What is NIST CSF ?

NIST CSF, or the National Institute of Standards and Technology Cybersecurity Framework, is a set of guidelines, best practices, and standards designed to help organizations manage and improve their cybersecurity risk management processes.

The framework provides a common language for understanding, managing, and expressing cybersecurity risks. The NIST CSF is widely used by businesses and government entities to enhance their cybersecurity resilience.

There are three components of this framework (see Figure 1):

  • Core: The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand.
  • Tiers: The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management.
  • Profiles: A Profile is the alignment of the Functions, Categories, and Subcategories (see below) with the business requirements, risk tolerance, and resources of the organization.

Figure 1: NIST CSF Components

The NIST CSF 2.0 Core contains the following six Functions (see Figure 2):

  • Govern (GV): Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy.
  • Identify (ID): Help determine the current cybersecurity risk to the organization.
  • Protect (PR): Use safeguards to prevent or reduce cybersecurity risk.
  • Detect (DE): Find and analyze possible cybersecurity attacks and compromises.
  • Respond (RS): Take action regarding a detected cybersecurity incident.
  • Recover (RC): Restore assets and operations that were impacted by a cybersecurity incident.

Figure 2: NIST CSF Functions

These functions serve as a flexible and scalable approach for organizations to strengthen their cybersecurity posture and better respond to and recover from cyber threats.

Comparison of Profiles (e.g., the Current Profile and Target Profile, see Figure 3) may reveal gaps to be addressed to meet cybersecurity risk management objectives.  

Figure 3: Cybersecurity Framework Profiles

Steps for Creating and Using Profiles:

One way an organization could use Current and Target Profiles to inform continuous improvement of its cybersecurity is to follow the steps shown in Figure 4:

Figure 4: Steps for creating and using NIST CSF Profiles

Categories: Each function is further divided into categories, representing specific cybersecurity activities and outcomes.

Subcategories: Subcategories provide more detailed guidance on implementing the categories.

Figure 5: NIST CSF 2.0 Core Functions and Category Names with Identifier

GOVERN (GV): Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy


Organizational Context (GV.OC): The circumstances – mission, stakeholder expectations, and legal, regulatory, and contractual requirements – surrounding the organization’s cybersecurity risk management decisions are understood (formerly ID.BE)


GV.OC-01: The organizational mission is understood and informs cybersecurity risk management (formerly ID.BE-02, ID.BE-03)


GV.OC-02: Internal and external stakeholders are determined, and their needs and expectations regarding cybersecurity risk management are understood


GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity – including privacy and civil liberties obligations – are understood and managed (formerly ID.GV-03)


GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are determined and communicated (formerly ID.BE-04, ID.BE-05)


GV.OC-05: Outcomes, capabilities, and services that the organization depends on are determined and communicated (formerly ID.BE-01, ID.BE-04)


Risk Management Strategy (GV.RM): The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions (formerly ID.RM)


GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders (formerly ID.RM-01)


GV.RM-02: Risk appetite and risk tolerance statements are determined, communicated, and maintained (formerly ID.RM-02, ID.RM-03)


GV.RM-03: Enterprise risk management processes include cybersecurity risk management activities and outcomes (formerly ID.GV-04)


GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated


GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties


GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated


GV.RM-07: Strategic opportunities (i.e., positive risks) are identified and included in organizational cybersecurity risk discussions


Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders (formerly ID.SC)


GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders (formerly ID.SC-01)


GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally (formerly ID.AM-06)


GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes (formerly ID.SC-02)


GV.SC-04: Suppliers are known and prioritized by criticality


GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties (formerly ID.SC-03)


GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships


GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are identified, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship (formerly ID.SC-02, ID.SC-04)


GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities (formerly ID.SC-05)


GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle


GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement


Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated (formerly ID.GV-02)


GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving


GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced (formerly ID.AM-06, ID.GV-02, DE.DP-01)


GV.RR-03: Adequate resources are allocated commensurate with cybersecurity risk strategy, roles and responsibilities, and policies


GV.RR-04: Cybersecurity is included in human resources practices (formerly PR.IP-11)


Policies, Processes, and Procedures (GV.PO): Organizational cybersecurity policies, processes, and procedures are established, communicated, and enforced (formerly ID.GV-01)


GV.PO-01: Policies, processes, and procedures for managing cybersecurity risks are established based on organizational context, cybersecurity strategy, and priorities and are communicated and enforced (formerly ID.GV-01)


GV.PO-02: Policies, processes, and procedures for managing cybersecurity risks are reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission (formerly ID.GV-01)


Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy


GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction


GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks


GV.OV-03: Organizational cybersecurity risk management performance is measured and reviewed to confirm and adjust strategic direction

IDENTIFY (ID): Help determine the current cybersecurity risk to the organization


Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy


ID.AM-01: Inventories of hardware managed by the organization are maintained


ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained


ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained (formerly ID.AM-03, DE.AE-01)


ID.AM-04: Inventories of services provided by suppliers are maintained


ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission


ID.AM-06: Dropped (moved to GV.RR-02, GV.SC-02)


ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained


ID.AM-08: Systems, hardware, software, and services are managed throughout their life cycle (formerly PR.DS-03, PR.IP-02, PR.MA-01, PR.MA-02)


Business Environment (ID.BE): Dropped (moved to GV.OC)


ID.BE-01: Dropped (moved to GV.OC-05)


ID.BE-02: Dropped (moved to GV.OC-01)


ID.BE-03: Dropped (moved to GV.OC-01)


ID.BE-04: Dropped (moved to GV.OC-04, GV.OC-05)


ID.BE-05: Dropped (moved to GV.OC-04)


Governance (ID.GV): Dropped (moved to GV)


ID.GV-01: Dropped (moved to GV.PO)


ID.GV-02: Dropped (moved to GV.RR-02)


ID.GV-03: Dropped (moved to GV.OC-03)


ID.GV-04: Dropped (moved to GV.RM-03)


Risk Assessment (ID.RA): The organization understands the cybersecurity risk to the organization, assets, and individuals.


ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded (formerly ID.RA-01, PR.IP-12, DE.CM-08)


ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources


ID.RA-03: Internal and external threats to the organization are identified and recorded


ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded


ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk and inform risk prioritization


ID.RA-06: Risk responses are chosen from the available options, prioritized, planned, tracked, and communicated (formerly ID.RA-06, RS.MI-03)


ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked (formerly part of PR.IP-03)


ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established (formerly RS.AN-05)


ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use (formerly PR.DS-08)


Risk Management Strategy (ID.RM): Dropped (moved to GV.RM)


ID.RM-01: Dropped (moved to GV.RM-01)


ID.RM-02: Dropped (moved to GV.RM-02)


ID.RM-03: Dropped (moved to GV.RM-02)


Supply Chain Risk Management (ID.SC): Dropped (moved to GV.SC)


ID.SC-01: Dropped (moved to GV.SC-01)


ID.SC-02: Dropped (moved to GV.SC-03, GV.SC-07)


ID.SC-03: Dropped (moved to GV.SC-05)


ID.SC-04: Dropped (moved to GV.SC-07)


ID.SC-05: Dropped (moved to GV.SC-08, ID.IM-02)


Improvement (ID.IM): Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all Framework Functions


ID.IM-01: Continuous evaluation is applied to identify improvements


ID.IM-02: Security tests and exercises, including those done in coordination with suppliers and relevant third parties, are conducted to identify improvements (formerly ID.SC-05, PR.IP-10, DE.DP-03)


ID.IM-03: Lessons learned during execution of operational processes, procedures, and activities are used to identify improvements (formerly PR.IP-07, PR.IP-08, DE.DP-05, RS.IM-01, RS.IM-02, RC.IM-01, RC.IM-02)


ID.IM-04: Cybersecurity plans that affect operations are communicated, maintained, and improved (formerly PR.IP-09)

PROTECT (PR): Use safeguards to prevent or reduce cybersecurity risk


Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware, and is managed commensurate with the assessed risk of unauthorized access (formerly PR.AC)


PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization (formerly PR.AC-01)


PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions (formerly PR.AC-06)


PR.AA-03: Users, services, and hardware are authenticated (formerly PR.AC-03, PR.AC-07)


PR.AA-04: Identity assertions are protected, conveyed, and verified


PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties (formerly PR.AC-01, PR.AC-03, PR.AC-04)


PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk (formerly PR.AC-02, PR.PT-04)


Identity Management, Authentication and Access Control (PR.AC): Dropped (moved to PR.AA)


PR.AC-01: Dropped (moved to PR.AA-01, PR.AA-05)


PR.AC-02: Dropped (moved to PR.AA-06)


PR.AC-03: Dropped (moved to PR.AA-03, PR.AA-05, PR.IR-01)


PR.AC-04: Dropped (moved to PR.AA-05)


PR.AC-05: Dropped (moved to PR.IR-01)


PR.AC-06: Dropped (moved to PR.AA-02)


PR.AC-07: Dropped (moved to PR.AA-03)


Awareness and Training (PR.AT): The organization’s personnel are provided cybersecurity awareness and training so they can perform their cybersecurity-related tasks


PR.AT-01: Users are provided awareness and training so they possess the knowledge and skills to perform general tasks with security risks in mind (formerly PR.AT-01, PR.AT-03, RS.CO-01)


PR.AT-02: Individuals in specialized roles are provided awareness and training so they possess the knowledge and skills to perform relevant tasks with security risks in mind (formerly PR.AT-02, PR.AT-03, PR.AT-04, PR.AT-05)


PR.AT-03: Dropped (moved to PR.AT-01, PR.AT-02)


PR.AT-04: Dropped (moved to PR.AT-02)


PR.AT-05: Dropped (moved to PR.AT-02)


Data Security (PR.DS): Data is managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information


PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected (formerly PR.DS-01, PR.DS-05, PR.DS-06, PR.PT-02)


PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected (formerly PR.DS-02, PR.DS-05)


PR.DS-03: Dropped (moved to ID.AM-08)


PR.DS-04: Dropped (moved to PR.IR-04)


PR.DS-05: Dropped (moved to PR.DS-01, PR.DS-02, PR.DS-10)


PR.DS-06: Dropped (moved to PR.DS-01, DE.CM-09)


PR.DS-07: Dropped (moved to PR.IR-01)


PR.DS-08: Dropped (moved to ID.RA-09, DE.CM-09)


PR.DS-09: Data is managed throughout its life cycle, including destruction (formerly PR.IP-06)


PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected (formerly PR.DS-05)


PR.DS-11: Backups of data are created, protected, maintained, and tested (formerly PR.IP-04)


Information Protection Processes and Procedures (PR.IP): Dropped (moved to other Categories and Functions)


PR.IP-01: Dropped (moved to PR.PS-01)


PR.IP-02: Dropped (moved to ID.AM-08)


PR.IP-03: Dropped (moved to PR.PS-01, ID.RA-07)


PR.IP-04: Dropped (moved to PR.DS-11)


PR.IP-05: Dropped (moved to PR.IR-02)


PR.IP-06: Dropped (moved to PR.DS-09)


PR.IP-07: Dropped (moved to ID.IM-03)


PR.IP-08: Dropped (moved to ID.IM-03)


PR.IP-09: Dropped (moved to ID.IM-04)


PR.IP-10: Dropped (moved to ID.IM-02)


PR.IP-11: Dropped (moved to GV.RR-04)


PR.IP-12: Dropped (moved to ID.RA-01, PR.PS-02)


Maintenance (PR.MA): Dropped (moved to ID.AM-08)


PR.MA-01: Dropped (moved to ID.AM-08, PR.PS-03)


PR.MA-02: Dropped (moved to ID.AM-08, PR.PS-02)


Protective Technology (PR.PT): Dropped (moved to other Protect Categories)


PR.PT-01: Dropped (moved to PR.PS-04)


PR.PT-02: Dropped (moved to PR.DS-01, PR.PS-01)


PR.PT-03: Dropped (moved to PR.PS-01)


PR.PT-04: Dropped (moved to PR.AA-07, PR.IR-01)


PR.PT-05: Dropped (moved to PR.IR-04)


Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability


PR.PS-01: Configuration management practices are applied (formerly PR.IP-01, PR.IP-03, PR.PT-02, PR.PT-03)


PR.PS-02: Software is maintained, replaced, and removed commensurate with risk (formerly PR.IP-12, PR.MA-02)


PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk (formerly PR.MA-01)


PR.PS-04: Log records are generated and made available for continuous monitoring (formerly PR.PT-01)


PR.PS-05: Installation and execution of unauthorized software are prevented


PR.PS-06: Secure software development practices are integrated and their performance is monitored throughout the software development life cycle


Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience


PR.IR-01: Networks and environments are protected from unauthorized logical access and usage (formerly PR.AC-03, PR.AC-05, PR.DS-07, PR.PT-04)


PR.IR-02: The organization’s technology assets are protected from environmental threats (formerly PR.IP-05)


PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations (formerly PR.PT-05)


PR.IR-04: Adequate resource capacity to ensure availability is maintained (formerly PR.DS-04)

DETECT (DE): Find and analyze possible cybersecurity attacks and compromises


Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events


DE.CM-01: Networks and network services are monitored to find potentially adverse events (formerly DE.CM-01, DE.CM-04, DE.CM-05, DE.CM-07)


DE.CM-02: The physical environment is monitored to find potentially adverse events


DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events (formerly DE.CM-03, DE.CM-07)


DE.CM-04: Dropped (moved to DE.CM-01, DE.CM-09)


DE.CM-05: Dropped (moved to DE.CM-01, DE.CM-09)


DE.CM-06: External service provider activities and services are monitored to find potentially adverse events (formerly DE.CM-06, DE.CM-07)


DE.CM-07: Dropped (moved to DE.CM-01, DE.CM-03, DE.CM-06, DE.CM-09)


DE.CM-08: Dropped (moved to ID.RA-01)


DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events (formerly PR.DS-06, PR.DS-08, DE.CM-04, DE.CM-05, DE.CM-07)


Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents (formerly DE.AE, DE.DP-02)


DE.AE-01: Dropped (moved to ID.AM-03)


DE.AE-02: Potentially adverse events are analyzed to better understand associated activities


DE.AE-03: Information is correlated from multiple sources


DE.AE-04: The estimated impact and scope of adverse events are determined


DE.AE-05: Dropped (moved to DE.AE-08)


DE.AE-06: Information on adverse events is provided to authorized staff and tools (formerly DE.DP-04)


DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis


DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria (formerly DE.AE-05)


Detection Processes (DE.DP): Dropped (moved to other Categories and Functions)


DE.DP-01: Dropped (moved to GV.RR-02)


DE.DP-02: Dropped (moved to DE.AE)


DE.DP-03: Dropped (moved to ID.IM-02)


DE.DP-04: Dropped (moved to DE.AE-06)


DE.DP-05: Dropped (moved to ID.IM-03)

RESPOND (RS): Take action regarding a detected cybersecurity incident


Response Planning (RS.RP): Dropped (moved to RS.MA)


RS.RP-01: Dropped (moved to RS.MA-01)


Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed (formerly RS.RP)


RS.MA-01: The incident response plan is executed once an incident is declared in coordination with relevant third parties (formerly RS.RP-01, RS.CO-04)


RS.MA-02: Incident reports are triaged and validated (formerly RS.AN-01, RS.AN-02)


RS.MA-03: Incidents are categorized and prioritized (formerly RS.AN-04, RS.AN-02)


RS.MA-04: Incidents are escalated or elevated as needed (formerly RS.AN-02, RS.CO-04)


RS.MA-05: The criteria for initiating incident recovery are applied


Incident Analysis (RS.AN): Investigation is conducted to ensure effective response and support forensics and recovery activities


RS.AN-01: Dropped (moved to RS.MA-02)


RS.AN-02: Dropped (moved to RS.MA-02, RS.MA-03, RS.MA-04)


RS.AN-03: Analysis is performed to determine what has taken place during an incident and the root cause of the incident


RS.AN-04: Dropped (moved to RS.MA-03)


RS.AN-05: Dropped (moved to ID.RA-08)


RS.AN-06: Actions performed during an investigation are recorded and the records’ integrity and provenance are preserved (formerly part of RS.AN-03)


RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved


RS.AN-08: The incident’s magnitude is estimated and validated


Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies


RS.CO-01: Dropped (moved to PR.AT-01)


RS.CO-02: Internal and external stakeholders are notified of incidents


RS.CO-03: Information is shared with designated internal and external stakeholders (formerly RS.CO-03, RS.CO-05)


RS.CO-04: Dropped (moved to RS.MA-01, RS.MA-04)


RS.CO-05: Dropped (moved to RS.CO-03)


Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an event and mitigate its effects


RS.MI-01: Incidents are contained


RS.MI-02: Incidents are eradicated


RS.MI-03: Dropped (moved to ID.RA-06)


Improvements (RS.IM): Dropped (moved to ID.IM)


RS.IM-01: Dropped (moved to ID.IM-03)


RS.IM-02: Dropped (moved to ID.IM-03)

RECOVER (RC): Restore assets and operations that were impacted by a cybersecurity incident


Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents


RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process


RC.RP-02: Recovery actions are determined, scoped, prioritized, and performed


RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration


RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms


RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed


RC.RP-06: The criteria for determining the end of incident recovery are applied, and incident-related documentation is completed


Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties


RC.CO-01: Dropped (moved to RC.CO-04)


RC.CO-02: Dropped (moved to RC.CO-04)


RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders


RC.CO-04: Public updates on incident recovery are properly shared using approved methods and messaging (formerly RC.CO-01, RC.CO-02)


Improvements (RC.IM): Dropped (moved to ID.IM)


RC.IM-01: Dropped (moved to ID.IM-03)


RC.IM-02: Dropped (moved to ID.IM-03)


Table 1: CSF 2.0 Core Functions, Categories and Subcategories
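Table 1 doubles as a CSF 1.1 to 2.0 crosswalk: live 2.0 subcategories name their 1.1 ancestors with "(formerly ...)", and dropped 1.1 subcategories say where they went with "Dropped (moved to ...)". As an added example (not code from the original post or from NIST), the Python below parses lines in exactly that format to build the mapping, carries a 1.1 Profile over to 2.0 identifiers, and then compares a Current Profile against a Target Profile to list the gaps discussed above. The embedded table lines are copied from Table 1; the Profile statuses and the three-level status scale are constructed for the example.

```python
import re
from collections import defaultdict

# Lines copied from Table 1 above, embedded so the example runs offline.
# In practice, feed the whole table (one subcategory per line).
TABLE_LINES = """
GV.OC-01: The organizational mission is understood and informs cybersecurity risk management (formerly ID.BE-02, ID.BE-03)
ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded (formerly ID.RA-01, PR.IP-12, DE.CM-08)
ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked (formerly part of PR.IP-03)
PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected (formerly PR.DS-05)
PR.PS-05: Installation and execution of unauthorized software are prevented
ID.BE-02: Dropped (moved to GV.OC-01)
PR.DS-05: Dropped (moved to PR.DS-01, PR.DS-02, PR.DS-10)
"""

SUBCAT = r"[A-Z]{2}\.[A-Z]{2}-\d{2}"          # e.g. GV.OC-01
LINE_RE = re.compile(rf"^({SUBCAT}):\s*(.*?)\s*$")
MOVED_RE = re.compile(r"^Dropped \(moved to ([^)]*)\)")
FORMERLY_RE = re.compile(r"\(formerly (?:part of )?([^)]*)\)")
ID_RE = re.compile(SUBCAT)

# Constructed status scale, weakest to strongest, so merges can take the minimum.
STATUS_RANK = {"not implemented": 0, "partial": 1, "implemented": 2}


def parse_crosswalk(text):
    """Return (old_to_new, new_ids): 1.1 id -> set of 2.0 ids, plus the set of
    every 2.0 id that appears as a live (not dropped) subcategory."""
    old_to_new = defaultdict(set)
    new_ids = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, category headers, captions
        ident, body = m.groups()
        moved = MOVED_RE.match(body)
        if moved:  # dropped 1.1 subcategory: the line says where it went
            for new in ID_RE.findall(moved.group(1)):
                old_to_new[ident].add(new)
            continue
        new_ids.add(ident)
        former = FORMERLY_RE.search(body)
        if former:  # live 2.0 subcategory listing its 1.1 ancestors
            for old in ID_RE.findall(former.group(1)):
                old_to_new[old].add(ident)
    return dict(old_to_new), new_ids


def migrate_profile(profile_1_1, old_to_new, new_ids):
    """Carry a 1.1 Profile ({id: status}) over to 2.0 identifiers.
    When several 1.1 outcomes merge into one 2.0 subcategory, keep the weakest
    status: a partly covered outcome should not inherit "implemented".
    Returns (profile_2_0, unmapped_1_1_ids, unassessed_2_0_ids)."""
    profile_2_0, unmapped = {}, []
    for old, status in profile_1_1.items():
        targets = old_to_new.get(old)
        if not targets:
            unmapped.append(old)  # not in the crosswalk: needs manual review
            continue
        for new in targets:
            cur = profile_2_0.get(new)
            if cur is None or STATUS_RANK[status] < STATUS_RANK[cur]:
                profile_2_0[new] = status
    unassessed = sorted(new_ids - profile_2_0.keys())  # new in 2.0, no 1.1 data
    return profile_2_0, sorted(unmapped), unassessed


def profile_gaps(current, target):
    """Subcategories where the Current Profile falls short of the Target Profile."""
    return sorted(s for s, want in target.items()
                  if STATUS_RANK[current.get(s, "not implemented")] < STATUS_RANK[want])
```

Subcategories reported as unassessed (such as PR.PS-05, which has no 1.1 ancestor) have to be assessed fresh before the gap list is meaningful.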


  • https://www.nist.gov/cyberframework
  • https://www.nist.gov/cyberframework/getting-started
  • https://www.nist.gov/cyberframework/examples-framework-profile
  • https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf