NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is a voluntary guidance framework developed by the National Institute of Standards and Technology that provides organizations with a structured approach to managing and reducing cybersecurity risk.
Originally released in 2014 and updated to version 2.0 in 2024, the NIST CSF was developed through collaboration between government and private sector stakeholders. While initially targeting critical infrastructure, the framework has been widely adopted across industries and organization sizes due to its flexible, risk-based approach.
The framework is organized around six core functions in version 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. The Govern function was added in version 2.0 to emphasize the importance of cybersecurity governance and risk management strategy. Each function is divided into categories and subcategories that provide specific outcomes organizations should work toward.
One of the key strengths of the NIST CSF is its use of Implementation Tiers, which describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. The four tiers range from Partial (Tier 1) to Adaptive (Tier 4), allowing organizations to assess their current state and set target goals for improvement.
The framework also introduces the concept of Profiles, which align the framework's core functions with an organization's business requirements, risk tolerance, and resources. Organizations create a Current Profile describing their present cybersecurity posture and a Target Profile describing their desired state, enabling a gap analysis that guides investment and improvement priorities.
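One way to carry out the Current-versus-Target gap analysis described above, as an added example that is not NIST's own material: each profile is a mapping from outcome identifiers to a 1-4 level labelled with the Tier names (an assumption of this example, since NIST applies Tiers to the organization rather than to individual outcomes), the outcome identifiers and criticality weights are constructed sample data, and the result is a remediation list ordered by gap size times business criticality.

```python
# Gap analysis between a Current Profile and a Target Profile.
# Added illustration, not NIST material: each outcome is scored 1-4 using the
# Tier names as labels (a simplifying assumption; NIST applies Tiers to the
# organization). Outcome identifiers are constructed sample data.
from dataclasses import dataclass

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")  # Govern ... Recover

@dataclass(frozen=True)
class Gap:
    outcome: str
    current: int
    target: int
    weight: int  # business criticality 1-3, chosen by the organization

    @property
    def priority(self) -> int:
        return (self.target - self.current) * self.weight  # bigger gap x criticality

def validate_profile(profile: dict) -> None:
    """Reject identifiers outside the six functions or levels outside 1-4."""
    for outcome, level in profile.items():
        if outcome.split(".")[0] not in FUNCTIONS or level not in TIERS:
            raise ValueError(f"invalid profile entry {outcome}={level}")

def gap_analysis(current: dict, target: dict, weights: dict) -> list:
    """Outcomes still short of the Target Profile, highest priority first."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for outcome, wanted in target.items():
        have = current.get(outcome, 1)  # not yet practised => Partial
        if wanted > have:
            gaps.append(Gap(outcome, have, wanted, weights.get(outcome, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.outcome))

def gap_by_function(gaps: list) -> dict:
    """Total levels of improvement needed per core function."""
    totals = {}
    for g in gaps:
        fn = g.outcome.split(".")[0]
        totals[fn] = totals.get(fn, 0) + g.target - g.current
    return totals

# Constructed sample profiles, not taken from any real assessment.
CURRENT_PROFILE = {"GV.OC-01": 1, "ID.AM-01": 2, "PR.AA-01": 3, "DE.CM-01": 2, "RS.MA-01": 1}
TARGET_PROFILE = {"GV.OC-01": 3, "ID.AM-01": 3, "PR.AA-01": 3, "DE.CM-01": 4,
                  "RS.MA-01": 3, "RC.RP-01": 2}
WEIGHTS = {"GV.OC-01": 3, "DE.CM-01": 2, "RS.MA-01": 3}
```

Outcomes present in the Target Profile but absent from the Current Profile are treated as Partial, so a newly adopted outcome (here the Recover entry) shows up as a gap rather than being silently skipped.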