Skip to main content
> NIST CSF

NIST Cybersecurity Framework

A risk-based approach to managing cybersecurity across any organization

Established: 2014 (Version 2.0 released 2024) Last Updated: February 2024 (Version 2.0) Scope: United States (widely adopted globally)
6
Core Functions

What is the NIST Cybersecurity Framework?

The [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) is a voluntary, risk-based set of guidelines that any organization can use to manage cybersecurity risk. NIST (the National Institute of Standards and Technology) released version 2.0 in February 2024, adding a sixth core function, Govern, to the original five: Identify, Protect, Detect, Respond, and Recover. The framework does not prescribe specific controls; it describes outcomes and lets you choose how to achieve them. That flexibility is what makes it widely adopted across sectors and sizes, from small businesses to federal agencies. It also maps to other frameworks, including ISO 27001, HIPAA, and PCI-DSS, making it a useful starting point when your organization faces multiple compliance requirements.

// What is NIST CSF?

The NIST Cybersecurity Framework provides a flexible, risk-based approach to cybersecurity that organizations of any size or sector can adopt. Originally developed for critical infrastructure, CSF has become the de facto standard for security program development across industries.

Version 2.0, released in February 2024, adds Govern as a sixth core function, emphasizing cybersecurity governance and supply chain risk management. The framework doesn't prescribe specific controls but provides a common language for understanding, managing, and expressing cybersecurity risk.

NIST CSF's broad adoption makes it particularly valuable for organizations navigating multiple compliance requirements, as it maps to numerous other frameworks including ISO 27001, HIPAA, and PCI-DSS.

// Inside the Regulation

NIST CSF 2.0 organizes cybersecurity activities into six core Functions, each containing Categories and Subcategories defining specific outcomes. Organizations implement controls achieving these outcomes based on their risk profile and Implementation Tier.

1

Govern (GV)

New in version 2.0, this function establishes cybersecurity as an enterprise risk managed at the highest organizational levels.

Organizational Context

Understanding the organization's mission, stakeholder expectations, and dependencies informing cybersecurity risk decisions.

Risk Management Strategy

Establishing risk tolerance, priorities, and the organization's approach to managing cybersecurity risk.

Cybersecurity Supply Chain Risk Management

Processes for identifying, assessing, and managing supply chain risks across the organization.

Roles and Responsibilities

Establishing accountability for cybersecurity across the organization including workforce and third parties.

2

Identify (ID)

Develop organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Asset Management

Identify and manage hardware, software, data, and systems enabling the organization to achieve business objectives.

Risk Assessment

Understand cybersecurity risks to operations, assets, and individuals through threat and vulnerability identification.

Improvement

Identify improvements to organizational cybersecurity through evaluation of current practices.

3

Protect (PR)

Develop and implement appropriate safeguards to ensure delivery of critical services.

Identity Management and Access Control

Limit access to assets and capabilities to authorized users, processes, and devices.

Awareness and Training

Educate personnel to perform their cybersecurity duties consistent with policies and procedures.

Data Security

Manage data consistent with risk strategy including confidentiality, integrity, and availability protections.

Platform Security

Protect hardware, software, and services through technical security mechanisms.

Technology Infrastructure Resilience

Manage security architectures to protect asset confidentiality, integrity, and availability.

4

Detect (DE)

Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

Continuous Monitoring

Monitor assets to identify cybersecurity events and verify protective measure effectiveness.

Adverse Event Analysis

Analyze anomalies and events to understand attack targets and methods.

5

Respond (RS)

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

Incident Management

Processes ensuring response to detected cybersecurity incidents including triage, containment, and eradication.

Incident Analysis

Analysis conducted to understand the scope and impact of detected incidents.

Incident Response Reporting and Communication

Coordination and communication activities with internal and external stakeholders during incidents.

Incident Mitigation

Activities to prevent expansion of an incident and resolve it.

6

Recover (RC)

Develop and implement appropriate activities to maintain resilience and restore capabilities impaired by a cybersecurity incident.

Incident Recovery Plan Execution

Restore systems and assets affected by cybersecurity incidents to normal operation.

Incident Recovery Communication

Coordinate restoration activities with internal and external stakeholders.

