NIST Cybersecurity Framework (CSF)
Overview
A voluntary framework developed by NIST to help organizations manage and reduce cybersecurity risk. CSF 2.0 (released 2024) added a sixth function: Govern.
The 6 Core Functions
1. GOVERN (GV) — NEW in CSF 2.0
Establish and monitor cybersecurity risk management strategy, policies, and roles.
- Organizational context
- Risk management strategy
- Roles and responsibilities
- Policy
2. IDENTIFY (ID)
Understand your assets, risks, and business context.
- Asset management
- Risk assessment
- Supply chain risk management
- Improvement
3. PROTECT (PR)
Implement safeguards to ensure delivery of critical services.
- Identity management & access control
- Awareness and training
- Data security
- Platform security
- Technology infrastructure resilience
4. DETECT (DE)
Find and analyze possible cybersecurity incidents in a timely manner.
- Continuous monitoring
- Adverse event analysis
5. RESPOND (RS)
Take action regarding a detected incident.
- Incident management
- Incident analysis
- Incident response reporting
- Communication
- Mitigation
6. RECOVER (RC)
Restore capabilities or services impaired by an incident.
- Incident recovery plan execution
- Incident recovery communication
Implementation Tiers
| Tier | Name | Description |
|---|---|---|
| 1 | Partial | Reactive, ad hoc practices |
| 2 | Risk Informed | Risk-aware but not organization-wide |
| 3 | Repeatable | Formal policies, consistently applied |
| 4 | Adaptive | Continuously improved, lessons learned |
CSF Profiles
- Current Profile — The cybersecurity outcomes the organization currently achieves
- Target Profile — The cybersecurity outcomes the organization wants to achieve
- Gap Analysis — The difference between the Current and Target Profiles
Quick Reference
Govern → Strategy, policy, roles
Identify → Assets, risks, context
Protect → Access, training, data security
Detect → Monitoring, anomaly detection
Respond → Containment, analysis, comms
Recover → Restoration, post-incident review
- Framework: https://www.nist.gov/cyberframework
- CSF 2.0 PDF: https://doi.org/10.6028/NIST.CSWP.29