Glossary · Frameworks & standards

What is NIST Cybersecurity Framework?

Also known as: NIST CSF, NIST CSF 2.0, Cybersecurity Framework

The NIST Cybersecurity Framework (NIST CSF) is a voluntary framework from the US National Institute of Standards and Technology that helps organizations manage and reduce cybersecurity risk. Its 2.0 version is organized around six core functions - Govern, Identify, Protect, Detect, Respond, and Recover - and is widely used across industries to structure security programs.

Key takeaways

  • NIST CSF is voluntary guidance, not a certifiable standard.
  • Version 2.0 has six functions: Govern, Identify, Protect, Detect, Respond, Recover.
  • Govern was added in 2.0 to emphasize cybersecurity as an enterprise risk.
  • It is outcome-based and maps to other standards like ISO 27001 and SOC 2.
  • Often used as a common language to organize and communicate security posture.

The six core functions

NIST CSF organizes cybersecurity outcomes into functions, each broken into categories and subcategories. Version 2.0 elevated governance to a top-level function, reflecting that cyber risk is an enterprise risk owned by leadership.

  • Govern - establish and monitor the cybersecurity risk-management strategy and roles.
  • Identify - understand assets, risks, and the business context.
  • Protect - implement safeguards to limit the impact of incidents.
  • Detect - find cybersecurity events as they occur.
  • Respond - take action on detected incidents.
  • Recover - restore capabilities and services after an incident.

How organizations use the framework

CSF is intentionally flexible. Organizations assess their current state, define a target profile based on risk and business needs, and prioritize the gap between them. Implementation tiers describe how rigorous and adaptive the risk-management practices are, from partial to adaptive.

Because it is outcome-based, CSF works well as an organizing layer over more prescriptive standards. Its subcategories map to ISO 27001 controls and the Trust Services Criteria behind SOC 2, letting teams use one common vocabulary across multiple programs.

Connecting the framework to live security testing

The Detect, Respond, and Recover functions are only as good as the evidence that they actually work. CATAAM connects CSF outcomes to breach and attack simulation and internal attack surface management, so detection and response capabilities are continuously exercised against simulated attacks rather than assumed to function.

This bridges the gap between framework on paper and resilience in practice - showing not just that a control is documented, but that defenses respond as intended when tested.

Frequently asked questions

What are the functions of NIST CSF 2.0?
NIST CSF 2.0 has six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Govern was newly added in version 2.0 to emphasize cybersecurity governance.
Can you get certified in NIST CSF?
No. NIST CSF is voluntary guidance and there is no official certification. Organizations use it to assess and communicate posture, often alongside certifiable standards like ISO 27001.
What changed in NIST CSF 2.0?
Version 2.0 added the Govern function, broadened applicability beyond critical infrastructure to all organizations, and expanded guidance on supply-chain risk and implementation.
How does NIST CSF relate to ISO 27001?
They are complementary. CSF is an outcome-based framework that maps onto ISO 27001's certifiable management system, so many organizations use CSF to organize and ISO 27001 to certify.

Authoritative sources

← Back to the glossary