
What Is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a voluntary, free set of NIST guidelines that organizes cybersecurity risk management into six functions (Govern, Identify, Protect, Detect, Respond, Recover) and helps an organization assess, prioritize, and communicate its security posture.

A board asks the security team one question: are we secure? The honest answer is never yes or no; it is "secure against what, and how would we know?" That gap, between a technical control list and a business conversation about risk, is the gap the NIST Cybersecurity Framework was built to close. It does not tell you which firewall to buy. It gives you a shared structure for deciding what to protect, what could go wrong, and whether your spending matches your risk.

The framework is voluntary, technology-neutral, and free. It started in 2014 as a tool for U.S. critical infrastructure and has since become the common language a hospital, a bank, and a software vendor can all use to describe their security posture to each other. The current edition, CSF 2.0, landed in February 2024 and made one structural change that matters: it added Govern as a sixth function and put it at the center.

This guide defines the framework against its primary source, walks the six functions, explains the three components that make it usable (the Core, Profiles, and Tiers), and gives a straight path for putting it to work without turning it into a paperwork exercise.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a set of voluntary guidelines, published by the U.S. National Institute of Standards and Technology, that helps an organization understand, assess, prioritize, and communicate its cybersecurity risk. It is published as NIST CSWP 29 and is the reference point that other standards, contracts, and regulators increasingly point to.

It is not a control catalog and not a checklist you pass or fail. It is an organizing layer that sits above the controls you already run. The framework tells you what outcomes to aim for, in plain enough language that a CISO and a CFO can both follow, and then points you at the detailed standards (NIST SP 800-53, ISO 27001, CIS Controls, and others) that specify how to achieve each outcome. That is its core trick: it separates "what good looks like" from "which product or control delivers it," so the strategy survives a tooling change.

Three properties make it stick. It is outcome-based, so it does not go stale when technology moves. It is common-language, so it works across departments and across organizations in a supply chain. And it is scalable, so a 20-person clinic and a global bank both use the same structure at different depths. CSF 2.0 made the scaling explicit: the 2014 and 2018 versions were framed around critical infrastructure, and 2.0 broadened the stated audience to organizations of all sizes and sectors.

The framework is built from three components that work together: the Core (the catalog of security outcomes, organized by function), Profiles (where you record your current state and your target state), and Tiers (how rigorous and risk-informed your practices are). The functions get the attention, but the Profiles are where the framework actually does work.

The six CSF 2.0 functions

Figure: NIST CSF 2.0, the six functions. Five functions run the lifecycle; Govern runs the program. CSF 2.0 added Govern and put it at the center: it informs how the other five are carried out.
  • Govern (GV), new in 2.0 and central: strategy, roles, accountability, risk tolerance, policy, and supply-chain risk. Wraps and informs all five functions below.
  • Identify (ID): know your assets, context, and risks. The inventory and risk assessment.
  • Protect (PR): access control, training, data security, secure configuration.
  • Detect (DE): continuous monitoring and analysis to find possible attacks.
  • Respond (RS): triage, contain, eradicate, and communicate during an incident.
  • Recover (RC): restore affected assets and operations, fold in lessons learned.
How to read it: the order is not a maturity ladder. A real program runs all six continuously. 6 Functions, 22 Categories, 106 Subcategories of outcomes.

The Core organizes every security outcome under six high-level functions. Five of them describe the lifecycle of dealing with a threat. The sixth, Govern, wraps the other five and is the headline change in 2.0.

  • Govern (GV). Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy. Govern is who decides, who is accountable, how risk tolerance is set, how roles are assigned, and how cybersecurity fits the broader enterprise risk picture, including the supply chain. It is new as a standalone function in CSF 2.0, and NIST places it at the center because it informs how the organization carries out the other five.
  • Identify (ID). Understand what you have and what threatens it: assets (hardware, software, data, services), the business context, and the cybersecurity risks to them. You cannot protect an asset you do not know exists, so this function is the inventory and the cybersecurity risk assessment that the rest of the program is built on.
  • Protect (PR). Put safeguards in place to limit or contain the impact of an event: identity management and access control, awareness training, data security, and the secure configuration and maintenance of systems.
  • Detect (DE). Find and analyze possible attacks and compromises. This is the monitoring function: continuous monitoring of the network and assets, and the analysis that turns raw events into a confirmed adverse event.
  • Respond (RS). Take action once an incident is detected: triage, analysis, containment, eradication, and the communications that have to happen during an incident. This is where the incident response plan executes.
  • Recover (RC). Restore the assets and operations that an incident affected, and fold the lessons learned back into the program so the next incident lands softer.

A useful way to read the six: Govern sets the rules of the game, Identify and Protect are the work you do before anything happens, Detect is how you notice, and Respond and Recover are what you do after. The order is not a maturity ladder. A real program runs all six continuously and in parallel.

The single most important takeaway from 2.0 is the elevation of Govern. In the 2018 edition, governance was scattered through the other functions. Pulling it out and centering it reflects what practitioners already knew: most programs do not fail on tooling, they fail on unclear ownership, untested risk tolerance, and supply-chain blind spots. Govern names those as first-class problems.

The Core: functions, categories, and subcategories

The six functions are the top of a three-level tree. Under each function sit Categories, and under each Category sit Subcategories. The functions are the headline. The Subcategories are where the actual, assessable outcomes live.

  • Functions are the six high-level groupings above (Govern, Identify, Protect, Detect, Respond, Recover).
  • Categories are the groups of related outcomes inside a function, such as Asset Management and Risk Assessment under Identify, or Identity Management, Authentication, and Access Control under Protect. CSF 2.0 organizes the Core into 22 Categories across the six functions.
  • Subcategories are the specific, outcome-based statements you actually measure yourself against, such as "Hardware managed by the organization is inventoried" or "Backups of data are created, protected, maintained, and tested." CSF 2.0 defines 106 Subcategories.

The Subcategories are deliberately written as outcomes, not actions. They say what should be true, not which product makes it true. That is what lets the same Subcategory apply to a cloud-native startup and an on-premise utility. To bridge from a Subcategory to a concrete control, the framework uses Informative References: explicit mappings from each Subcategory to the relevant lines in detailed standards like NIST SP 800-53, ISO 27001, and the CIS Controls. NIST publishes these mappings separately so they can be updated without reissuing the framework.

This three-level structure is what makes the framework auditable in practice even though it is not a pass or fail standard. You assess yourself Subcategory by Subcategory, roll the results up to Categories and functions, and get a posture you can show a board. The Profiles are how you record that.

Profiles and Tiers: making it operational

The functions get the slides. Profiles and Tiers are what turn the framework from a poster into a plan.

An Organizational Profile describes your cybersecurity posture in terms of the Core outcomes. You build two. The Current Profile records the outcomes you are achieving today, Subcategory by Subcategory. The Target Profile records the outcomes you need, given your mission, threats, and risk tolerance. The gap between Current and Target is your roadmap: it is a prioritized, defensible list of exactly which outcomes to close and in what order. CSF 2.0 leans hard on this. The Profile is how you move from "we should be more secure" to "these eight Subcategories are below target and here is the plan for each."

Tiers describe how rigorous and risk-informed your practices are, on a four-step scale. They characterize the program, not individual controls.

  • Tier 1, Partial. Risk management is ad hoc and reactive. Cybersecurity risk is handled case by case, with limited awareness and little organization-wide coordination.
  • Tier 2, Risk Informed. Risk practices are approved by management but may not be set as organization-wide policy. Awareness exists but is not consistent across the organization.
  • Tier 3, Repeatable. Risk practices are formally approved and expressed as policy. They are updated regularly and applied consistently across the organization.
  • Tier 4, Adaptive. The organization adapts its practices based on lessons learned and predictive indicators. Cybersecurity risk management is part of the organizational culture and continuously improves.

Tiers are not a grading system, and Tier 4 is not the goal for everyone. The point is to match your Tier to your risk: a small business with low-sensitivity data does not need Tier 4 rigor, and forcing it would waste money the framework is meant to save. You pick a target Tier the same way you pick a Target Profile, by reasoning from your actual risk.

How to use the NIST Cybersecurity Framework

The framework only pays off if you run it as a cycle, not a one-time assessment. NIST frames the work as a repeatable loop, and the practical version is five moves.

Scope it. Decide what the assessment covers: the whole organization, one business unit, one product, one system. Pull in the people who own the risk, not just the security team, because Govern requires business input on risk tolerance and priorities.

Build the Current Profile. Walk the Core and honestly record which outcomes you are achieving today, Subcategory by Subcategory. Be specific and be honest. A Current Profile that flatters you produces a roadmap that protects nothing.

Build the Target Profile. Decide which outcomes you actually need, driven by your mission, your threats, your risk tolerance, and any regulatory or contractual obligations. The Target Profile is a risk decision, not a wish list, and it is where Govern earns its place at the center.

Analyze the gap and prioritize. Compare Current to Target. Each gap is a candidate project. Rank them by risk reduced per dollar, not by how easy they are. This is the output that justifies a budget: a defensible, prioritized list tied to specific outcomes.

Act, then repeat. Close the highest-priority gaps, measure again, and update the Profiles. Threats change, the business changes, and the framework expects you to re-run the loop. A Profile is only true on the day you built it.
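As an added example, not code from NIST or from this guide, here is a small Python model of the Profile mechanics described above: a score per Subcategory for the Current and Target Profiles, the roll-up to Categories and functions, and the gap list ranked by risk reduced per unit cost. The 0-4 scoring convention, the risk weights and the cost figures are constructed assumptions; the Subcategory ids follow CSF 2.0's Function.Category-Number pattern.

```python
"""Current/Target Profile gap analysis for NIST CSF 2.0 (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Outcome:
    """One CSF Subcategory with its Current and Target Profile scores."""
    sub_id: str        # CSF 2.0 id, e.g. "PR.DS-11" = Function.Category-Number
    current: int       # Current Profile: how far the outcome is achieved today (0-4)
    target: int        # Target Profile: how far it needs to be achieved (0-4)
    risk_weight: int   # constructed: relative risk reduced per point closed
    cost: float        # constructed: estimated cost to close the gap

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)   # being above target is not a gap

    @property
    def priority(self) -> float:
        """Risk reduced per unit cost: the ranking the guide recommends."""
        return self.risk_weight * self.gap / self.cost


def function_of(sub_id: str) -> str:
    return sub_id.split(".")[0]        # "PR.DS-11" -> "PR"


def category_of(sub_id: str) -> str:
    return sub_id.split("-")[0]        # "PR.DS-11" -> "PR.DS"


def rollup(outcomes, level=function_of):
    """Average Current and Target scores per Function (or per Category)."""
    groups = defaultdict(list)
    for o in outcomes:
        groups[level(o.sub_id)].append(o)
    return {k: (mean(o.current for o in v), mean(o.target for o in v))
            for k, v in groups.items()}


def prioritize(outcomes):
    """Open gaps only, highest risk reduced per unit cost first."""
    return sorted((o for o in outcomes if o.gap), key=lambda o: o.priority, reverse=True)


def overshoot(outcomes):
    """Outcomes already above target: rigor the risk does not call for."""
    return [o for o in outcomes if o.current > o.target]


# Constructed sample Profile; scores are illustrative, not a NIST scale.
PROFILE = [
    Outcome("GV.SC-01", 1, 3, 5, 2.0),
    Outcome("ID.AM-01", 2, 4, 3, 1.0),
    Outcome("PR.AA-01", 4, 3, 2, 1.0),   # above target
    Outcome("PR.DS-11", 3, 4, 5, 2.0),
    Outcome("DE.CM-01", 1, 3, 4, 4.0),
    Outcome("RS.MA-01", 2, 3, 3, 1.0),
    Outcome("RC.RP-01", 2, 3, 2, 0.5),
]

if __name__ == "__main__":
    for o in prioritize(PROFILE):
        print(f"{o.sub_id}: gap {o.gap}, priority {o.priority:.1f}")
    for fn, (cur, tgt) in rollup(PROFILE).items():
        print(f"{fn}: current {cur:.1f} / target {tgt:.1f}")
```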

Two cautions from the field. First, the framework describes outcomes, not controls, so it never tells you the exact setting to change. For that you drop into the Informative References (SP 800-53, ISO 27001, CIS Controls) the Subcategory maps to. Second, the framework is a structure, not a substitute for the work. You can have a beautiful Target Profile and an unhardened network. The Profile tells you what to do; doing it is still on you.

Frequently Asked Questions

What is the NIST Cybersecurity Framework in simple terms?

It is a voluntary, free set of guidelines from NIST that gives organizations a common structure for managing cybersecurity risk. It organizes security work into six functions (Govern, Identify, Protect, Detect, Respond, Recover) and helps you assess where you are, decide where you need to be, and prioritize the gap. It is a strategy and communication layer that sits above your specific controls and tools.

What are the six functions of NIST CSF 2.0?

Govern, Identify, Protect, Detect, Respond, and Recover. Govern is the addition in CSF 2.0 and sits at the center: it covers strategy, roles, accountability, risk tolerance, policy, and supply-chain risk, and it informs the other five. Identify and Protect are the pre-incident work, Detect is monitoring, and Respond and Recover are post-incident action and restoration.

What changed in NIST CSF 2.0 versus 1.1?

The headline change is the new Govern function, which pulls governance out from where it was scattered across the other functions and centers it. CSF 2.0, released in February 2024, also broadened the framework's stated audience from critical infrastructure to organizations of all sizes and sectors, and expanded its guidance and Quick Start Guides. The Identify, Protect, Detect, Respond, and Recover functions carried over, reorganized.

Is the NIST Cybersecurity Framework mandatory?

No. The framework is voluntary for most organizations. It is widely adopted because contracts, insurers, and regulators increasingly reference it, and because it maps cleanly to mandatory standards, but the framework itself imposes no requirement and has no certification. Some U.S. federal agencies are directed to use NIST guidance, but the CSF for private organizations is a voluntary tool.

Is NIST CSF the same as NIST SP 800-53?

No. The CSF is a high-level, outcome-based framework that says what security results to aim for. NIST SP 800-53 is a detailed catalog of specific security and privacy controls. They work together: the CSF's Subcategories include Informative References that map each outcome to the relevant SP 800-53 controls, so you use the CSF to decide priorities and 800-53 to implement them.

How do CSF Profiles and Tiers differ?

A Profile describes your posture in terms of the Core outcomes. You build a Current Profile (what you achieve today) and a Target Profile (what you need), and the gap is your roadmap. Tiers describe how rigorous and risk-informed your overall risk management is, on a four-step scale from Partial to Adaptive. Profiles tell you which outcomes to close; Tiers tell you how mature the program around them is.

The bottom line

The NIST Cybersecurity Framework is the common language for cybersecurity risk: voluntary, free, outcome-based, and built to translate technical security into a business conversation. CSF 2.0, released in February 2024, organizes that work into six functions (Govern, Identify, Protect, Detect, Respond, Recover) over 22 Categories and 106 Subcategories, with Govern centered to fix the ownership and risk-tolerance failures that sink real programs.

Use it as a loop, not a one-time audit. Build a Current Profile, decide a Target Profile from your actual risk, analyze the gap, prioritize by risk reduced, close the gaps, and re-run. The framework tells you what to aim for and gives you a defensible way to show progress. It does not do the hardening for you. Run it as a cycle and it becomes the thing that turns "are we secure" into a list of specific, ranked, fundable decisions.
