Regulatory Toolkit

NIST Cybersecurity Framework 2.0
Tabletop Exercise Toolkit

Map every tabletop exercise to NIST CSF 2.0's six Functions — from GOVERN through RECOVER. Generate automated compliance evidence, track coverage gaps, and demonstrate continuous readiness to auditors and leadership.


⚠️ This toolkit is an educational resource for exercise program design. Skyhigh Cybersecurity does not provide formal NIST CSF assessment, audit, or attestation services. Organizations subject to CSF-referenced regulations should engage qualified assessors for official compliance determinations.

6 CSF 2.0 Functions Mapped · 20+ CSF Categories Covered · Feb 2024 CSF 2.0 Released · All Sectors Applicability
NIST CSF 2.0 — What Changed & Why It Matters
Released in February 2024, CSF 2.0 significantly expands the original framework. Here's what security teams need to know for exercise planning.
GOVERN Function (New in v2.0)
CSF 2.0 adds a sixth Function, GOVERN, covering organizational context, risk management strategy, supply chain risk, and accountability. Tabletop exercises now have a direct role in demonstrating governance (GV.RM, GV.SC): they validate that risk tolerance, policies, and accountability structures actually work under pressure.

Broader Applicability
CSF 1.1 was primarily designed for critical infrastructure. CSF 2.0 is explicitly designed for all organizations regardless of sector or size. If you operate any technology that could be targeted (manufacturing, healthcare, logistics, finance, education), CSF 2.0 is now your baseline framework. Tabletop exercises are required evidence for most CSF profiles.

Profiles & Tiers
CSF 2.0 introduces formal Organizational Profiles (current vs. target state) and four Implementation Tiers (Partial → Risk Informed → Repeatable → Adaptive). Tabletop exercises are critical evidence for Tier 3 (Repeatable) and Tier 4 (Adaptive). Regular, documented exercises demonstrate that response practices are ingrained and continuously improving.
CSF 2.0 Function Mapping
How Skyhigh tabletop exercises map to each of the six CSF 2.0 Functions and their key Categories.
Columns: CSF 2.0 Function / Key Categories for Exercises / Skyhigh Coverage / Evidence Generated

GV GOVERN
  Key Categories: GV.RM Risk Management Strategy; GV.SC Supply Chain Risk; GV.RR Roles & Responsibilities; GV.PO Policy
  Skyhigh Coverage: Supporting
  Evidence Generated: Exercise demonstrates role clarity (GV.RR); supply chain scenarios address GV.SC; policy gaps surface in the AAR

ID IDENTIFY
  Key Categories: ID.RA Risk Assessment; ID.IM Improvement (lessons learned); ID.AM Asset Management
  Skyhigh Coverage: Direct
  Evidence Generated: AAR gap analysis maps directly to ID.IM improvements; risk-based scenario selection validates ID.RA methodology

PR PROTECT
  Key Categories: PR.AT Awareness & Training; PR.AA Access Control; PR.PS Platform Security; PR.IR Infrastructure Resilience
  Skyhigh Coverage: Direct
  Evidence Generated: Every completed exercise is a dated training event (PR.AT); access control and hardening gaps surface in scenarios

DE DETECT
  Key Categories: DE.CM Continuous Monitoring; DE.AE Adverse Event Analysis
  Skyhigh Coverage: Direct
  Evidence Generated: MTTD metrics from exercises; detection step analysis; MITRE ATT&CK coverage gaps; sensor coverage validation

RS RESPOND
  Key Categories: RS.MA Incident Management; RS.AN Incident Analysis; RS.MI Incident Mitigation; RS.CO Communication
  Skyhigh Coverage: Core
  Evidence Generated: Primary exercise output: response execution evidence, stakeholder communication log, MTTR metrics, AI-written AAR

RC RECOVER
  Key Categories: RC.RP Recovery Plan Execution; RC.IM Recovery Plan Improvements; RC.CO Recovery Communication
  Skyhigh Coverage: Direct
  Evidence Generated: BC/DR scenario evidence; recovery timeline validation; post-exercise improvement tracking; stakeholder communication exercise
How Skyhigh Supports CSF 2.0 Compliance
Automated CSF Evidence Packages
Generate a multi-page, audit-ready evidence PDF aligned to the NIST CSF 2.0 Functions, including the exercise log, control coverage matrix, gap analysis, and remediation timeline. Demonstrates PR.AT training evidence and RS.MA response testing for auditors in minutes.
Tags: 6-Page PDF · Control Matrix · Gap Analysis · Timeline

CSF Function Coverage Dashboard
The Compliance Dashboard shows your exercise coverage across all six CSF 2.0 Functions. Identify which Functions are well-tested (RS, DE) and which need attention (GV, RC). Track readiness score improvements over time to move from Tier 2 to Tier 3 in your CSF profile.
Tags: Readiness Score · Function Heatmap · Tier Tracking · Trend Charts

MTTD/MTTR Benchmarking
Capture per-step timestamps automatically during live exercises. Calculate real MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond) metrics aligned to the CSF DE.CM and RS.MA categories. Compare against sector benchmarks to demonstrate measurable improvement in your CSF profile.
Tags: MTTD Metrics · MTTR Metrics · DE.CM Evidence · RS.MA Evidence
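As an added illustration of the coverage dashboard and the MTTD/MTTR benchmarking described above (example code written for this page, not Skyhigh's product code), the script below takes a constructed exercise log with per-step timestamps, computes MTTD and MTTR in minutes, and reports per-Function coverage with the untested key categories as the gap list. It assumes the key-category list from the mapping table on this page as the baseline, and defines MTTR as detection-to-containment time, which is a definition choice.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Key CSF 2.0 categories per Function, taken from this page's mapping table
# (a subset of the full CSF 2.0 catalogue, used here as the coverage baseline).
KEY_CATEGORIES = {
    "GV": ["GV.RM", "GV.SC", "GV.RR", "GV.PO"],
    "ID": ["ID.RA", "ID.IM", "ID.AM"],
    "PR": ["PR.AT", "PR.AA", "PR.PS", "PR.IR"],
    "DE": ["DE.CM", "DE.AE"],
    "RS": ["RS.MA", "RS.AN", "RS.MI", "RS.CO"],
    "RC": ["RC.RP", "RC.IM", "RC.CO"],
}

@dataclass
class Exercise:
    name: str
    tested: set          # CSF categories the scenario exercised
    injected: datetime   # inject delivered to participants
    detected: datetime   # participants declared the event detected
    contained: datetime  # response actions declared complete

# Constructed sample exercise log (illustrative timestamps, not real data).
EXERCISES = [
    Exercise("Multi-Vector Ransomware Campaign", {"RS.MA", "RS.AN", "RC.RP", "RS.CO"},
             datetime(2024, 9, 3, 9, 0), datetime(2024, 9, 3, 9, 25), datetime(2024, 9, 3, 11, 10)),
    Exercise("OT Anomaly Detection Response", {"DE.CM", "DE.AE", "RS.MA"},
             datetime(2024, 10, 8, 14, 0), datetime(2024, 10, 8, 14, 12), datetime(2024, 10, 8, 15, 0)),
]

def minutes_between(start, end):
    return (end - start).total_seconds() / 60

def mttd_mttr(exercises):
    """MTTD: mean inject-to-detection; MTTR: mean detection-to-containment (minutes)."""
    mttd = mean(minutes_between(e.injected, e.detected) for e in exercises)
    mttr = mean(minutes_between(e.detected, e.contained) for e in exercises)
    return mttd, mttr

def function_coverage(exercises):
    """Per-Function share of key categories tested at least once, plus the untested ones."""
    tested = set().union(*(e.tested for e in exercises))
    report = {}
    for function, categories in KEY_CATEGORIES.items():
        gaps = [c for c in categories if c not in tested]
        report[function] = {"coverage": 1 - len(gaps) / len(categories), "gaps": gaps}
    return report
```

Running `function_coverage(EXERCISES)` on the sample log reports DE fully covered, RS at 75% with RS.MI untested, and GV, ID and PR at zero, which is the kind of gap list the dashboard surfaces.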
CSF 2.0 — Scenario Library
These exercises are specifically designed to generate evidence across multiple CSF 2.0 Functions in a single session.
Multi-Vector Ransomware Campaign (RESPOND · RECOVER)
Ransomware encrypts IT/OT systems simultaneously. Tests incident management (RS.MA), analysis (RS.AN), recovery plan execution (RC.RP), and stakeholder communication (RS.CO).
Functions: RS · RC · DE

Supply Chain Software Compromise (GOVERN · RESPOND)
A malicious update from a trusted OEM vendor pushes firmware to 40 PLCs. Tests supply chain risk governance (GV.SC), vendor notification procedures, and response escalation chains.
Functions: GV · RS · ID

OT Anomaly Detection Response (DETECT · RESPOND)
Unusual Modbus polling patterns trigger OT monitoring alerts. Tests detection capabilities (DE.CM), event analysis (DE.AE), and incident management speed, with MTTD metrics captured.
Functions: DE · RS · PR

Executive Crisis Communication Drill (GOVERN · RESPOND)
Simulates board and regulatory notification requirements during a material cybersecurity incident. Tests communication chains (RS.CO), executive roles (GV.RR), and disclosure obligations.
Functions: RS · GV · RC

Third-Party Contractor Access Abuse (PROTECT · IDENTIFY)
A remote access credential belonging to an HVAC contractor is used to pivot into the OT network. Tests access control procedures (PR.AA), platform security (PR.PS), and risk reassessment (ID.RA).
Functions: PR · ID · DE

Control System Business Continuity (RECOVER · PROTECT)
A cyberattack forces manual operations at a production facility for 72 hours. Tests recovery plan execution (RC.RP), infrastructure resilience (PR.IR), and continuous improvement documentation (RC.IM).
Functions: RC · PR · RS
Evidence Artifacts Generated
Every Skyhigh exercise produces documented artifacts that can be submitted directly as CSF 2.0 compliance evidence.
After Action Report (AAR): AI-generated, dated exercise summary with gap findings (PR.AT and RS.MA evidence)
CSF 2.0 Controls Matrix: Function-by-function coverage map showing tested vs. untested categories
MTTD / MTTR Metrics: Timestamped detection and response metrics (DE.CM and RS.MA quantitative evidence)
Improvement Tracking Log: Remediation timeline and closed gaps, mapping directly to the ID.IM improvement category

Explore the Full Regulatory Toolkit Library

Skyhigh exercise evidence maps to multiple frameworks simultaneously: one exercise program, complete regulatory coverage.

Start Building Your NIST CSF 2.0 Exercise Program

Your first exercise takes less than an hour to launch. Free plan available — no credit card required.