Note: NIST CSF uses Implementation Tiers (1-4) to characterize organizational approaches to cybersecurity risk management, from Partial (Tier 1) to Adaptive (Tier 4). Organizations develop Framework Profiles describing their current state and target state, using the gap to prioritize improvements.

// Who Must Comply

  • 1 Federal contractors and suppliers (often required)
  • 2 Critical infrastructure operators (energy, healthcare, financial services, transportation)
  • 3 Organizations seeking structured security program development
  • 4 Companies pursuing cyber insurance (commonly referenced in applications)
  • 5 Any organization wanting a recognized framework for security program maturity

// Key Requirements

Risk Assessment

Identify and assess cybersecurity risks to operations, assets, and individuals

Asset Management

Maintain inventories of hardware, software, data, and systems supporting business objectives

Protective Controls

Implement safeguards including access control, awareness training, and data security

Detection Capabilities

Deploy monitoring and detection mechanisms to identify cybersecurity events

Incident Response

Establish and test procedures for responding to and recovering from incidents

Continuous Improvement

Evaluate and improve security practices based on lessons learned and changing threats

// Enforcement & Penalties

NIST CSF itself is voluntary with no direct enforcement mechanism. However, federal contracts increasingly require CSF alignment, and failure to implement appropriate cybersecurity may trigger liability under other regulations or contractual obligations.

Maximum Penalty

No direct regulatory fines (voluntary framework)

Examples:

  • Loss of federal contract eligibility for non-aligned organizations
  • Increased liability exposure if breach occurs without reasonable security practices
  • Difficulty obtaining or maintaining cyber insurance coverage
  • Customer requirements making CSF alignment a business necessity

// Cyber Insurance Impact

Cyber insurers frequently reference NIST CSF in applications and underwriting. Demonstrating alignment with CSF functions (particularly around risk assessment, detection, and incident response) can improve coverage terms. Insurers view CSF adoption as evidence of mature risk management practices, potentially reducing premiums and improving policy limits.

// Common Questions

What are the six NIST CSF 2.0 functions?

NIST CSF 2.0 organizes cybersecurity activities into six Functions. Govern establishes the strategy, policies, and accountability structures for managing cybersecurity risk. Identify covers understanding your assets, risks, and environment. Protect focuses on safeguards to limit the impact of potential incidents. Detect addresses finding cybersecurity events when they occur. Respond covers taking action after a detected incident. Recover addresses restoring operations after an incident. Govern is new in version 2.0; the other five appeared in the original 2014 release. See the full framework at nist.gov/cyberframework.

What changed in NIST CSF 2.0?

NIST released CSF 2.0 in February 2024 with three notable changes from version 1.1. First, Govern was added as a sixth Function, elevating cybersecurity risk management to a board-level concern alongside finance and operations. Second, scope broadened: the original framework targeted critical infrastructure, while 2.0 is explicitly designed for organizations of any size or sector. Third, supply chain risk management received expanded attention within the Govern function. The six Functions and the overall risk-based approach remain consistent with version 1.1.

Is the NIST Cybersecurity Framework mandatory?

For most organizations, no. NIST is not a regulatory body, and CSF adoption is voluntary. The exception is US federal government agencies, where Executive Order 13800 made the Framework mandatory. Federal contractors may face CSF requirements through agency-specific contracts or program requirements rather than a blanket rule. Many organizations adopt it voluntarily because it provides a common language for security discussions, maps to other frameworks, and satisfies questions from customers, insurers, and auditors who ask about your security program structure.

Who should use the NIST Cybersecurity Framework?

Any organization that wants a structured way to manage cybersecurity risk. NIST designed CSF 2.0 for organizations of all sizes and sectors, not just critical infrastructure or large enterprises. In practice, it is most commonly adopted by organizations that need a recognized baseline for their security program, are pursuing cyber insurance and need to demonstrate mature risk management, have federal contracts that reference NIST standards, or want a single framework that maps to multiple compliance requirements like HIPAA, PCI-DSS, and ISO 27001. A gap assessment against CSF is a common starting point for building or maturing a security program.

// Industries That Need NIST CSF

These industries commonly require NIST CSF compliance as part of their regulatory obligations.

Guide last reviewed: June 16, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873