Hi Community,
I have installed the NIST CSF Use Case Accelerator on my ServiceNow IRM instance and noticed the following behavior:
- ✅ I can see NIST CSF v2.0 Authority Document
- ✅ I can see NIST CSF v2.0 Control Objectives
- ✅ Existing NIST CSF Risk Statements are available
- ❌ However, I do not see any Risk Statements specifically marked or delivered for NIST CSF v2.0
It appears that:
- Control objectives have been updated or added for CSF v2.0, but
- Risk statements still seem to be the same ones that were originally aligned to CSF v1.x and are not versioned as v2.0.
Is there any roadmap to release dedicated NIST CSF v2.0 risk statements, or is the recommended approach to manually create/map risks to v2.0 control objectives?
Would appreciate guidance from anyone who has implemented CSF v2.0 successfully.
Thanks in advance!
