
NIST Cybersecurity Framework

NIST Cybersecurity Framework (NIST CSF) is a set of standards and best practices for managing cybersecurity risk, developed by the National Institute of Standards and Technology. CSF organizes security activities into five functions: Identify, Protect, Detect, Respond, Recover.

What is NIST Cybersecurity Framework?

NIST CSF Definition

NIST Cybersecurity Framework is a voluntary standard developed by the U.S. National Institute of Standards and Technology (NIST) that provides guidelines for managing cybersecurity risk. First published in 2014, the framework has since been adopted globally, not only in the USA.

Five Core Functions

Identify:

  • Asset management
  • Business environment
  • Risk assessment
  • Governance

Protect:

  • Access control
  • Awareness and training
  • Data security
  • Protective technology

Detect:

  • Anomalies and events
  • Continuous monitoring
  • Detection processes

Respond:

  • Response planning
  • Communications
  • Analysis
  • Mitigation

Recover:

  • Recovery planning
  • Improvements
  • Communications

Framework Components

Framework Core:

  • 5 Functions
  • 23 Categories
  • 108 Subcategories
  • Informative references

Implementation Tiers:

  • Tier 1: Partial
  • Tier 2: Risk Informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

Framework Profiles:

  • Current state profile
  • Target state profile
  • Gap analysis

NIST CSF 2.0

Version 2.0 (2024) introduced:

  • Govern function - a new sixth function
  • Greater emphasis on supply chain
  • Expanded guidance for small organizations
  • Better international alignment

Why Use NIST CSF?

  • Flexibility: Adapts to different organization sizes
  • Universal: Applicable across sectors
  • Benchmark: Enables maturity comparison
  • Integrable: Works with ISO 27001, COBIT
  • Risk-based: Focus on business risk

NIST CSF vs ISO 27001

Aspect          NIST CSF                ISO 27001
Nature          Guidelines              Standard for certification
Certification   No                      Yes
Approach        Risk-based              Control-based
Region          USA (global adoption)   International

Many organizations use both: NIST CSF as a risk framework and ISO 27001 for certification.

NIST Cybersecurity Framework is a fundamental tool for building and maturing cybersecurity programs, providing structure and common language.
