I get why it exists, but it turns companies into box-checking machines. I haven't read this new version so my skepticism may be unwarranted, but hackers are not going to refrain from attacking because that'd go against NIST. A lot of the things that are best practice in the industry as a result of adapting to newer attacker techniques and capabilities are not covered by NIST. The problem then is anyone working on those countermeasures is working on stuff that has no value to execs who just want to know how compliant you are with NIST.

The CSF, like ATT&CK, is just a tool; it can be abused or used properly, and if you are a small company with no idea where to start with security or how to measure your posture it's a good tool. But as a measuring stick of checkboxes, I can't say I'm a big fan.
GRC nonsense like this is really the cornerstone of cybersecurity. It seems like dumb box-checking, but these domains are the tools that we use to define, measure and, most importantly, sell security to management / main IT / users. The technical side is more sexy, but then you discover that whack-a-moling the hot sploit of the week didn't really build your posture beyond the low-hanging fruit.