controls exist but are informal and reactive. Some are at Tier 2 (Risk Informed): some risk awareness exists, but practices aren't consistent across the organisation.

Tier 3 (Repeatable) is the practical target: controls are documented, applied consistently, reviewed periodically, and updated as risk changes. This is the minimum viable posture for a serious cyber insurance renewal or enterprise supplier questionnaire. Tier 4 (Adaptive) adds continuous, threat-informed adjustment of the programme and is rarely a sensible first target for an SMB.

A 12–18 month roadmap to Tier 3 runs in three phases:

Foundation (months 1–4): Policy library build (acceptable use, access management, incident response, business continuity, vendor management), asset inventory formalisation, risk register initialisation, GOVERN roles assignment, executive risk reporting structure. This is documentation work, not infrastructure. Most of it sits in hours, not hardware budget.

Operations (months 5–10): Close the control gaps identified in the Current Profile. For most SMB clients this means formalising what’s already being done — patching processes get written procedures, backup jobs get documented test cadences, MFA enforcement gets a written policy to match the technical enforcement. New controls might include privileged access management, network segmentation documentation, and a formal vendor onboarding checklist.

Optimisation (months 11–18): Move the client toward continuous improvement practices. Quarterly risk reviews, security metrics reporting to leadership, supply chain risk reviews for new vendors, and annual full reassessments. By the end of this phase, the client has a documented, repeatable security programme — and you have a defensible record of it.

The Recurring Revenue Model

The one-time assessment (£1,500–£3,000) gets you in the door. The recurring model is where this becomes a service line.

Monthly managed compliance for a CSF-aligned programme covers:

  • Policy maintenance — updating the policy library when regulations change or client circumstances change
  • Quarterly profile reviews — are controls still in place, has anything drifted, have new gaps opened
  • Executive risk reporting — a monthly or quarterly summary that translates security posture into business language
  • Vendor risk reviews — security review checklist for new suppliers and cloud services
  • Annual reassessment — full Current Profile refresh to measure progress and reset the Target Profile

Layer in security awareness training and phishing simulation (Protect: Awareness and Training, PR.AT) and you have a complete managed security programme: the GOVERN outcomes covered end to end by the retainer, and the operational functions covered by the MSP contract.

Pricing for SMBs (20–200 seats): £400–£800/month depending on size and complexity. Add vCISO hours for GOVERN-level engagement (board presentations, risk tolerance workshops, supply chain governance) and you’re looking at £900–£2,300/month for the full programme.

Compared to the operational MSP margin on infrastructure management, a compliance retainer is high-margin, low-churn, and gets stickier over time as you build up client documentation.

Connecting CSF 2.0 to the vCISO Practice

NIST CSF 2.0 is the most natural anchor for a vCISO retainer because the GOVERN function requires exactly what a vCISO does — leadership-level engagement with cybersecurity risk. Your engineering team can deliver the operational functions (Identify through Recover). The vCISO layer delivers GOVERN: risk tolerance decisions, board reporting, supply chain oversight, strategic programme direction.

This split creates a clear service structure. MSP contract handles technical controls. vCISO retainer handles governance. The combination is a complete security programme, documented to a recognised framework, with a human who can explain it to the board.

For MSPs that want to move upstream — from reactive break-fix to strategic security partner — CSF 2.0 is the language that bridges technical delivery and executive decision-making. The clients who engage at this level churn at a fraction of the rate of pure infrastructure clients, and they expand over time as their compliance obligations grow.

Starting the Conversation

The easiest entry point is the cyber insurance conversation. When a client calls about a renewal increase or an underwriter questionnaire they don’t know how to answer, that’s a CSF 2.0 assessment sale. “Let us run a current-state assessment — we’ll map where you stand, identify the gaps, and produce a roadmap. That roadmap becomes your answer to the insurer and your budget conversation for the next 12 months.”

Clients who haven’t had that conversation yet are still worth approaching. Pull your top 20 by revenue and ask: “Have you had any security questions from customers, insurers, or partners in the last 12 months?” The ones who say yes are ready. The ones who say no are usually 6–18 months away from having the conversation forced on them.

Either way, you want to be the MSP who already has the programme built — not the one scrambling to reverse-engineer compliance after a breach.

Ready to build your CSF 2.0 service line with automation behind it? See how GetCybr can help.
