The NIST Cybersecurity Framework (CSF) is the most widely adopted cybersecurity framework in the United States — and one of the most misunderstood. Here’s what it actually is, what it covers, and how to use it.
What Is the NIST CSF?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a voluntary framework developed to help organizations manage cybersecurity risk. It was originally created for critical infrastructure sectors but has been widely adopted across industries and organization sizes as a practical baseline for building and assessing cybersecurity programs.
Unlike prescriptive compliance frameworks, the NIST CSF is outcome-based. It tells you what good looks like without mandating exactly how to achieve it, giving organizations flexibility to implement controls appropriate for their size, risk profile, and resources.
The Five Core Functions
Identify: Understand your assets, data, systems, and the risks associated with them. You can’t protect what you don’t know you have.
Protect: Implement safeguards to limit the impact of a cybersecurity event. Access controls, data security, training, and protective technology fall here.
Detect: Develop capabilities to identify cybersecurity events quickly. Continuous monitoring and anomaly detection are the focus.
Respond: Plan and implement responses to detected cybersecurity incidents. This covers incident response plans, communications, and mitigation activities.
Recover: Maintain plans for resilience and restore capabilities after an incident. This covers business continuity, disaster recovery, and lessons learned.
NIST CSF 2.0: What Changed
NIST released CSF 2.0 in 2024, adding a sixth function: Govern. This addition acknowledges that cybersecurity is a business risk that requires leadership oversight and organizational accountability — not just a technical program. Govern covers organizational context, risk management strategy, supply chain risk, and roles and responsibilities.
How to Use the Framework
Organizations use the NIST CSF in one of three ways: as an assessment tool (where are we today?), as a target state (where do we want to be?), or as a communication tool (how do we explain our security posture to leadership and the board?). Most mature programs use it for all three.
