# NIST Cybersecurity Framework (CSF) 2.0
Definition
The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology that gives organizations a structured approach to managing cybersecurity risk. Version 1.0 was published in February 2014 in response to Executive Order 13636 (2013), which directed NIST to develop a framework for reducing cyber risk to critical infrastructure. CSF was updated to version 2.0 in February 2024 with expanded scope, a new Govern function, and broader applicability beyond critical infrastructure to all organizations regardless of size, sector, or maturity.
CSF 2.0 organizes cybersecurity activities into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each function contains categories and subcategories that describe specific cybersecurity outcomes. The framework does not prescribe specific controls or technologies. It provides a taxonomy of outcomes that organizations can use to assess their current state, define a target state, and prioritize improvements.
CSF is among the most widely adopted cybersecurity frameworks in the United States and is increasingly influential internationally. Its voluntary nature, technology-neutral language, and flexible structure make it applicable to organizations of any size, sector, or maturity level. Federal agencies are required to use CSF under Executive Order 13800 (2017). Many state governments, healthcare organizations, financial institutions, and defense contractors use CSF as their primary cybersecurity framework or as a complement to sector-specific requirements (HIPAA, PCI DSS, CMMC).
How It Works
The Six Core Functions
CSF 2.0 organizes all cybersecurity activities into six functions. Each function represents a high-level outcome that a cybersecurity program must achieve.
Govern (GV). New in CSF 2.0. Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy. Govern is the strategic function: it defines the organizational context, risk management strategy, roles and responsibilities, cybersecurity supply chain risk management, and oversight mechanisms. Govern applies across all other functions.
Identify (ID). Understand the organization's current cybersecurity posture. Asset management, risk assessment, and improvement (identifying and prioritizing opportunities to improve the program). In CSF 2.0, understanding the business environment moved out of Identify and into Govern (Organizational Context). Identify answers: what do we have, what are we trying to protect, and where are we vulnerable?
Protect (PR). Implement safeguards to manage cybersecurity risk. Identity management and access control, awareness and training, data security, platform security (hardware, software, services), and technology infrastructure resilience. Protect answers: what controls do we have in place to prevent or limit the impact of a cybersecurity event?
Detect (DE). Discover cybersecurity events in a timely manner. Continuous monitoring and adverse event analysis. Detect answers: can we see when something goes wrong?
Respond (RS). Take action regarding a detected cybersecurity incident. Incident management, incident analysis, incident response reporting and communication, and incident mitigation. Respond answers: what do we do when something goes wrong?
Recover (RC). Restore capabilities or services impaired by a cybersecurity incident. Incident recovery plan execution and incident recovery communication. In CSF 2.0, the lessons-learned improvements that follow an incident are an Identify (Improvement) outcome rather than a Recover one. Recover answers: how do we get back to normal?
Framework Tiers
CSF defines four tiers (called Implementation Tiers in 1.1 and CSF Tiers in 2.0) that describe the rigor of an organization's cybersecurity risk governance and risk management practices:
Tier 1: Partial. Cybersecurity risk management is ad hoc and reactive. Limited awareness of cybersecurity risk at the organizational level. No formalized risk management processes.
Tier 2: Risk Informed. Risk management practices are approved by management but may not be established as organization-wide policy. Awareness of cybersecurity risk exists but the organization-wide approach is inconsistent.
Tier 3: Repeatable. Risk management practices are formally approved and expressed as policy. Consistent, organization-wide approach to cybersecurity. Regular updates based on changing risk landscape.
Tier 4: Adaptive. The organization adapts cybersecurity practices based on lessons learned and predictive indicators. Continuous improvement is integrated into organizational culture. Real-time or near-real-time risk management.
Tiers are not maturity levels. They describe how integrated cybersecurity risk management is within the organization's broader operations, and they are applied to the organization's Profile as a whole rather than to individual categories. Tier 4 is not the goal for every organization. The appropriate tier depends on the organization's risk environment, regulatory requirements, and business objectives, and reaching a higher tier is only worthwhile when it reduces risk enough to justify the cost.
Framework Profiles
A CSF Profile (an Organizational Profile in 2.0 terminology) records how the framework's functions, categories, and subcategories align with the organization's business requirements, risk tolerance, and resources. Organizations typically create two:
Current Profile. The cybersecurity outcomes currently being achieved. This is the "as-is" state.
Target Profile. The cybersecurity outcomes desired. This is the "to-be" state, informed by business objectives, regulatory requirements, and risk tolerance.
The gap between the Current Profile and the Target Profile, weighed against business priority and available resources, produces a prioritized action plan. The action plan is the operational output of a CSF assessment: a ranked list of improvements that move the organization from its current state toward its target state. A gap with no owner, budget, and completion date is a finding, not a plan.
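The gap analysis described above is easy to get wrong in a spreadsheet: outcomes get ranked by raw gap size rather than by gap weighted by business priority, and a "Tier 4 everywhere" target slips through unchallenged. The following Python script is an added example, not code from NIST or from the original page. It assumes a 0 to 4 achievement score per subcategory (NIST does not prescribe a scoring scale; this one is an assumption) and a per-outcome weight set by the risk owner. The subcategory identifiers are real CSF 2.0 identifiers, but the scores and weights are constructed sample data.

```python
"""Current vs. Target CSF 2.0 Profile gap analysis producing a ranked action plan.

Added example; scoring scale (0-4) and weights are assumptions, not NIST guidance.
"""
from dataclasses import dataclass
from collections import defaultdict

# Assumed achievement scale for a single subcategory outcome (not a CSF Tier).
SCORE_LABELS = {0: "not performed", 1: "ad hoc", 2: "defined",
                3: "implemented", 4: "measured and improved"}
MAX_SCORE = max(SCORE_LABELS)


@dataclass(frozen=True)
class Outcome:
    sub_id: str     # CSF 2.0 subcategory identifier, e.g. "PR.AA-01"
    current: int    # Current Profile score (0-4)
    target: int     # Target Profile score (0-4)
    weight: float   # business priority set by the risk owner; 1.0 = baseline


def function_of(sub_id: str) -> str:
    """Return the CSF function prefix ("GV", "ID", ...) of a subcategory id."""
    return sub_id.split(".", 1)[0]


def validate(outcomes: list[Outcome]) -> None:
    """Reject malformed scores and duplicated subcategory identifiers."""
    seen = set()
    for o in outcomes:
        if not (0 <= o.current <= MAX_SCORE and 0 <= o.target <= MAX_SCORE):
            raise ValueError(f"{o.sub_id}: scores must be in 0..{MAX_SCORE}")
        if o.weight <= 0:
            raise ValueError(f"{o.sub_id}: weight must be positive")
        if o.sub_id in seen:
            raise ValueError(f"{o.sub_id}: duplicate subcategory")
        seen.add(o.sub_id)


def gap_plan(outcomes: list[Outcome]) -> list[dict]:
    """Rank outcomes by weighted gap (gap * weight), highest first.

    Outcomes already at or above target are omitted: a Target below Current
    is a deliberate de-prioritisation, not a remediation item.
    """
    validate(outcomes)
    items = []
    for o in outcomes:
        gap = max(0, o.target - o.current)
        if gap == 0:
            continue
        items.append({
            "id": o.sub_id,
            "function": function_of(o.sub_id),
            "gap": gap,
            "priority": gap * o.weight,
            "from": SCORE_LABELS[o.current],
            "to": SCORE_LABELS[o.target],
        })
    # Stable, deterministic ordering: priority descending, then id ascending.
    items.sort(key=lambda i: (-i["priority"], i["id"]))
    return items


def function_summary(outcomes: list[Outcome]) -> dict[str, tuple[float, float]]:
    """Mean (current, target) score per CSF function: the board-level view."""
    cur, tgt = defaultdict(list), defaultdict(list)
    for o in outcomes:
        cur[function_of(o.sub_id)].append(o.current)
        tgt[function_of(o.sub_id)].append(o.target)
    return {f: (sum(cur[f]) / len(cur[f]), sum(tgt[f]) / len(tgt[f])) for f in cur}


def target_sanity_warnings(outcomes: list[Outcome]) -> list[str]:
    """Flag a Target Profile that asks for the maximum score everywhere.

    Such a target usually means the risk tolerance was never discussed.
    """
    if outcomes and all(o.target == MAX_SCORE for o in outcomes):
        return ["every outcome targets the maximum score; revisit risk tolerance"]
    return []


# Constructed sample profile (identifiers are real CSF 2.0 subcategories,
# scores and weights are invented for illustration).
SAMPLE_PROFILE = [
    Outcome("GV.OC-01", current=2, target=3, weight=1.0),
    Outcome("GV.SC-01", current=1, target=3, weight=2.0),
    Outcome("ID.AM-01", current=3, target=3, weight=1.0),
    Outcome("PR.AA-01", current=2, target=4, weight=1.5),
    Outcome("DE.CM-01", current=1, target=3, weight=1.5),
    Outcome("RS.MA-01", current=2, target=3, weight=1.0),
    Outcome("RC.RP-01", current=1, target=3, weight=1.0),
]

if __name__ == "__main__":
    for w in target_sanity_warnings(SAMPLE_PROFILE):
        print("WARNING:", w)
    for rank, item in enumerate(gap_plan(SAMPLE_PROFILE), 1):
        print(f"{rank}. {item['id']} ({item['function']}) "
              f"{item['from']} -> {item['to']} priority={item['priority']}")
    for fn, (c, t) in function_summary(SAMPLE_PROFILE).items():
        print(f"{fn}: current {c:.1f} / target {t:.1f}")
```

Two design choices matter here. Ranking uses gap multiplied by weight, so a two-step gap on a low-priority outcome does not outrank a one-step gap on a critical one, and ties break on identifier so two analysts running the same data get the same list. The `function_summary` output is the radar-chart view mentioned later in this article; the ranked list is what actually drives work.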
What Changed in 2.0
CSF 2.0 introduced several significant changes from version 1.1:
Govern function added. The most significant structural change. CSF 1.1 had five functions (Identify, Protect, Detect, Respond, Recover). CSF 2.0 adds Govern as the overarching function that provides strategic context for all others. This reflects the growing recognition that cybersecurity is a governance issue, not just a technical one.
Expanded scope. CSF 1.1 was explicitly targeted at critical infrastructure. CSF 2.0 applies to all organizations regardless of sector, size, or cybersecurity maturity. The language and examples are broadened to be universally applicable.
Supply chain risk management elevated. Supply chain cybersecurity, previously a category under Identify (ID.SC in 1.1), is now a category under Govern (GV.SC), placing it alongside policy, oversight, and risk strategy rather than alongside inventory and risk assessment. The change reflects the prominence that supply chain compromises such as SolarWinds, Log4Shell, and MOVEit gained while 2.0 was being drafted.
Improved guidance. CSF 2.0 ships with expanded implementation guidance, Quick Start Guides for particular audiences and topics (for example, small business, creating Organizational Profiles, and supply chain risk management), and a searchable online reference tool that links each subcategory to informative references (NIST SP 800-53, CIS Controls, ISO/IEC 27001 mappings, among others).
Why It Matters
Universal Applicability
CSF is the closest thing to a universal cybersecurity standard in the United States. Unlike sector-specific frameworks (HIPAA for healthcare, PCI DSS for payment cards, CMMC for defense contractors), CSF applies to any organization. This makes it the natural starting point for organizations that need to build a cybersecurity program from scratch, align multiple existing programs under a common framework, or communicate cybersecurity posture to a diverse set of stakeholders (boards, regulators, customers, partners).
Common Language
CSF provides a common language for discussing cybersecurity across technical, management, and executive audiences. When a CISO reports to the board using CSF functions ("our Detect capability is mature, but our Recover capability needs investment"), the board understands the structure without requiring technical expertise. When two organizations assess each other's cybersecurity posture (for M&A, partnership, or vendor risk), CSF provides a common assessment framework.
Regulatory Alignment
CSF outcomes map to most sector-specific frameworks. NIST publishes informative references from CSF subcategories to NIST SP 800-53, CIS Controls, and ISO/IEC 27001, and sector bodies publish crosswalks to their own requirements (HHS, for example, maintains a HIPAA Security Rule crosswalk). An organization that maps its controls to CSF outcomes once can therefore reuse that mapping as evidence for several compliance regimes, reducing duplicated control testing and audit preparation effort. The caveat is that a crosswalk establishes relevance, not equivalence: a CSF outcome rated "achieved" does not by itself satisfy a PCI DSS requirement with specific technical parameters.
Federal agencies are required to use CSF. Federal contractors are increasingly expected to demonstrate CSF alignment. Many state governments reference CSF in their cybersecurity regulations. Some cyber insurance providers reference CSF when assessing policyholder maturity.
Limitations
CSF is not a complete cybersecurity program. It is a framework for organizing one. CSF does not prescribe specific controls, technologies, or implementation approaches. It describes outcomes. An organization that achieves all CSF outcomes has a comprehensive cybersecurity program. But CSF does not tell the organization how to achieve those outcomes; that requires implementation guidance from complementary sources (NIST 800-53, CIS Controls, vendor documentation, or an operational partner like CDA).
CSF is also voluntary. Unlike HIPAA, PCI DSS, or CMMC, there is no regulatory enforcement mechanism for CSF compliance (except for federal agencies). Organizations can therefore adopt CSF at any level of rigor, including superficially. A CSF assessment that produces a radar chart for the board but does not drive operational improvement is a governance exercise that changes nothing.
CDA Perspective
CSF and the Planetary Defense Model answer different questions about the same subject. CSF organizes cybersecurity by function: what activities are you performing (Govern, Identify, Protect, Detect, Respond, Recover)? The PDM organizes cybersecurity by defense architecture: what are you defending (Data, Surfaces, Posture, Identity, Threats, Governance)?
The frameworks are complementary, not competing. CSF tells you what to do. The PDM tells you where to do it.
The mapping between CSF functions and PDM domains is not one-to-one (each CSF function touches multiple PDM domains, and each PDM domain is addressed by multiple CSF functions), but the structural alignment is clear:
| CSF Function | Primary PDM Domains | Relationship |
|--------------|---------------------|--------------|
| Govern (GV) | RGA | Govern is the CSF function most directly aligned with RGA. Risk management strategy, organizational context, policy, oversight, and supply chain governance are all RGA operations. |
| Identify (ID) | RGA, DPS, VSD | Asset management and risk assessment (RGA), data inventory (DPS), and attack surface discovery (VSD). |
| Protect (PR) | DPS, SPH, IAT, VSD | Data security (DPS), platform security and configuration (SPH), identity management and access control (IAT), technology infrastructure resilience (VSD). |
| Detect (DE) | TID | Detection and monitoring are TID's core function. |
| Respond (RS) | TID (lead), all domains | TID leads response. DPS assesses data impact. IAT manages credential response. VSD identifies the entry vector. SPH assesses system integrity. RGA manages regulatory notification. |
| Recover (RC) | DPS, SPH, RGA | Data restoration (DPS), system recovery (SPH), recovery governance and communication (RGA). |
CDA uses CSF as one of several reference frameworks that clients may be measured against, but the PDM is the operational architecture that organizes how CDA executes the work. A client who needs CSF alignment receives a CSF Profile assessment (RGA-R01: Compliance Landscape Mapping identifies the CSF outcomes in scope and scores the Current Profile against them). The remediation work is then organized by PDM domain: DPS missions for data protection gaps, VSD missions for vulnerability management gaps, SPH missions for configuration and hygiene gaps, IAT missions for identity and access gaps, TID missions for detection and response gaps, and RGA missions for governance and compliance gaps.
The advantage of this approach: the PDM's domain structure prevents the common failure mode of CSF implementation where organizations address CSF functions in silos (one team for Protect, another for Detect, another for Recover) without recognizing the cross-domain dependencies. A CSF Detect improvement (deploying a new SIEM) requires SPH cooperation (connecting log sources), IAT cooperation (identity telemetry), VSD context (vulnerability intelligence), DPS awareness (data classification for alert prioritization), and RGA authorization (budget and policy). The PDM maps these dependencies explicitly. CSF alone does not.
Three TOP missions connect directly to CSF implementation:
- RGA-R01 (Compliance Landscape Mapping): Identify the CSF outcomes applicable to the organization and assess the Current Profile against them. 16 estimated hours.
- RGA-B02 (Compliance Program Build): Build the compliance program infrastructure to achieve the Target Profile. 60 estimated hours (the highest-hour RGA mission because it includes policy development, control mapping, and evidence collection processes).
- RGA-H01 (Multi-Framework Compliance Alignment): Map the organization's controls to CSF outcomes and to the other applicable frameworks (ISO 27001, SOC 2, HIPAA, PCI DSS, CMMC) so that one control and one piece of evidence satisfy several requirements, eliminating duplication. 24 estimated hours.
Key Takeaways
- NIST CSF 2.0 is among the most widely adopted cybersecurity frameworks in the United States, organizing cybersecurity into six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
- CSF 2.0 added the Govern function, expanded scope to all organizations (not just critical infrastructure), and elevated supply chain risk management.
- CSF describes outcomes, not implementations. It tells you what to achieve, not how to achieve it. Complementary implementation guidance (NIST 800-53, CIS Controls, PDM) is required.
- CSF and the PDM are complementary: CSF organizes by function (what activities), the PDM organizes by defense architecture (what you defend). Together they answer both questions.
- CDA uses CSF as a reference framework for client assessments but organizes operational work through the PDM's domain structure, which maps cross-domain dependencies that CSF alone does not capture.
Sources
- National Institute of Standards and Technology (NIST). "The NIST Cybersecurity Framework (CSF) 2.0." U.S. Department of Commerce, February 2024.
- National Institute of Standards and Technology (NIST). "NIST CSF 2.0 Quick Start Guide: Small Business." NIST, 2024.
- Executive Order 13636. "Improving Critical Infrastructure Cybersecurity." The White House, February 2013.
- Executive Order 13800. "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure." The White House, May 2017.
- National Institute of Standards and Technology (NIST). "CSF 1.1 to CSF 2.0 Crosswalk." NIST, February 2024.