NIST Cybersecurity Framework

The NIST Cybersecurity Framework (also known as the NIST CSF) is a set of guidelines designed to help organizations assess and improve their preparedness against cybersecurity threats. [1] [2] Developed in 2014 by the U.S. National Institute of Standards and Technology, the framework has been adopted by cybersecurity professionals and organizations around the world. [3] The NIST framework has provided a basis for communication and understanding of cybersecurity principles between organizations, both in the private sector and in the public sector, such as governments. The framework, which is publicly available online for free, provides recommendations drawn from existing cybersecurity standards and actions that organizations can take to mitigate cybersecurity risk. [4]

The NIST CSF is made up of three overarching components: the CSF Core, CSF Organizational Profiles, and CSF Tiers. The CSF Core is divided into six functions, each focused on maximizing cybersecurity preparedness, improving communication, and mitigating risk. The six CSF Core functions are Govern, Identify, Protect, Detect, Respond, and Recover. These six core functions are further broken down into categories and subcategories. The CSF Organizational Profiles provide guidance on how organizations can assess themselves in terms of the CSF Core and identify where their cybersecurity practices can be improved and implemented. The CSF Tiers characterize and evaluate an organization's cybersecurity readiness and ability to mitigate risks. [5] The CSF Tiers help organizations understand what level of cybersecurity protection they have in place and the processes behind that protection.

After its publication in 2014, the NIST CSF has been updated to reflect the most current cybersecurity practices. Among these updates is version 1.1, which was released in 2018. In version 1.1, changes were made to the framework to include supply chain risk management and new self-assessment processes. The current version of the NIST CSF is version 2.0, which was released in 2024. This version introduced a new function to the CSF Core: Govern. Version 2.0 also increased the scope of the NIST CSF and its applicability to smaller organizations. [6] Improvements to the framework's language were also made, increasing its readability for non-technical audiences.

The NIST Cybersecurity Framework is used internationally by organizations of varying sizes and sectors. [7] [8] [9] Available for free to implement, NIST CSF sets cybersecurity guidelines and best practices for organizations to increase their defense against cyber threats and prepare for future risks. [10] [11] [12] [13]

Overview

The NIST Cybersecurity Framework (CSF) is a set of guidelines developed by the U.S. National Institute of Standards and Technology (NIST) to help organizations manage and mitigate cybersecurity risks. It draws from existing standards, guidelines, and best practices to provide a flexible and scalable approach to cybersecurity. [14] The framework provides a high-level taxonomy of cybersecurity outcomes and offers a methodology for assessing and managing those outcomes. [15] Additionally, it addresses the protection of privacy and civil liberties in a cybersecurity context. [16]

The CSF has been translated into multiple languages and is widely used by governments, businesses, and organizations across various sectors. [17] [18] According to a 2016 survey, 70% of organizations view the NIST Cybersecurity Framework as a best practice for computer security, though some have noted that implementation can require significant investment. [19]

The framework is designed to be flexible and adaptable, providing high-level guidance that allows individual organizations to determine the specifics of implementation based on their unique needs and risk profiles. [20]

Version 1.0 of the framework was published in 2014, primarily targeting operators of critical infrastructure. A public draft of Version 1.1 was released for comment in 2017, and the final version was published on April 16, 2018. Version 1.1 retained compatibility with the original framework while introducing additional guidance on areas such as supply chain risk management. Version 2.0 was released in 2024 and is the most current version of the NIST framework. This new version made significant updates to Version 1.1 by adding a "Govern" function to the CSF Core, expanding the framework's scope and applicability, and improving readability for non-technical stakeholders.

The NIST Framework is made up of three main components: the CSF Core, CSF Organizational Profiles, and CSF Tiers. [21] The Core consists of six distinct functions, each contributing to a specific area of cybersecurity and risk management. [22] [23] [24] These six functions are broken down into categories and subcategories. The Organizational Profiles help organizations assess their current state of cybersecurity preparedness in terms of the CSF Core and identify where improvements and adjustments can be made. The CSF Tiers help inform an organization's Current and Target Profiles. The Tiers describe how rigorous an organization's current cybersecurity risk governance practices are and provide context for the cybersecurity strategies and processes the organization has in place. [25]

Organizations typically start by developing a "Current Profile" to describe their existing cybersecurity practices and outcomes. From there, they can create a "Target Profile" to outline the desired future state and define the steps needed to achieve it. Alternatively, organizations can adopt a baseline profile based on their sector or specific industry needs.

Research indicates that the NIST Cybersecurity Framework has the potential to influence cybersecurity standards both within the United States and internationally, particularly in sectors where formal cybersecurity standards are still emerging. This influence could foster better international cybersecurity practices, benefiting businesses that operate across borders and contributing to global cybersecurity efforts. [26]

NIST CSF Core Functions

[Figure: This circle represents the six functions that make up the NIST CSF 2.0.]

The Core is one of the three overarching components of the NIST CSF. The Core is categorized into six functions, which are further divided into 22 categories. Each category is then further divided, amounting to a total of 106 subcategories of cybersecurity outcomes.

For each subcategory, the framework also provides "Informative References" pointing to specific sections of a variety of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and the Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by the Center for Internet Security). NIST Special Publications (SP) aside, most of the informative references require a paid membership or purchase to access their respective guides. The cost and complexity of the framework have resulted in bills from both houses of Congress that direct NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses. [27] [28]

Here are the functions and categories, along with their unique identifiers and definitions, as stated in the framework document. [29]

Govern

According to NIST CSF 2.0, the Govern function is defined as: "the organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored."

The Govern function is divided into six categories. These six categories are defined below according to NIST CSF 2.0:

Identify

"Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."

Protect

"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."

Detect

"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."

Respond

"Develop and implement the appropriate activities to take action regarding a detected cybersecurity incident."

Recover

"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident."

NIST CSF Organizational Profiles

Organizational Profiles are the second of the three overarching components of the NIST CSF. The Organizational Profiles provide guidance to organizations on how they can assess themselves in terms of the CSF Core and where they can improve and implement their cybersecurity practices according to their mission objectives, stakeholder expectations, the threat landscape, and other needs. In this way, organizations can focus on specific areas of cybersecurity to meet their goals and communicate these changes to stakeholders.

An Organizational Profile can be one or both of the following:

  1. A Current Profile: describes the Core outcomes that an organization is meeting or aiming for and informs organizations on how they are achieving each outcome.
  2. A Target Profile: describes the goals for cybersecurity risk management that an organization has selected to pursue. A Target Profile takes into account incoming changes to an organization's cybersecurity practices including new requirements, technology integration, and trends of threat intelligence.

Additionally, an organization can follow a Community Profile:

A Community Profile is a set of CSF outcomes that a group of organizations has selected to pursue to reach shared cybersecurity goals and interests. Community Profiles are commonly created for different sectors, technologies, threats, and other specific areas. Additionally, organizations can set a Community Profile as their Target Profile, creating an outline of improvements they can work towards together to improve their cybersecurity risk management. [1]

Below is one way organizations can use an Organizational Profile to improve their cybersecurity practices, as described by NIST CSF 2.0:

  1. "Scope the Organizational Profile.": An organization needs to decide the scope, or how broad it wants its Organizational Profile to be. An organization can have multiple Organizational Profiles, ranging from a single Profile for the entire organization to separate ones for specific areas such as defending against cyber-attacks.
  2. "Gather the information needed to prepare the Organizational Profile.": Organizations need to collect information before creating their Profile. Information can consist of organizational policies and rules, priorities for managing risk and resources, cybersecurity requirements, and other practices followed by an organization.
  3. "Create the Organizational Profile.": This step involves deciding what information the Profile will have based on the chosen CSF outcomes. This includes understanding the risks of the Current Profile and determining what improvements should be made to it to then create the Target Profile. An organization can use a Community Profile as their Target Profile.
  4. "Analyze the gaps between the Current and Target Profiles, and create an action plan.": After creating an Organizational Profile, organizations should analyze how their Current Profile and Target Profile differ and create a plan to achieve their Target Profile.
  5. "Implement the action plan, and update the Organizational Profile.": The final step is to act on the plan made in the previous step to achieve the Target Profile. The Target Profile can have a deadline that the organization has selected or remain an ongoing process.

These steps can be repeated as many times as the organization desires in order to continuously improve its cybersecurity risk preparedness.
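The gap-analysis and action-plan steps above (steps 4 and 5) can be tracked in a small script. The following is an added illustration, not NIST's own tooling; the outcome identifiers (GV.X-01 and so on), the three-level achievement scale and the priority numbers are constructed for the example and are not the real CSF 2.0 subcategory IDs.

```python
"""Gap analysis between a CSF Current Profile and a Target Profile.

Added illustration, not NIST tooling. Outcome IDs such as "GV.X-01" are
constructed placeholders; only the two-letter Function prefixes are modelled.
"""
from dataclasses import dataclass
from enum import IntEnum


class Status(IntEnum):
    """How far an organization is towards a Core outcome (constructed scale)."""
    NOT_ACHIEVED = 0
    PARTIAL = 1
    ACHIEVED = 2


@dataclass(frozen=True)
class Gap:
    outcome: str
    function: str
    current: Status
    target: Status
    priority: int  # 1 = highest; set by the organization (assumed input)


def function_of(outcome_id: str) -> str:
    """Map the prefix of a constructed outcome ID to its CSF 2.0 Function."""
    prefixes = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
                "DE": "Detect", "RS": "Respond", "RC": "Recover"}
    return prefixes[outcome_id.split(".")[0]]


def analyze_gaps(current: dict, target: dict, priorities: dict) -> list:
    """Step 4: compare Current and Target Profiles and rank the differences.

    Outcomes the Target Profile selects but the Current Profile does not
    cover at all count as NOT_ACHIEVED. Outcomes outside the Target's scope
    are ignored. Result is ordered by priority, then by size of shortfall.
    """
    gaps = []
    for outcome, wanted in target.items():
        have = current.get(outcome, Status.NOT_ACHIEVED)
        if have < wanted:
            gaps.append(Gap(outcome, function_of(outcome), have, wanted,
                            priorities.get(outcome, 3)))
    return sorted(gaps, key=lambda g: (g.priority, -(g.target - g.current)))


def apply_action_plan(current: dict, completed: list) -> dict:
    """Step 5: record completed actions and return the updated Current Profile."""
    updated = dict(current)
    for gap in completed:
        updated[gap.outcome] = gap.target
    return updated


# Constructed sample data: a Current Profile and a Community Profile that
# the organization has adopted as its Target Profile.
CURRENT = {"GV.X-01": Status.ACHIEVED, "ID.X-01": Status.PARTIAL,
           "PR.X-01": Status.PARTIAL, "DE.X-01": Status.NOT_ACHIEVED}
COMMUNITY_TARGET = {"GV.X-01": Status.ACHIEVED, "ID.X-01": Status.ACHIEVED,
                    "PR.X-01": Status.ACHIEVED, "DE.X-01": Status.ACHIEVED,
                    "RS.X-01": Status.PARTIAL}
PRIORITIES = {"DE.X-01": 1, "PR.X-01": 2}

if __name__ == "__main__":
    for g in analyze_gaps(CURRENT, COMMUNITY_TARGET, PRIORITIES):
        print(f"{g.function:8} {g.outcome}: {g.current.name} -> "
              f"{g.target.name} (priority {g.priority})")
```

Re-running `analyze_gaps` on the profile returned by `apply_action_plan` shows the remaining work, which is how the page's "repeat as many times as desired" loop would be driven.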

NIST CSF Tiers

The CSF Tiers characterize and evaluate an organization's cybersecurity readiness and ability to mitigate risks. [30] [31] [32] The CSF Tiers help organizations understand what level of cybersecurity protection they currently have and the processes behind that protection. The Tiers can be used to inform an organization's Current and Target Profiles. There are four Tiers, which describe increasing levels of an organization's cybersecurity risk preparedness: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4). By describing these increasing levels of cybersecurity risk management, the Tiers provide guidance on how organizations can improve their cybersecurity practices. The Tiers can also be used to inform everyone in an organization of the chosen level of cybersecurity practice, so employees are aware of the organization's security goals. Although the Tiers give organizations an overall evaluation of their cybersecurity preparedness, they should be used as a complement to, and not a replacement for, the Organizational Profiles.

Updates

In 2021 NIST released Security Measures for "EO-Critical Software" Use Under Executive Order (EO) 14028 to outline security measures intended to better protect the use of deployed EO-critical software in agencies’ operational environments. [33]

Journey to CSF 2.0

The NIST Cybersecurity Framework is meant to be a living document, meaning it will be updated and improved over time to keep up with changes in technology and cybersecurity threats, as well as to integrate best practices and lessons learned. Since the release of version 1.1 in 2018, stakeholders have provided feedback that the CSF needed to be updated. In February 2022, NIST released a request for information on ways to improve the CSF, and released a subsequent concept paper in January 2023 with proposed changes. Most recently, NIST released its Discussion Draft: The NIST Cybersecurity Framework 2.0 Core with Implementation Examples and requested that public comments be submitted by November 4, 2023. [34]

Main Changes

The following is a list of the major changes to the framework from version 1.1 to 2.0: [35]

  1. The title of the framework has changed from "Framework for Improving Critical Infrastructure Cybersecurity" to "Cybersecurity Framework". The scope of the framework has been updated to reflect the large population of organizations that use the framework.
  2. Implementation examples have been added to provide practical and action-oriented processes to help users achieve the CSF subcategories. Additionally, the framework Profiles have been revised and expanded to demonstrate the various purposes of the profiles.
  3. A new Function, Govern, has been added to provide organizational context and the roles and responsibilities associated with developing a cybersecurity governance model. There is also an additional category in this Function focused on cybersecurity supply chain risk management.
  4. The latest update also provides more information on cybersecurity assessments, placing greater importance on the continuous improvement of security through a new Improvement Category in the Identify Function.

References

This article incorporates public domain material from NIST Cybersecurity Framework (PDF). National Institute of Standards and Technology.

  1. Ibrahim, Ahmed; Valli, Craig; McAteer, Ian; Chaudhry, Junaid (October 1, 2018). "A security review of local government using NIST CSF: a case study". The Journal of Supercomputing. 74 (10): 5171–5186. doi:10.1007/s11227-018-2479-2. ISSN 1573-0484.
  2. Gourisetti, Sri Nikhil Gupta; Mylrea, Michael; Patangia, Hirak (April 2020). "Cybersecurity vulnerability mitigation framework through empirical paradigm: Enhanced prioritized gap analysis". Future Generation Computer Systems. 105: 410–431. doi:10.1016/j.future.2019.12.018.
  3. Salas-Riega, Juan Luis; Riega-Virú, Yasmina; Ninaquispe-Soto, Mario; Salas-Riega, José Miguel (2025). "Cybersecurity and the NIST Framework: A Systematic Review of its Implementation and Effectiveness Against Cyber Threats". International Journal of Advanced Computer Science and Applications. 16 (6). doi:10.14569/IJACSA.2025.0160672.
  4. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
  5. Irawan, Hafizhan; Muhammad, Alva Hendi; Nasiri, Asro (June 16, 2024). "Design of Cybersecurity Maturity Assessment Framework Using NIST CSF v1.1 and CIS Controls v8". INOVTEK Polbeng - Seri Informatika. 9 (1). doi:10.35314/isi.v9i1.3973. ISSN 2527-9866.
  6. Calvo-Manzano, Jose A.; San Feliu, Tomás; Herranz, Ángel; Mariño, Julio; Fredlund, Lars-Åke; Moreno, Ana M. (2025). "CyberESP: An Integrated Cybersecurity Framework for SMEs". Journal of Software: Evolution and Process. 37 (9): e70050. doi:10.1002/smr.70050. ISSN 2047-7481.
  7. Rofi'ah, Darojatum Muthi'atur (March 7, 2025). "NIST Cybersecurity Framework in the Lens of Indonesian Internal Auditors". Indonesian Interdisciplinary Journal of Sharia Economics (IIJSE). 8 (2): 3349–3367. doi:10.31538/iijse.v8i2.6027. ISSN 2621-606X.
  8. Toussaint, Marion; Krima, Sylvère; Panetto, Hervé (May 1, 2024). "Industry 4.0 data security: A cybersecurity frameworks review". Journal of Industrial Information Integration. 39: 100604. doi:10.1016/j.jii.2024.100604. ISSN 2452-414X.
  9. Baseri, Yaser; Chouhan, Vikas; Ghorbani, Ali; Chow, Aaron (March 1, 2025). "Evaluation framework for quantum security risk assessment: A comprehensive strategy for quantum-safe transition". Computers & Security. 150: 104272. doi:10.1016/j.cose.2024.104272. ISSN 0167-4048.
  10. da Silva, Edvan Gomes; Georg, Marcus Aurélio Carvalho; Júnior, Luiz Antônio Ribeiro; Ferreira, Leonardo Rodrigo; de Melo, Laerte Peotta; Nunes, Rafael Rabelo (July 1, 2025). "International perspectives on critical infrastructure: Evaluation criteria and definitions". International Journal of Critical Infrastructure Protection. 49: 100761. doi:10.1016/j.ijcip.2025.100761. ISSN 1874-5482.
  11. Taherdoost, Hamed (January 2022). "Understanding Cybersecurity Frameworks and Information Security Standards—A Review and Comprehensive Overview". Electronics. 11 (14). doi:10.3390/electronic. ISSN 2079-9292. Archived from the original on April 16, 2025.
  12. Reuben-Owoh, Blessing; Haig, Ella (September 12, 2025). "A Systematic Review of Voluntary Cybersecurity Standards and Frameworks". International Journal of Information Security. 24 (5): 206. doi:10.1007/s10207-025-01121-0. ISSN 1615-5270.
  13. McIntosh, Timothy R.; Susnjak, Teo; Liu, Tong; Watters, Paul; Xu, Dan; Liu, Dongwei; Nowrozy, Raza; Halgamuge, Malka N. (September 1, 2024). "From COBIT to ISO 42001: Evaluating cybersecurity frameworks for opportunities, risks, and regulatory compliance in commercializing large language models". Computers & Security. 144: 103964. doi:10.1016/j.cose.2024.103964. ISSN 0167-4048.
  14. Gordon, Lawrence A.; Loeb, Martin P.; Zhou, Lei (January 1, 2020). "Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model". Journal of Cybersecurity. 6 (tyaa005). doi:10.1093/cybsec/tyaa005. ISSN 2057-2085.
  15. "Achieving Successful Outcomes With the NIST Cybersecurity Framework". GovLoop. February 13, 2019. Retrieved June 12, 2021.
  16. HealthITSecurity (February 10, 2016). "HIMSS: NIST Cybersecurity Framework Positive, Can Improve". Retrieved August 2, 2016.
  17. "NIST Cybersecurity Framework".
  18. "Workshop plots evolution of NIST Cybersecurity Framework". FedScoop. April 7, 2016. Retrieved August 2, 2016.
  19. "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Information Week Dark Reading. March 30, 2016. Retrieved August 2, 2016.
  20. Gordon, Lawrence A.; Loeb, Martin P.; Zhou, Lei (January 1, 2020). "Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model". Journal of Cybersecurity. 6 (1). doi:10.1093/cybsec/tyaa005. ISSN 2057-2085.
  21. Luidold, Christian; Jungbauer, Christoph (May 9, 2024). "Cybersecurity policy framework requirements for the establishment of highly interoperable and interconnected health data spaces". Frontiers in Medicine. 11. doi:10.3389/fmed.2024.1379852. ISSN 2296-858X.
  22. Casaril, Francesco; Galletta, Letterio (December 1, 2025). "Developing security metrics for space systems: A study considering the NIST Cybersecurity Framework 2.0 and the NIS2". International Journal of Critical Infrastructure Protection. 51: 100805. doi:10.1016/j.ijcip.2025.100805. ISSN 1874-5482.
  23. Dimakopoulou, Anastasia; Rantos, Konstantinos (May 30, 2024). "Comprehensive Analysis of Maritime Cybersecurity Landscape Based on the NIST CSF v2.0". Journal of Marine Science and Engineering. 12 (6): 919. doi:10.3390/jmse12060919. ISSN 2077-1312.
  24. Bernardo, Luís; Malta, Silvestre; Magalhães, João (March 28, 2025). "An Evaluation Framework for Cybersecurity Maturity Aligned with the NIST CSF". Electronics. 14 (7): 1364. doi:10.3390/electronics14071364. ISSN 2079-9292.
  25. Reuben-Owoh, Blessing; Haig, Ella (September 12, 2025). "A Systematic Review of Voluntary Cybersecurity Standards and Frameworks". International Journal of Information Security. 24 (5): 206. doi:10.1007/s10207-025-01121-0. ISSN 1615-5270.
  26. Shackelford, Scott J.; Proia, Andrew A.; Martell, Brenton; Craig, Amanda N. (2015). "Toward a Global Cybersecurity Standard of Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices". Texas International Law Journal. 50 (2/3): 305–355. SSRN 2446631. ProQuest 1704865080.
  27. "MAIN STREET Cybersecurity Act of 2017". congress.gov. Retrieved October 5, 2017.
  28. "NIST Small Business Cybersecurity Act of 2017". congress.gov. Retrieved October 5, 2017.
  29. "Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1" (Document). National Institute of Standards and Technology. April 16, 2018. doi:10.6028/nist.cswp.04162018.
  30. Aljumaiah, Osama; Jiang, Weiwei; Addula, Santosh Reddy; Almaiah, Mohammed Amin (April 4, 2025). "Analyzing Cybersecurity Risks and Threats in IT Infrastructure based on NIST Framework". Journal of Cyber Security and Risk Auditing. 2025 (2): 12–26. doi:10.63180/jcsra.thestap.2025.2.2. ISSN 3079-5354.
  31. Zakiy, Faishal Wafiq; Angresti, Nisa Dwi (December 23, 2024). "Comparative Analysis of Cybersecurity Maturity Frameworks: NIST-CSF and C2M2". JOISTECH: Journal of Information System and Technology. 1 (2): 82–87. ISSN 3063-9778.
  32. Gordon, Lawrence A.; Loeb, Martin P.; Zhou, Lei (January 1, 2020). "Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model". Journal of Cybersecurity. 6 (1). doi:10.1093/cybsec/tyaa005. ISSN 2057-2085.
  33. "Security Measures for "EO-Critical Software" Use". NIST. May 12, 2021.
  34. "The NIST Cybersecurity Framework 2.0". NIST. 2023. doi:10.6028/NIST.CSWP.29.ipd. Retrieved October 20, 2023.
  35. "Public Draft: The NIST Cybersecurity Framework 2.0" (PDF). NIST. Retrieved October 20, 2023.