# NIST Cybersecurity Framework
The most widely adopted cybersecurity framework, providing six core functions for managing cybersecurity risk.
The NIST Cybersecurity Framework (CSF) is a structured, voluntary risk management framework published by the National Institute of Standards and Technology to give organizations a common language and systematic approach for managing cybersecurity risk. It exists because prior to its 2014 release, organizations across sectors had no shared vocabulary for communicating risk posture, prioritizing security investments, or benchmarking maturity against peers. The framework solves the coordination problem between executives, security practitioners, auditors, and regulators by mapping cybersecurity activities to measurable outcomes rather than prescribing specific technologies or vendors. CSF 2.0, released in February 2024, expanded the original five functions to six by adding Govern, acknowledging that cybersecurity is fundamentally a business risk management discipline, not a purely technical one.
---
The NIST Cybersecurity Framework is a voluntary guidance document developed under Executive Order 13636 and maintained by NIST under the authority of the Cybersecurity Enhancement Act of 2014. It is not a compliance mandate, a technical standard, or a certification program. Organizations are not audited against it by a regulating body in the way they are audited against HIPAA, PCI-DSS, or FedRAMP. This distinction matters because it defines how the framework should be used: as a risk management tool and communication instrument, not as a checklist to satisfy an external auditor.
CSF should be distinguished from NIST SP 800-53, which is a catalog of security and privacy controls primarily designed for federal information systems. CSF is framework-level guidance describing what outcomes an organization should achieve; SP 800-53 describes specific controls that can help achieve those outcomes. The two are complementary, not interchangeable. Similarly, CSF is not the same as the NIST Risk Management Framework (RMF), which is a seven-step process for authorizing federal systems to operate.
CSF 2.0 is designed to apply to any organization, regardless of sector, size, or current cybersecurity maturity. This universality is both its strength and its limitation. A 12-person law firm and a Fortune 100 manufacturer can both reference the same framework, but the depth of implementation will differ substantially. CSF does not prescribe how deep to go. That determination belongs to the organization based on its threat profile, regulatory obligations, and risk appetite.
---
CSF 2.0 organizes cybersecurity activity into six core functions. Each function contains categories, which are grouped outcomes, and subcategories, which are the most granular activity-level statements. As of CSF 2.0, there are 22 categories and 106 subcategories across the six functions.
Govern is the new addition in CSF 2.0. It covers the establishment and ongoing monitoring of cybersecurity risk management strategy, policy, roles, responsibilities, and organizational context. Practically, this means the organization must document its risk tolerance, assign accountability for cybersecurity decisions, and integrate cybersecurity considerations into enterprise risk management processes. Without Govern, the other five functions lack the organizational authority and context to be executed consistently. The Govern function addresses organizational cybersecurity strategy (GV.OC), cybersecurity supply chain risk management (GV.SC), cybersecurity roles and responsibilities (GV.RR), policy (GV.PO), cybersecurity oversight (GV.OV), and cybersecurity workforce (GV.WF).
Identify addresses understanding the organization's assets, data flows, suppliers, and current risk posture. This includes asset management, risk assessment, and supply chain risk management. A concrete example: a healthcare network conducting an Identify exercise would catalog every device that accesses electronic protected health information, map data flows between clinical systems and billing platforms, and assess which third-party vendors have privileged access. The output is a prioritized understanding of what matters most and where risk is highest. The categories under Identify include asset management (ID.AM), risk assessment (ID.RA), improvement (ID.IM), and inventory and device management (ID.IV).
Protect covers the safeguards deployed to prevent or reduce the impact of cybersecurity events. This includes access control, data security, platform security, and technology infrastructure resilience. In practice, a financial services firm applying the Protect function would implement multi-factor authentication for all remote access, enforce least-privilege access policies for privileged accounts, and configure endpoint detection tools to prevent execution of unsigned scripts. The Protect function spans identity management and access control (PR.AA), awareness and training (PR.AT), data security (PR.DS), platform security (PR.PS), and technology infrastructure resilience (PR.IR).
Detect addresses the capability to find and analyze cybersecurity events and anomalies. This requires continuous monitoring, log aggregation, and defined detection processes. A manufacturing company operating industrial control systems would instrument network traffic between IT and OT environments, set alert thresholds for anomalous communication between engineering workstations and programmable logic controllers, and route alerts to a security operations team with documented triage procedures. The function includes continuous monitoring (DE.CM) and adverse event analysis (DE.AE).
Respond covers the actions taken once an incident is confirmed. This includes incident management plans, communication procedures, analysis workflows, and containment strategies. A specific scenario: a mid-size retailer detects unauthorized access to its point-of-sale environment. Under a mature Respond capability, the security team has a pre-approved runbook that defines who is notified within the first hour (legal, executive leadership, IT), what systems are isolated and in what order, how forensic evidence is preserved, and when law enforcement engagement is triggered. The Respond function encompasses incident management (RS.MA), incident analysis (RS.AN), incident response reporting and communication (RS.CO), and incident mitigation (RS.MI).
Recover focuses on restoring affected systems and operations and incorporating lessons learned. This includes recovery planning, communications during recovery, and improvements to prevent recurrence. Recovery is frequently underfunded because organizations focus security investment on prevention and detection. CSF explicitly elevates recovery as a first-class function because the business impact of an incident is often determined more by recovery time than by initial breach scope. The function covers incident recovery plan execution (RC.RP), incident recovery communications (RC.CO), and incident recovery improvements (RC.IM).
Implementation Tiers provide a calibration mechanism. Tier 1 (Partial) describes ad hoc, reactive practices with no formal risk management process. Organizations at Tier 1 typically discover security issues through customer complaints or media coverage. Tier 2 (Risk Informed) describes awareness of risk but inconsistent application across business units. Tier 3 (Repeatable) describes formal, organization-wide policies with regular review cycles and documented procedures. Tier 4 (Adaptive) describes continuous improvement based on real-time threat intelligence and lessons learned. Tiers are not maturity scores. NIST explicitly states that higher tiers are not always better. Organizations should select the tier appropriate to their risk environment and operational constraints.
Profiles are a core implementation mechanism. A Current Profile documents the cybersecurity outcomes an organization is currently achieving, mapped against the CSF subcategories. A Target Profile documents the outcomes the organization aims to achieve based on its business requirements, risk tolerance, and resources. The gap between them becomes the basis for a prioritized action plan. This gap-analysis approach makes CSF practical for resource-constrained organizations because it forces explicit prioritization rather than demanding all outcomes be achieved simultaneously.
Organizations typically create sector-specific or organizational profiles that emphasize certain functions over others. For example, a financial services firm might heavily emphasize the Protect and Detect functions due to regulatory requirements, while a startup might focus primarily on Identify and Govern while building more sophisticated capabilities over time. NIST publishes sector-specific guidance and quick-start guides to help organizations develop appropriate profiles for their context.
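As an added illustration (not NIST's or CDA's own tooling) of the Current Profile versus Target Profile gap analysis described above: profiles are scored per CSF category ID on an assumed 0 to 4 scale, business-impact weights are assumed, the sample profiles are constructed, and an outcome in the Target Profile with no Current score is treated as not achieved so it cannot silently drop out of the plan.

```python
# Added example: CSF profile gap analysis over category IDs named on this page.
# The 0-4 score scale, the impact weights and the sample profiles are all assumed
# or constructed for illustration; none of them come from NIST or CDA.
from dataclasses import dataclass

SCALE_MAX = 4  # assumed scale: 0 = not addressed ... 4 = fully achieved and evidenced


@dataclass(frozen=True)
class GapItem:
    outcome: str      # CSF category ID, e.g. "PR.AA"
    current: int      # score in the Current Profile (0 if never assessed)
    target: int       # score in the Target Profile
    gap: int          # target - current, never negative
    priority: float   # gap weighted by business impact (consequence)


def gap_analysis(current: dict, target: dict, impact: dict) -> list:
    """Return the prioritised action plan: every outcome where the Target Profile
    exceeds the Current Profile, ordered by gap * impact, largest first.
    Outcomes present in Target but absent from Current are scored 0."""
    plan = []
    for outcome, want in target.items():
        if not 0 <= want <= SCALE_MAX:
            raise ValueError(f"{outcome}: target {want} outside 0..{SCALE_MAX}")
        have = current.get(outcome, 0)      # unassessed counts as not achieved
        gap = max(want - have, 0)
        if gap == 0:
            continue                        # already at or above target
        weight = impact.get(outcome, 1.0)   # assumed default weight of 1.0
        plan.append(GapItem(outcome, have, want, gap, gap * weight))
    # Sort by priority, then by outcome ID so the plan order is deterministic
    return sorted(plan, key=lambda g: (-g.priority, g.outcome))


# Constructed sample: an organisation that has invested in Protect but has weak
# Govern, Identify and Recover coverage, and has never assessed RC.RP at all.
CURRENT = {"GV.OC": 1, "ID.AM": 2, "PR.AA": 3, "DE.CM": 2, "RS.MA": 2}
TARGET = {"GV.OC": 3, "ID.AM": 4, "PR.AA": 3, "DE.CM": 3, "RS.MA": 3, "RC.RP": 3}
IMPACT = {"ID.AM": 3.0, "RC.RP": 3.0, "GV.OC": 2.0}  # assumed consequence weights

if __name__ == "__main__":
    for item in gap_analysis(CURRENT, TARGET, IMPACT):
        print(f"{item.outcome}: {item.current} -> {item.target} "
              f"(gap {item.gap}, priority {item.priority:.1f})")
```

The never-assessed RC.RP outcome lands at the top of the plan, which is the point of the gap approach: the largest risk is often an outcome nobody has looked at, not one that scored poorly.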
---
CSF is the most broadly adopted cybersecurity framework globally, referenced by governments, insurers, regulators, and procurement programs as a baseline expectation for organizational cybersecurity posture. Its adoption is not theoretical. Cyber insurance underwriters increasingly request CSF-aligned documentation during policy applications, specifically looking for evidence that organizations have implemented the Identify and Respond functions at Tier 2 or higher. Federal agencies reference CSF in procurement language when assessing contractor cybersecurity programs through mechanisms like CMMC 2.0 and NIST SP 800-171. State-level regulatory bodies in financial services and healthcare point to CSF outcomes as evidence of reasonable security practices when investigating data breaches.
The business case for CSF adoption rests on risk reduction, communication, and resource efficiency. Organizations that implement CSF with rigor demonstrate measurable improvements in incident detection time, recovery time, and security investment prioritization. A 2023 study by the Ponemon Institute found that organizations with mature CSF implementations detect breaches 127 days faster on average than those without structured frameworks. Those that skip the framework tend to make security decisions reactively and redundantly, purchasing tools without connecting them to defined outcomes.
The consequences of ignoring structured risk management are well documented. The 2017 NotPetya attack, which caused an estimated ten billion dollars in global damages, exploited organizations that had not identified their critical system dependencies (Identify function), had not implemented adequate network segmentation under the Protect function, and had no tested recovery plans (Recover function). Companies that had mapped their crown-jewel systems, segmented their networks, and rehearsed recovery procedures recovered meaningfully faster than those operating without that foundation. Maersk, one of NotPetya's most visible victims, required ten days to restore basic operations and weeks to fully recover, largely because they had not implemented the Identify and Recover functions comprehensively.
A persistent misconception about CSF is that completing a framework assessment means the organization is secure. CSF documents outcomes and identifies gaps. It does not close those gaps automatically. Organizations that treat a CSF assessment as an end state rather than a starting point derive little benefit from the exercise. A second misconception is that CSF is only for large enterprises. NIST specifically publishes a Small Business Quick-Start Guide for CSF 2.0 because the framework's principles apply at every scale. A small organization may implement fewer subcategories at lower depth, but the core discipline of identifying assets, protecting critical systems, and planning for recovery is scale-independent.
---
CDA approaches the NIST Cybersecurity Framework through the Planetary Defense Model (PDM), primarily within the Risk Governance and Assurance (RGA) domain. The foundational principle governing this approach is Perpetual Compliance Assurance (PCA): compliance is not an event. It is a state. This distinction separates organizations that genuinely reduce risk from those that perform compliance theater at audit intervals.
Under the PCA methodology, CSF is not a document exercise completed annually and filed. It is an operational instrument that must reflect the organization's actual risk posture in real time. CDA implements this through continuous profile maintenance: the Current Profile is not a static snapshot but a living document updated as assets are added, vendors are onboarded, and threat intelligence evolves. The Target Profile is reviewed quarterly, not just when a regulatory deadline approaches, ensuring it remains aligned with business strategy and threat landscape changes.
In practice, CDA engagements applying CSF within the RGA domain begin with a scoping exercise that maps the client's regulatory obligations, contractual requirements, and threat model to the CSF subcategory set. Not all 106 subcategories carry equal weight for every organization. A healthcare network faces different risk concentrations than a defense contractor or a regional utility. CDA prioritizes subcategories based on consequence, not category order, identifying which gaps create the greatest business risk first.
CDA also connects CSF functions to the other PDM domains. The Security Program Health (SPH) domain uses CSF tier assessments to measure program maturity against peer organizations. The Threat Intelligence and Detection (TID) domain maps Detect and Respond functions to active threat actor behavior observed in client environments. The Data Protection and Sovereignty (DPS) and Vulnerability and System Defense (VSD) domains provide implementation content for the Protect function's subcategories. This integration ensures that CSF implementation is not an isolated exercise but part of a comprehensive security architecture.
What CDA does differently is insist that framework adherence must be observable and testable, not self-reported. Every CSF outcome that a client claims to have achieved must be supported by evidence that could withstand adversarial scrutiny, whether from a regulator, an insurer, or an actual attacker. This approach closes the gap between documented posture and operational reality, ensuring that CSF implementation translates to genuine risk reduction rather than documentation compliance.
---
Written by CDA Editorial