> For the complete documentation index, see [llms.txt](https://docs.linuxguard.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.linuxguard.io/audit-and-comply/audit-comply/nist-csf.md).

# NIST CSF 2.0

> **Note**: This page maps LinuxGuard against the **NIST Cybersecurity Framework 2.0** (effective 2024-02-26). Last verified against the framework on 2026-05-31. Canonical framework document: [NIST CSF 2.0 — NIST.CSWP.29](https://doi.org/10.6028/NIST.CSWP.29). For the vocabulary contract used here, see [Audit & Comply](/audit-and-comply/audit-comply.md).

> **Important — CSF 2.0 vs CSF 1.1**: CSF 2.0 (published February 2024) added a sixth function — **GOVERN (GV)** — alongside the original five functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) from CSF 1.1. The GOVERN function consolidates organizational context, risk management strategy, roles and responsibilities, policy, and oversight content that was scattered across CSF 1.1's IDENTIFY function. Customers cross-referencing legacy CSF 1.1 documentation should treat 1.1 category IDs as deprecated; this mapping uses CSF 2.0 category and subcategory IDs only. The 1.1-to-2.0 mapping crosswalk is published separately by NIST at the [CSF 2.0 Reference Tool](https://csrc.nist.gov/Projects/cybersecurity-framework/Filters).

## Scope

This page maps LinuxGuard's agent and console capabilities against NIST CSF 2.0. The mapping is scoped to subcategories in the PROTECT function (Identity Management, Authentication, and Access Control — PR.AA; Data Security — PR.DS; Platform Security — PR.PS), the DETECT function (Continuous Monitoring — DE.CM; Adverse Event Analysis — DE.AE), and the RESPOND function (Incident Management — RS.MA; Incident Analysis — RS.AN) that LinuxGuard's telemetry, baselines, drift detection, and audit features address. Subcategories in the GOVERN function (organizational governance, risk management strategy, roles and responsibilities, policy, oversight), most of the IDENTIFY function (asset management at the organizational level, business environment, risk assessment program administration), the RECOVER function (incident recovery plan execution, communications, improvements), and the customer-side program elements of every function are out of scope for this product and are listed in the mapping table as `Out of scope` rather than omitted. This mapping is informational and not a substitute for an independent audit by a qualified assessor.

Customers remain responsible for the GOVERN function as a whole, the organizational-level risk assessment under ID.RA, the recovery planning and execution under the RC function, and the broader cybersecurity program that the technical subcategories support.

## Shared responsibility

> LinuxGuard is a security monitoring agent and console. Compliance with any framework requires customer-side controls in addition to LinuxGuard's capabilities. This mapping is informational and not a substitute for an independent audit by a qualified assessor.

The shared-responsibility framing for NIST CSF 2.0:

* **LinuxGuard responsibility.** Produce continuous telemetry, configuration baselines, drift detection, authentication event capture, file integrity monitoring, behavioral signals, and audit trails on Linux systems that map to specific PROTECT, DETECT, and RESPOND subcategories. Maintain the framework version pin and per-subcategory evidence pointers.
* **Customer responsibility.** Operate the GOVERN function (organizational context, risk management strategy, roles, policy, oversight), conduct the organizational-level risk assessment under ID.RA, administer the broader IDENTIFY function (asset management programs, business environment characterization, supply chain risk management program), operate the customer-side controls layered above LinuxGuard's telemetry (IAM platform, network policy, key management, training, physical security, vendor management, BCP), and execute the RECOVER function (recovery planning, communications, improvements).
* **Out-of-scope domains for this framework.** The GOVERN function in its entirety, organizational-level risk assessment, asset management program administration, business environment characterization, supply chain risk management program (beyond LinuxGuard as one supplier), recovery planning and execution, communications and stakeholder engagement, and the policy administration elements of every function.

## Control mapping

The Tier column uses one of three labels and only those three: `Satisfies`, `Supports`, `Out of scope`. The Evidence column points to a row of the canonical [Evidence Location](/concepts/concepts/console/compliance-expansion.md#evidence-location) table or to a specific console page. See [Audit & Comply](/audit-and-comply/audit-comply.md) for the three-tier vocabulary contract.

| Control ID | Description                                                                                                                                                             | Tier           | Evidence                                                                                                                                                    | Notes                                                                                                                                                                                                                                                                                    |
| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `GV.OC`    | Organizational Context — the circumstances surrounding the organization's cybersecurity risk management decisions are understood                                        | `Out of scope` | n/a                                                                                                                                                         | Organizational context characterization is a governance responsibility not addressed by LinuxGuard.                                                                                                                                                                                      |
| `GV.RM`    | Risk Management Strategy — the organization's priorities, constraints, risk tolerance, and risk appetite are established and used to support operational risk decisions | `Out of scope` | n/a                                                                                                                                                         | Risk management strategy is a governance responsibility not addressed by LinuxGuard.                                                                                                                                                                                                     |
| `GV.RR`    | Roles, Responsibilities, and Authorities — cybersecurity roles, responsibilities, and authorities are established and communicated                                      | `Out of scope` | n/a                                                                                                                                                         | Role and responsibility assignment is a governance responsibility not addressed by LinuxGuard.                                                                                                                                                                                           |
| `ID.AM-01` | Inventories of hardware managed by the organization are maintained                                                                                                      | `Supports`     | Console Infrastructure → server inventory; Console Compliance Expansion → control detail                                                                    | LinuxGuard surfaces the per-server inventory of enrolled hosts including hostname, architecture, distribution, and agent version. Customer responsible for the organizational hardware asset register beyond LinuxGuard-monitored hosts.                                                 |
| `ID.AM-02` | Inventories of software, services, and systems managed by the organization are maintained                                                                               | `Supports`     | Console Infrastructure; Console Baselines → accounts and groups                                                                                             | LinuxGuard surfaces account and group inventories per host. Customer responsible for the application software inventory and the broader system inventory beyond OS-layer accounts.                                                                                                       |
| `PR.AA-01` | Identities and credentials for authorized users, services, and hardware are managed by the organization                                                                 | `Supports`     | Console Audit pillar → Authorizations audit; Console Baselines → accounts and groups; Agent log (raw events) with `loginUID` attribute                      | LinuxGuard observes account and group inventories, authorization changes, and authentication events with `loginUID` capture surviving sudo/su escalation. Customer responsible for the identity platform, credential issuance, and identity lifecycle workflow.                          |
| `PR.AA-03` | Users, services, and hardware are authenticated                                                                                                                         | `Supports`     | Agent log (raw events) with `auth.event` attribute; Console Identity Intelligence                                                                           | LinuxGuard captures authentication events including user, source IP, method (password, publickey, keyboard-interactive), and outcome. Customer responsible for the authentication platform, MFA enforcement, and password policy administration.                                         |
| `PR.AA-05` | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed                                                           | `Supports`     | Console Audit pillar → Authorizations audit; Console Baselines → SUDO rules, SSH config, SSHD config; Console Zero Trust Enforcement → Config Drift         | SUDO rule baselines, SSH/SSHD baselines, authorization audit, and config drift surface OS-layer entitlement evidence. Customer responsible for the access policy text, role definition, and access review workflow.                                                                      |
| `PR.DS-01` | The confidentiality, integrity, and availability of data-at-rest are protected                                                                                          | `Supports`     | Agent log (raw events); Console Zero Trust Enforcement → Config Drift                                                                                       | File integrity monitoring on sensitive paths (sudoers, sshd\_config, passwd, shadow, authorized\_keys, operator-configured paths) contributes to integrity assurance for OS-layer data-at-rest. Customer responsible for application-layer data-at-rest controls and encryption-at-rest. |
| `PR.PS-01` | Configuration management practices are established and applied                                                                                                          | `Satisfies`    | Console Baselines → SSH config, SSHD config, SUDO aliases, SUDO defaults, SUDO rules; Console Zero Trust Enforcement → Config Drift; Agent log (raw events) | Baselines capture the expected configuration state for SSH client, SSHD daemon, SUDO aliases, SUDO defaults, SUDO rules, accounts, and groups; drift detection surfaces deviations on each scan cycle. See [Baselines](/concepts/concepts/console/baselines.md).                         |
| `PR.PS-04` | Log records are generated and made available for continuous monitoring                                                                                                  | `Satisfies`    | Agent log (raw events) at `/var/log/linuxguard/agent.log`; Support bundle                                                                                   | The LinuxGuard agent generates structured audit logs continuously on every enrolled host. Default retention: 50 MB per file, 14-day retention, 5 backups, gzip compression. See [Log Management](/operate/operate/log-management.md).                                                    |
| `PR.PS-05` | Installation and execution of unauthorized software are prevented                                                                                                       | `Out of scope` | n/a                                                                                                                                                         | Application allow-listing and execution prevention are not addressed by LinuxGuard. LinuxGuard observes and reports but does not enforce execution policy.                                                                                                                               |
| `DE.CM-01` | Networks and network services are monitored to find potentially adverse events                                                                                          | `Supports`     | Agent log (raw events); Console Zero Trust Enforcement → Signals                                                                                            | Behavioral telemetry surfaces network-related signals (e.g., suspicious connection attempts visible at the kernel layer). Customer responsible for network-layer monitoring (NDR, IDS/IPS, flow logs) beyond OS-layer observability.                                                     |
| `DE.CM-03` | Personnel activity and technology usage are monitored to find potentially adverse events                                                                                | `Satisfies`    | Agent log (raw events) with `loginUID` attribute; Console Audit pillar → SUDO execution audit; Console Identity Intelligence                                | Authentication event capture, SUDO execution audit, and `loginUID` propagation across privilege escalation produce continuous personnel-activity monitoring on enrolled hosts.                                                                                                           |
| `DE.CM-09` | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events                                                  | `Satisfies`    | Agent log (raw events); Console Zero Trust Enforcement → Config Drift; Console Zero Trust Enforcement → Signals                                             | eBPF-based behavioral telemetry, file integrity monitoring on critical paths, configuration drift on baselines, and signal records constitute continuous monitoring of the runtime environment. See [Security Architecture](/concepts/concepts/security-architecture.md).                |
| `DE.AE-02` | Potentially adverse events are analyzed to better understand associated activities                                                                                      | `Supports`     | Console Zero Trust Enforcement → Signals; Agent log (raw events); Support bundle                                                                            | Signal records, agent logs, and support bundles supply the source material for adverse event analysis. Customer responsible for the analyst workflow, triage process, and decision criteria.                                                                                             |
| `DE.AE-03` | Information is correlated from multiple sources                                                                                                                         | `Supports`     | Console Zero Trust Enforcement → Signals; Console Audit pillar; Console Baselines                                                                           | Console surfaces correlate authentication events, drift events, SUDO execution audit, and behavioral signals per server and per identity. Customer responsible for cross-source correlation with non-LinuxGuard telemetry (network logs, application logs, identity provider logs).      |
| `DE.AE-06` | Information on adverse events is provided to authorized staff and tools                                                                                                 | `Supports`     | Console Notifications; Console Compliance Expansion → Reports                                                                                               | Console notifications and reports route adverse-event information to operators. Customer responsible for the notification routing configuration, on-call rotation, and integration with the broader operations stack.                                                                    |
| `RS.MA-01` | The incident response plan is executed in coordination with relevant third parties once an incident is declared                                                         | `Supports`     | Agent log (raw events); Console Zero Trust Enforcement → Signals; Support bundle                                                                            | LinuxGuard supplies telemetry-driven evidence supporting incident response plan execution. Customer responsible for the incident response plan, declaration criteria, and coordination with third parties.                                                                               |
| `RS.MA-03` | Incidents are categorized and prioritized                                                                                                                               | `Supports`     | Console Zero Trust Enforcement → Signals (severity); Console Notifications                                                                                  | Signal severity tagging informs the customer's categorization and prioritization workflow. Customer responsible for the incident categorization scheme and prioritization criteria.                                                                                                      |
| `RS.AN-03` | Analysis is performed to establish what has taken place during an incident and the root cause of the incident                                                           | `Supports`     | Agent log (raw events); Console Zero Trust Enforcement → Signals; Console Audit pillar → SUDO execution audit; Support bundle                               | Agent logs, signal timelines, SUDO execution audit, and support bundles provide forensic source material. Customer responsible for the analyst workflow, root cause analysis, and incident reconstruction narrative.                                                                     |
| `RS.AN-06` | Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved                                                         | `Supports`     | Console Compliance Expansion → History annotations; Support bundle BUNDLE-MANIFEST.json with SHA-256 verification                                           | Compliance history annotations and bundle manifest integrity verification support investigation recordkeeping. Customer responsible for the investigation workflow, case management, and chain of custody.                                                                               |
| `RC.RP-01` | The recovery portion of the incident response plan is executed once initiated from the incident response process                                                        | `Out of scope` | n/a                                                                                                                                                         | Recovery plan execution is a customer process not addressed by LinuxGuard. LinuxGuard is a security monitoring agent, not a recovery or restoration product.                                                                                                                             |
| `RC.CO-03` | Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders                                | `Out of scope` | n/a                                                                                                                                                         | Recovery communications are an organizational responsibility not addressed by LinuxGuard.                                                                                                                                                                                                |

> **Important**: Every Satisfies claim cites a specific agent feature and a specific evidence pointer. Every Supports claim states what the customer must implement to achieve full satisfaction. Every Out-of-scope row carries a one-line note explaining why — silence is interpreted as an implicit Satisfies claim.

## Function-level coverage summary

CSF 2.0 organizes subcategories under six functions. The summary below restates which functions LinuxGuard addresses materially and which are left to the customer's broader program.

| Function      | LinuxGuard coverage                                                                                                                                                  |
| ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| GOVERN (GV)   | Out of scope — governance, risk strategy, roles, policy, and oversight are organizational responsibilities.                                                          |
| IDENTIFY (ID) | Partial Supports — asset inventory (ID.AM) at the per-host level only; broader IDENTIFY subcategories (risk assessment, supply chain) are out of scope.              |
| PROTECT (PR)  | Partial — configuration management (PR.PS-01) and log generation (PR.PS-04) are Satisfies; identity management (PR.AA) and data security (PR.DS) are Supports.       |
| DETECT (DE)   | Substantial — personnel and technology monitoring (DE.CM-03) and runtime environment monitoring (DE.CM-09) are Satisfies; event analysis subcategories are Supports. |
| RESPOND (RS)  | Supports across incident management (RS.MA) and incident analysis (RS.AN); response execution remains customer-side.                                                 |
| RECOVER (RC)  | Out of scope — recovery planning, execution, and communications are customer-side.                                                                                   |

The function-level summary is descriptive; the per-subcategory mapping table above is the authoritative content.

## How to share with an auditor

Three export paths are available, depending on the auditor's evidence preference:

* **Console Compliance Expansion reports.** Console pillar → Compliance Expansion → Reports produces dated, signed, auditor-shareable evidence packages (PDF / CSV / JSON) per [Compliance Expansion](/concepts/concepts/console/compliance-expansion.md#reports). Each report includes the framework version (NIST CSF 2.0), last-verified date, per-subcategory coverage, per-server pass / fail breakdown, suppressions in effect, and a manifest with SHA-256 verification.
* **Support bundles for host-level evidence.** `support-bundle collect` on each host produces a tar.zst archive with agent logs, redacted configuration, and a bundle manifest — see [Support Bundles](/operate/operate/support-bundles.md). Bundles are useful when the auditor wants raw host-level telemetry rather than a console-rendered report.
* **Console CSV / JSON export per subcategory.** Compliance Expansion → NIST CSF 2.0 → subcategory detail → Evidence tab exports per-subcategory evidence in machine-readable form for auditors who want to ingest evidence into their own GRC tooling.

> **Security Note**: Support bundles include the raw `agent.log` and rotated segments. Attribute-key redaction (api\_key / \*\_token / \*\_secret) is applied; PII (hostnames, IPs, usernames, paths, command args) is NOT additionally redacted. Review every evidence package before sharing externally. See [Support Bundles](/operate/operate/support-bundles.md) for the per-file redaction status table.
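The support bundle path above and the `RS.AN-06` row both rest on the bundle manifest's SHA-256 verification: an auditor (or the operator reviewing a package before it leaves the organization) needs to confirm that every file is the one recorded at collection time and that nothing was added or altered afterwards. The script below is an added illustration of that check, not LinuxGuard's own tooling; it assumes a manifest layout (a JSON object whose `files` member maps a bundle-relative path to a SHA-256 hex digest) that this page does not specify, and it builds a constructed bundle in a temporary directory so it runs offline.

```python
"""Verify a support bundle against its manifest before sharing it.

Added illustration, not LinuxGuard's own tooling. ASSUMPTION: the manifest is a
JSON object whose "files" member maps a bundle-relative path to a lowercase
SHA-256 hex digest. The real BUNDLE-MANIFEST.json layout is documented on the
Support Bundles page, not here.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "BUNDLE-MANIFEST.json"  # file name as cited in the mapping table


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large rotated logs do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_bundle(bundle_dir: Path) -> dict:
    """Return {"ok", "mismatched", "missing", "unlisted"} for an unpacked bundle.

    The bundle passes only when every listed file exists with the recorded digest
    and no file is present that the manifest does not account for. Files added
    after collection would otherwise ride along unnoticed into the evidence package.
    """
    manifest = json.loads((bundle_dir / MANIFEST_NAME).read_text())
    expected = manifest["files"]
    mismatched, missing = [], []
    for rel, digest in sorted(expected.items()):
        p = bundle_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest.lower():
            mismatched.append(rel)
    present = {
        str(p.relative_to(bundle_dir)).replace(os.sep, "/")
        for p in bundle_dir.rglob("*")
        if p.is_file()
    } - {MANIFEST_NAME}
    unlisted = sorted(present - set(expected))
    return {
        "ok": not (mismatched or missing or unlisted),
        "mismatched": mismatched,
        "missing": missing,
        "unlisted": unlisted,
    }


def build_demo_bundle(root: Path) -> Path:
    """Write a constructed bundle with sample content (not real agent output)."""
    bundle = root / "bundle"
    (bundle / "logs").mkdir(parents=True)
    files = {
        # constructed log line; attribute names mirror the ones the mapping table cites
        "logs/agent.log": b'{"ts":"2026-05-31T10:00:00Z","auth.event":"login","loginUID":1000}\n',
        "config.redacted.yaml": b"api_key: <redacted>\n",
    }
    for rel, data in files.items():
        (bundle / rel).write_bytes(data)
    manifest = {"files": {rel: sha256_file(bundle / rel) for rel in files}}
    (bundle / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return bundle


def demo() -> tuple:
    """Verify a pristine bundle, then the same bundle after post-collection changes."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = build_demo_bundle(Path(tmp))
        clean = verify_bundle(bundle)
        # simulate a log edited after collection and a stray file added to the package
        with (bundle / "logs/agent.log").open("ab") as fh:
            fh.write(b"line appended after collection\n")
        (bundle / "notes.txt").write_text("added after collection\n")
        tampered = verify_bundle(bundle)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched bundle:", clean)
    print("altered bundle:  ", tampered)
```

Run it against an unpacked bundle directory by calling `verify_bundle(Path("/path/to/unpacked/bundle"))`; a non-empty `mismatched`, `missing` or `unlisted` list means the package no longer matches what was collected and should not be shared as evidence until the discrepancy is explained. The check covers integrity only; the PII review the security note calls for is a separate, manual step over the same files.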

## Cross-references

* [**Audit & Comply**](/audit-and-comply/audit-comply.md) — vocabulary contract, framework version pin reference, forbidden-words list, scope statement template.
* [**Compliance Expansion**](/concepts/concepts/console/compliance-expansion.md) — console pillar; canonical Evidence Location pointer set.
* [**Audit**](/concepts/concepts/console/audit.md) — authorizations and SUDO execution audit feeding compliance evidence.
* [**Baselines**](/concepts/concepts/console/baselines.md) — configuration baselines and drift detection that PR.PS-01 satisfies.
* [**Support Bundles**](/operate/operate/support-bundles.md) — per-file redaction status table; pre-share PII warning.
* [**Log Management**](/operate/operate/log-management.md) — log retention and rotation relevant to PR.PS-04 audit log evidence.
* [**Glossary**](/reference/reference/glossary.md) — framework acronyms and compliance vocabulary definitions.

***

*Last reviewed: 2026-05-31 against NIST CSF 2.0 published 2024-02-26.*

