NIST Cybersecurity Framework
Overview
The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the U.S. National Institute of Standards and Technology to help organizations understand, manage, and reduce cybersecurity risk. Version 1.0 was released in 2014 in response to an executive order on critical infrastructure, version 1.1 followed in 2018, and version 2.0 in 2024. It is widely adopted by critical infrastructure operators and enterprises across industries and countries, and is often used as the top-level structure into which more prescriptive control catalogs (NIST SP 800-53, ISO 27001 Annex A, CIS Controls) are mapped.
The framework provides a common language between technical teams and executive leadership: it describes outcomes ("what should be true"), not specific controls, so the same Function, Category, and Subcategory can be reported on regardless of which technology or control set delivers it.
Core Functions
The framework core (through version 1.1) is organized around five Functions, each identified by a two-letter code (ID, PR, DE, RS, RC):
| Function | Description |
|---|---|
| Identify | Understand the organizational context, assets, and cybersecurity risks |
| Protect | Implement safeguards to ensure critical services are delivered |
| Detect | Develop and implement activities to identify cybersecurity events |
| Respond | Take action regarding a detected cybersecurity incident |
| Recover | Restore capabilities affected by a cybersecurity incident |
Each Function is divided into Categories (e.g., ID.AM) and Subcategories (e.g., ID.AM-01), the Subcategories being the concrete outcomes an organization assesses itself against. Category names were revised between 1.1 and 2.0; the following examples use the 2.0 naming:
- Identify -> Asset Management (ID.AM): inventories of hardware, software, services, and data, plus the data flows between them
- Protect -> Identity Management, Authentication, and Access Control (PR.AA): identities, credentials, and authorization; Data Security (PR.DS): protection of data at rest, in transit, and in use
- Respond -> Incident Management (RS.MA): executing the response plan; Incident Analysis (RS.AN); Incident Response Reporting and Communication (RS.CO); Incident Mitigation (RS.MI)
- Recover -> Incident Recovery Plan Execution (RC.RP); Incident Recovery Communication (RC.CO)
Implementation Tiers
The framework defines four Implementation Tiers that characterize the rigor of an organization's cybersecurity risk governance and risk management practices:
- Tier 1: Partial — reactive, ad-hoc practices; risk management is not formalized and awareness is limited
- Tier 2: Risk Informed — management is aware of cybersecurity risk and approves practices, but they are not applied consistently organization-wide
- Tier 3: Repeatable — formal, approved policy; practices are consistently applied and regularly updated; leadership is engaged
- Tier 4: Adaptive — practices adapt to lessons learned and predictive indicators; continuous improvement is institutionalized and risk is managed as part of organizational culture
NIST is explicit that Tiers are not maturity levels and that Tier 4 is not a universal target: an organization selects the Tier whose rigor is justified by its risk, regulatory obligations, and budget, and uses that choice to inform its Target Profile.
Profiles
Organizations create Profiles that select the Subcategories (outcomes) relevant to them and record how well each is achieved:
- Current Profile — the outcomes the organization achieves today, and to what degree
- Target Profile — the outcomes it has decided it needs to achieve, chosen from its mission, threat environment, regulatory obligations, and selected Tier
- Gap Analysis — the difference between the two; each gap is prioritized by risk and cost, and the prioritized list becomes the remediation action plan
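A minimal gap analysis can be scripted once the Current and Target Profiles are recorded per Subcategory. The following is an added example, not code from NIST or from this page: the Subcategory identifiers are taken from the CSF 2.0 core (assumed correct; verify against the official core listing), while the 0..4 implementation-level scale, the criticality weights, and the sample scores are constructed for illustration, since NIST does not prescribe a scoring scheme.

```python
"""Profile gap analysis over a set of NIST CSF outcomes (added example).

Subcategory IDs follow CSF 2.0 naming (assumed; check the official core).
The level scale, criticality weights and sample scores are constructed.
"""
from dataclasses import dataclass

# Constructed implementation-level scale, loosely mirroring the four Tiers.
LEVELS = {0: "not implemented", 1: "partial", 2: "risk-informed",
          3: "repeatable", 4: "adaptive"}


@dataclass
class Outcome:
    subcategory: str      # e.g. "PR.AA-01"
    current: int          # Current Profile level, 0..4
    target: int           # Target Profile level, 0..4
    criticality: int = 1  # 1..3: weight of this outcome for the mission

    @property
    def gap(self) -> int:
        # Only shortfalls count; exceeding the target is not a gap.
        return max(0, self.target - self.current)

    @property
    def priority(self) -> int:
        # Larger gaps on more critical outcomes rank higher.
        return self.gap * self.criticality


def validate(outcomes):
    """Reject out-of-range scores before they silently skew the ranking."""
    for o in outcomes:
        if not (0 <= o.current <= 4 and 0 <= o.target <= 4):
            raise ValueError(f"{o.subcategory}: levels must be 0..4")
        if o.criticality not in (1, 2, 3):
            raise ValueError(f"{o.subcategory}: criticality must be 1..3")


def gap_analysis(outcomes):
    """Return outcomes with a gap, most urgent first (ties broken by ID)."""
    validate(outcomes)
    gaps = [o for o in outcomes if o.gap > 0]
    return sorted(gaps, key=lambda o: (-o.priority, -o.gap, o.subcategory))


def function_summary(outcomes):
    """Average gap per Function, keyed by the ID prefix (GV, ID, PR, ...)."""
    by_fn = {}
    for o in outcomes:
        by_fn.setdefault(o.subcategory.split(".")[0], []).append(o.gap)
    return {fn: sum(g) / len(g) for fn, g in by_fn.items()}


def render(outcomes):
    """Human-readable remediation list for the gap analysis."""
    rows = []
    for o in gap_analysis(outcomes):
        rows.append(f"{o.subcategory:9} {LEVELS[o.current]:>15} -> "
                    f"{LEVELS[o.target]:<12} gap={o.gap} priority={o.priority}")
    return "\n".join(rows)


# Constructed sample profile: (subcategory, current, target, criticality).
SAMPLE = [
    Outcome("GV.OC-01", 1, 3, 2),  # organizational context understood
    Outcome("ID.AM-01", 2, 3, 3),  # hardware inventory
    Outcome("ID.AM-02", 1, 3, 3),  # software inventory
    Outcome("PR.AA-01", 2, 4, 3),  # identities and credentials managed
    Outcome("PR.DS-01", 3, 3, 2),  # data at rest protected (no gap)
    Outcome("DE.CM-01", 0, 3, 2),  # network monitoring
    Outcome("RS.MA-01", 1, 3, 1),  # incident response plan executed
    Outcome("RC.RP-01", 2, 2, 1),  # recovery plan executed (no gap)
]

if __name__ == "__main__":
    print(render(SAMPLE))
    print(function_summary(SAMPLE))
```

On the sample data the monitoring gap (DE.CM-01, three levels short) ranks first, and the per-Function summary shows Detect as the weakest area, which is the kind of roll-up an executive dashboard built on the Framework typically reports.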
NIST CSF 2.0 (2024)
On 26 February 2024, NIST released CSF 2.0, the first major revision since 1.1. It broadens the stated scope from critical infrastructure to organizations of any size and sector, and adds a sixth Function:
- Govern (GV) — organizational context, risk management strategy, roles, responsibilities and authorities, policy, oversight, and cybersecurity supply chain risk management
Govern is positioned as cross-cutting, informing how the other five Functions are carried out. Its addition makes explicit that cybersecurity risk is an enterprise risk owned by executive leadership, not only by technical teams.
Relationship to Other Frameworks
- ISO 27001 — CSF Subcategories map to ISO 27001 Annex A controls (NIST publishes informative references); many organizations run both, using CSF for risk communication and ISO 27001 for certification
- CIS Controls — CSF describes the outcomes (the "what"); CIS Controls and their Safeguards are prescriptive (the "how"), and CIS publishes a mapping to CSF
- SOC 2 — the AICPA Trust Services Criteria cover similar ground to the CSF Functions, so a CSF profile can serve as evidence structure for a SOC 2 audit
- technologies/security-frameworks/iso-27001.md — ISO standard for information security management systems
References
- NIST CSF 2.0 — official framework documentation
- NIST SP 800-53 — Security and Privacy Controls for Information Systems and Organizations
- compliance — Compliance frameworks overview
- risk management — Risk management concepts