RiskWatch
Framework guide · ~12 min read · Updated June 2026

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a voluntary, outcome-based framework from the US National Institute of Standards and Technology for managing cybersecurity risk. Its 2024 update, CSF 2.0, organises the work into six functions: Govern, Identify, Protect, Detect, Respond, and Recover, and applies to organisations of every size and sector.

Author: NIST
Latest: CSF 2.0 (2024)
Functions: 6
Adoption: Voluntary
01 · Definition

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a voluntary framework for managing and reducing cybersecurity risk, published by the US National Institute of Standards and Technology. Rather than prescribing specific technologies, it describes cybersecurity outcomes that any organisation can use to assess where it stands, decide where it wants to be, and talk about risk in a common language with executives and partners.

First published in 2014 for critical-infrastructure operators, the framework has become one of the most widely used cybersecurity references in the world. The current version, CSF 2.0 (February 2024), broadened its scope to all organisations and added a governance function. It is freely available and maps to other major standards, so it works as the connective tissue across a broader compliance programme.

"The CSF provides a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or maturity."

NIST, Cybersecurity Framework 2.0
02 · Origin

Why the framework exists

The CSF was created in response to Executive Order 13636 in 2013, which called for a voluntary framework to help critical-infrastructure operators manage cyber risk. NIST convened industry and published version 1.0 in 2014, with a 1.1 refresh in 2018.

Its value turned out to be broader than critical infrastructure. The framework gave organisations a shared vocabulary, a way to describe cybersecurity posture that a security engineer, a CISO, and a board member could all use. That common language is why it spread across sectors and became a fixture of vendor questionnaires, cyber-insurance applications, and regulatory references. CSF 2.0 formalised that broader reality by extending the scope to all organisations.

03 · The Core

The six functions of CSF 2.0

The framework Core is organised around six functions. Govern is new in 2.0 and sits at the centre, informing the five operational functions that follow it.

Govern

GV · new in 2.0

Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy. New in CSF 2.0, and placed at the centre because it informs all the others.

Identify

ID

Understand the assets, data, suppliers, and risks in scope. You cannot protect what you have not catalogued, so this function maps the organization's current cybersecurity risks.

Protect

PR

Implement safeguards to manage risk: identity and access management, awareness training, data security, platform security, and resilience of technology.

Detect

DE

Find and analyse possible cybersecurity attacks and compromises. Continuous monitoring and event analysis to spot the things that get past the safeguards.

Respond

RS

Take action on a detected cybersecurity incident: incident management, analysis, mitigation, reporting, and communication while it is happening.

Recover

RC

Restore assets and operations affected by an incident, and learn from it. The function that gets the business back to normal and feeds lessons into Govern.

04 · Structure

Core, Tiers, and Profiles

The framework has three components that work together: what to achieve, how rigorously, and where you are versus where you want to be.

The Core

The set of cybersecurity outcomes, organised as Functions → Categories → Subcategories. The Subcategories are the specific outcomes you assess against.

Implementation Tiers

Four tiers (1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive) that describe how rigorous and how well integrated an organisation's cyber risk management is.

Profiles

A Current Profile (where you are) and a Target Profile (where you want to be). The gap between them is your prioritised improvement roadmap.

05 · The 2024 update

What is new in CSF 2.0

Released in February 2024, CSF 2.0 is the first major revision since 2014. The headline changes:

  • Added the Govern function, elevating cybersecurity strategy, roles, policy, and supply-chain risk to a top-level outcome
  • Expanded scope from critical infrastructure to organisations of all sizes and sectors
  • Strengthened cybersecurity supply-chain risk management throughout the Core
  • Added implementation resources: quick-start guides, organisational and community profiles, and a searchable reference tool
  • Improved alignment and mapping with other NIST resources and external frameworks
06 · Comparison

CSF vs ISO 27001 and NIST 800-53

These three come up together constantly. They are complementary, not competing: the CSF is the high-level structure, the others supply the detailed controls or the certification.

NIST CSF compared with ISO 27001 and NIST 800-53.

Aspect      | NIST CSF                                      | ISO 27001                                  | NIST 800-53
Type        | Outcome framework                             | Management-system standard                 | Control catalogue
Certifiable | No                                            | Yes (accredited audit)                     | No (basis for assessment)
Best for    | Structure, assessment, board communication    | Proving a managed system to third parties  | US federal programmes (FedRAMP, FISMA)

Many programmes use the CSF as the organising layer and map down to ISO 27001 or 800-53 for detailed controls. For a related comparison, see ISO 27001 vs SOC 2.

07 · Implementation

How to implement the NIST CSF

Six steps that turn the framework into a working programme. The Current-to-Target Profile gap is the engine: it converts an abstract framework into a prioritised, ownable roadmap.

  1. Scope and prioritise

     Decide which parts of the organisation, systems, and risks the framework will cover first, and tie the effort to a business driver: a contract, a regulator, or a board concern.

  2. Build a Current Profile

     Assess where you stand today against the CSF Core outcomes. Score each subcategory honestly: this is your baseline, and it will look uncomfortable, which is the point.

  3. Set a Target Profile

     Define the outcomes you need to reach, informed by your risk appetite, your sector, and any Community Profile that fits your industry. The gap between current and target is your roadmap.

  4. Analyse gaps and prioritise actions

     Compare current and target, prioritise the gaps by risk and effort, assign owners, and turn them into a tracked action plan rather than a static document.

  5. Implement and cross-map

     Execute the plan and map your CSF outcomes to the other frameworks you run (ISO 27001, NIST 800-53, SOC 2) so one control satisfies many requirements.

  6. Monitor and improve

     Re-assess on a cadence, track movement from your baseline, and feed incidents and changes back into the Govern function. The framework is a loop, not a project.
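The Current-to-Target gap described in steps 2 to 4, and the movement tracking in step 6, are simple enough to run as a script. The following is an added example written for this guide; it is not RiskWatch's or NIST's code. The subcategory IDs (GV.OC-01, ID.AM-01, PR.AA-01, DE.CM-01, RS.MA-01, RC.RP-01) are real CSF 2.0 identifiers, but every score, risk weight, effort estimate and owner is constructed sample data, and the 0-4 scoring scale and the priority formula (gap x risk / effort) are assumptions made here, not part of the framework.

```python
"""Current-to-Target Profile gap analysis for a CSF 2.0 assessment.

Added illustration, not RiskWatch's or NIST's code. The subcategory IDs
are real CSF 2.0 identifiers; all scores, risk weights, effort estimates
and owners are constructed sample data. The 0-4 scoring scale and the
priority formula (gap x risk / effort) are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

MAX_SCORE = 4  # assumption: each subcategory scored 0 (absent) to 4 (adaptive)


@dataclass(frozen=True)
class Outcome:
    subcategory: str  # CSF 2.0 subcategory ID, e.g. "PR.AA-01"
    current: int      # Current Profile score, 0..MAX_SCORE
    target: int       # Target Profile score, 0..MAX_SCORE
    risk: int         # risk weight 1..5 set under Govern (constructed)
    effort: int       # estimated effort 1..5 (constructed)
    owner: str        # accountable owner for closing the gap


@dataclass(frozen=True)
class GapItem:
    subcategory: str
    function: str     # two-letter Function code: GV, ID, PR, DE, RS, RC
    gap: int
    priority: float
    owner: str


def function_of(subcategory: str) -> str:
    """'PR.AA-01' -> 'PR': the Function is the prefix before the first dot."""
    return subcategory.split(".", 1)[0]


def validate(outcome: Outcome) -> None:
    """Reject scores outside the scale so a typo cannot hide a gap."""
    for name in ("current", "target"):
        value = getattr(outcome, name)
        if not 0 <= value <= MAX_SCORE:
            raise ValueError(f"{outcome.subcategory}: {name}={value} outside 0..{MAX_SCORE}")
    if outcome.risk < 1 or outcome.effort < 1:
        raise ValueError(f"{outcome.subcategory}: risk and effort must be >= 1")


def gap_analysis(outcomes: Iterable[Outcome]) -> List[GapItem]:
    """Step 4: compare Current with Target and rank the gaps by risk and effort."""
    items: List[GapItem] = []
    for o in outcomes:
        validate(o)
        gap = o.target - o.current
        if gap <= 0:
            continue  # already at or above target: nothing to plan
        priority = round(gap * o.risk / o.effort, 2)
        items.append(GapItem(o.subcategory, function_of(o.subcategory), gap, priority, o.owner))
    # Highest priority first; the subcategory ID breaks ties so the order is stable
    return sorted(items, key=lambda g: (-g.priority, g.subcategory))


def function_summary(outcomes: Iterable[Outcome]) -> Dict[str, float]:
    """Mean current score per Function: the one-line view for a board slide."""
    totals: Dict[str, List[int]] = {}
    for o in outcomes:
        totals.setdefault(function_of(o.subcategory), []).append(o.current)
    return {fn: round(sum(v) / len(v), 2) for fn, v in totals.items()}


def movement(baseline: Iterable[Outcome], reassessed: Iterable[Outcome]) -> Dict[str, int]:
    """Step 6: score change per subcategory between two assessment cycles."""
    before = {o.subcategory: o.current for o in baseline}
    return {o.subcategory: o.current - before[o.subcategory]
            for o in reassessed if o.subcategory in before}


# Constructed sample profile: one subcategory per Function.
SAMPLE_PROFILE = [
    Outcome("GV.OC-01", current=1, target=3, risk=4, effort=2, owner="CISO"),
    Outcome("ID.AM-01", current=2, target=3, risk=3, effort=1, owner="IT Ops"),
    Outcome("PR.AA-01", current=1, target=4, risk=5, effort=3, owner="IAM lead"),
    Outcome("DE.CM-01", current=2, target=3, risk=4, effort=4, owner="SOC"),
    Outcome("RS.MA-01", current=3, target=3, risk=4, effort=2, owner="IR lead"),
    Outcome("RC.RP-01", current=0, target=2, risk=3, effort=3, owner="Platform"),
]

if __name__ == "__main__":
    for item in gap_analysis(SAMPLE_PROFILE):
        print(f"{item.priority:>5}  {item.subcategory}  gap={item.gap}  owner={item.owner}")
    print(function_summary(SAMPLE_PROFILE))
```

On the sample data the ranking puts PR.AA-01 first (large gap, high risk) and DE.CM-01 last (small gap, high effort), and RS.MA-01 drops out because it already meets its target. The point of the script is the loop in step 6: keep the baseline profile, re-score on a cadence, and feed `movement()` back into Govern rather than treating the first assessment as the deliverable.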

Assess against the Core, automatically
Run CSF as a scored, cross-mapped assessment.

RiskWatch ships a pre-built NIST CSF assessment with Current and Target profiles, scores every subcategory, tracks remediation to closure, and cross-maps the Core to ISO 27001, 800-53, and the other frameworks you run, so one control satisfies many.

08 · Frequently asked

NIST CSF, answered

The questions people search most when adopting the framework.

What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) is a voluntary, outcome-based framework for managing and reducing cybersecurity risk. Created by the US National Institute of Standards and Technology, it organises cybersecurity work into a small set of functions and outcomes that any organisation can use to assess where it stands, set goals, and communicate about risk in a common language. It is technology-neutral and widely adopted across sectors and around the world.
What are the functions of the NIST CSF?
CSF 2.0 has six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Govern (added in version 2.0) sits at the centre and covers the cybersecurity risk management strategy and policy that informs the other five. Identify maps assets and risks, Protect applies safeguards, Detect finds incidents, Respond acts on them, and Recover restores operations and captures lessons learned.
What is CSF 2.0 and what changed?
CSF 2.0, released by NIST in February 2024, is the first major update since 2014. The two biggest changes are the addition of the Govern function, elevating cybersecurity governance and supply-chain risk to a top-level outcome, and the expansion of the framework's scope from critical infrastructure to organisations of all sizes and sectors. CSF 2.0 also added implementation resources such as quick-start guides and a searchable reference tool.
What are the three components of the NIST CSF?
The framework has three parts. The Core is the set of cybersecurity outcomes organised by Function, Category, and Subcategory. The Implementation Tiers (1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive) describe how rigorous and integrated an organisation's cyber risk management is. Profiles describe a Current state and a Target state for the Core outcomes, and the gap between them is the improvement roadmap.
Is the NIST Cybersecurity Framework mandatory?
The CSF itself is voluntary. However, it is frequently required indirectly: US federal agencies are directed to use it, many contracts and regulators reference it, and it is a common expectation in vendor security questionnaires and cyber-insurance applications. Many organisations adopt it because it is a clear, defensible way to demonstrate a managed approach to cyber risk.
What is the difference between the NIST CSF and NIST 800-53?
The CSF is a high-level, outcome-based framework that tells you what cybersecurity results to achieve. NIST 800-53 is a detailed catalogue of specific security and privacy controls that tell you how to achieve them, and it anchors federal programmes like FedRAMP and FISMA. Many organisations use the CSF to structure and communicate their programme and map down to 800-53 (or ISO 27001) for the detailed controls.
What is the difference between the NIST CSF and ISO 27001?
Both address cybersecurity, but ISO 27001 is a certifiable management-system standard with formal requirements and an accredited audit, while the NIST CSF is a voluntary, flexible framework with no certification. ISO 27001 proves a managed system to third parties through certification; the CSF is often easier to adopt incrementally and to use for internal assessment and board communication. They map to each other and are frequently run together.
Who created the NIST Cybersecurity Framework?
The framework was created by the National Institute of Standards and Technology (NIST), part of the US Department of Commerce, in response to Executive Order 13636 in 2013. Version 1.0 was published in 2014, version 1.1 in 2018, and version 2.0 in February 2024. NIST develops it in collaboration with industry, and it is freely available.
From the framework to a working program

Turn the NIST CSF into a scored, living roadmap.

A pre-built CSF 2.0 assessment with Current and Target profiles, cross-mapped controls, and remediation tracking. 30-day free trial, no credit card.

