CSF 2.0 organizes cybersecurity outcomes into six functions and their categories. Here is which of those categories Alvor delivers, supports, or documents across your program.
Every function, mapped across all 22 categories.
An honest map of where Alvor materially contributes. Control ownership stays with you.
About NIST CSF
Who it is for
Security leaders who use CSF as the reporting layer above their controls, and who need to show the board where the program is mature and where it is thin.
The NIST Cybersecurity Framework gives organizations a common language for understanding and managing cybersecurity risk. Version 2.0 added the Govern function, tying technical controls to business context, strategy, and oversight.
Outcomes are organized into six functions (Govern, Identify, Protect, Detect, Respond, Recover), then into categories and subcategories. The map below works at the category level so it stays scannable while still covering every function.
Control alignment
Every function, mapped at the category level. Govern and Identify are where Alvor contributes most directly; Detect and parts of Respond stay in your monitoring stack with Alvor holding the design and evidence.
Alvor performs the control or produces the evidence.
Alvor helps you manage, track, and document it.
You implement it operationally; Alvor stores the control and evidence.
Capture mission, stakeholders, and requirements that frame the cybersecurity program.
ProgramDefine risk appetite, scoring, and treatment workflow with a living risk register.
RiskAssign program roles and ownership across modules with accountability tracking.
ProgramAuthor, approve, and version the cybersecurity policy set with attestations.
PolicyReal-time dashboards give leadership and the board a current view of posture and maturity.
ComplianceInventory suppliers, assess them, and requeue reassessments on a risk-tiered cadence.
TPRMPull assets, software, and dependencies in from your cloud and security tooling and imports into one register.
AssetsIdentify, score, and track risks with linkage to the assets and controls they touch.
RiskCapture findings from assessments, audits, and incidents into an improvement backlog.
ProgramMaintain access policy and review cadence; enforcement runs in your IdP.
PolicyYou run awareness and training; Alvor holds the control and its evidence.
ProgramClassify data and record its retention and encryption status; encryption runs in your stack.
Data GovernanceDefine hardening baselines and secure-configuration standards and track drift.
Secure by DesignDocument resilience requirements, recovery plans, and restore testing.
Business ContinuityIngest vulnerability and cloud-posture findings from connected tools, and run scheduled assurance checks for live control status.
RiskHold the detection control and evidence; analysis runs in your SIEM and SOC.
ProgramYou run incident response; Alvor holds the control and its evidence.
ProgramIncident analysis runs in your IR process; Alvor holds the control and evidence.
ProgramCapture communication plans and notification evidence.
ProgramMitigation runs in your IR process; Alvor holds the control and evidence.
ProgramMaintain business continuity and recovery plans with RTO/RPO and review dates, per asset.
Business ContinuityDocument recovery communications and stakeholder updates.
Business ContinuityThis mapping shows where Alvor materially contributes to each control. It is a guide for scoping, not an attestation or certification: responsibility for implementing and operating every control remains with your organization. Ratings reflect Alvor's product capabilities and may differ from your audited scope.
Get started
Whether you lead security, run IT, manage compliance, or sit in the C-suite - we'll show you your view.