Failed Audit.com

NIST Cybersecurity Framework

Definition

The NIST Cybersecurity Framework (CSF) is a voluntary set of standards, guidelines, and best practices developed by the National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risk. CSF 2.0, released in 2024, expanded the framework to six core functions with the addition of Govern, emphasizing cybersecurity as a governance priority for all organizations.

Six Core Functions

Govern (GV)

Establish and monitor cybersecurity risk management strategy, expectations, and policy. New in CSF 2.0, this function places cybersecurity governance alongside enterprise risk management.

Identify (ID)

Understand organizational context, assets, risks, and supply chain dependencies. Covers asset management, risk assessment, and business environment understanding.

Protect (PR)

Implement safeguards to ensure delivery of critical services. Covers identity management, awareness training, data security, and protective technology.

Detect (DE)

Develop capabilities to identify cybersecurity events. Covers continuous monitoring, anomaly detection, and security event analysis.

Respond (RS)

Take action regarding detected cybersecurity incidents. Covers response planning, communications, analysis, mitigation, and improvements.

Recover (RC)

Maintain and restore capabilities impaired by cybersecurity incidents. Covers recovery planning, improvements, and communications.

Implementation Tiers

Tier 1 (Partial) -- ad hoc, reactive risk management with limited awareness

Tier 2 (Risk Informed) -- risk management practices approved by management but not established organization-wide

Tier 3 (Repeatable) -- formally approved, regularly updated risk management practices expressed as policy

Tier 4 (Adaptive) -- organization adapts cybersecurity practices based on lessons learned and predictive indicators
