The NIST Cybersecurity Framework

The CSF core is a three-tier hierarchy. At the top are the six functions, which name broad cybersecurity outcomes. Each function contains categories that group related activities. Each category contains subcategories that describe specific, measurable outcomes. The subcategories are the actionable layer: they are concrete enough to be assigned to a team, mapped to a control, or used as an audit criterion.

Govern sits at the centre of the CSF 2.0 model. It asks: does the organisation have a documented cybersecurity strategy? Are roles and responsibilities defined? Is there a policy that drives the other five functions? Without Govern, the other functions risk being implemented inconsistently, underfunded, or disconnected from business objectives. The categories under Govern include Organisational Context, Risk Management Strategy, Cybersecurity Supply Chain Risk Management, Roles and Responsibilities, Policies and Procedures, and Oversight.

The remaining five functions address the operational lifecycle of cybersecurity. Identify covers asset management, risk assessment, and improvement activities: you must know what you have and what threatens it before you can protect it. Protect covers access control, awareness and training, data security, and platform security. Detect covers continuous monitoring and adverse event analysis. Respond covers incident management, analysis, mitigation, and communication. Recover covers incident recovery planning, restoration, and communication with stakeholders after an incident.

The four implementation tiers characterise how an organisation manages cybersecurity risk, from ad hoc to adaptive. They are not a scoring ladder where higher is always better. An organisation should operate at the tier that matches its risk exposure, regulatory environment, and available resources. A small community library has a very different risk profile from a national payment processor; forcing the library to Tier 4 practices would be wasteful and is not the framework's intent.

• Tier 1: Partial. Cybersecurity risk management is not formalised. Practices are ad hoc and reactive. Risk awareness exists at the individual level but is not shared across the organisation.
• Tier 2: Risk Informed. Risk management practices exist but are not organisation-wide. Cybersecurity information is shared internally in some cases but is not consistent. There is awareness of risk but no formal programme.
• Tier 3: Repeatable. Formally approved risk management practices are consistently applied across the organisation. Risk-informed policies and procedures update regularly based on business needs and a changing threat environment.
• Tier 4: Adaptive. The organisation uses lessons learned and predictive analysis to update cybersecurity practices continuously. Active sharing of threat intelligence with partners occurs. Risk management is integrated into organisational culture.

In practice, most organisations that have formally adopted the CSF sit at Tier 2 or Tier 3. Tier 4 is appropriate for organisations with significant threat actor interest (national infrastructure, major financial institutions, large defence contractors) and the resources to sustain continuous adaptive practices. Tier assessments are typically made per function or per major system, not for the whole organisation as a single number.

A profile translates the CSF core into a prioritised set of outcomes for a specific organisation, sector, or use case. The profile exercise forces concrete decisions: which subcategories matter most for this organisation's business context and risk tolerance, and which are lower priority? Those decisions reflect business mission, legal obligations, risk appetite, and resource constraints.

The process has two steps. First, construct a Current Profile by assessing which CSF subcategories the organisation currently meets, partially meets, or does not meet. This is essentially a gap analysis against the full subcategory list. Second, construct a Target Profile by selecting the subcategories the organisation aims to satisfy, at what tier, within a defined planning horizon. The gap between Current and Target becomes the roadmap. Subcategories in the gap are ranked by risk priority: a gap in a subcategory covering access control for privileged accounts is typically higher priority than a gap in one covering documentation formatting.

NIST and sector bodies publish Community Profiles: pre-built Target Profiles for specific industries or use cases. Examples include profiles for small businesses, for higher education, and for water and wastewater utilities. A Community Profile provides a starting point so organisations do not have to conduct the full subcategory-by-subcategory exercise from scratch. An organisation adopts a Community Profile as its initial Target and then adjusts it to reflect its specific context.

NIST published CSF 2.0 in February 2024 after an extended public comment process that began in 2022. The headline change is the addition of the Govern function. CSF 1.1 treated governance as context that sat around the framework rather than a core function within it. CSF 2.0 brings governance into the core, recognising that cybersecurity decisions without a governance structure to coordinate them tend to produce inconsistent, underfunded, and poorly communicated outcomes.

The supply chain additions are significant. Cybersecurity Supply Chain Risk Management (C-SCRM) now sits as a dedicated category under Govern. It addresses the risk that a supplier, vendor, or third-party service provider introduces vulnerabilities into an organisation's environment. This reflects high-profile incidents such as the 2020 SolarWinds compromise, in which attackers used a trusted software update mechanism to reach thousands of downstream organisations. Organisations using CSF 1.1 will find their supply chain controls underweighted relative to what CSF 2.0 now expects.

For organisations already using CSF 1.1, the transition is not a full restart. NIST provides a mapping document showing how each CSF 1.1 subcategory corresponds to CSF 2.0 subcategories. The five original functions remain, and their category structures are largely recognisable. The practical work of transitioning is primarily: completing a Govern assessment (which was not previously required), reviewing supply chain controls against the new C-SCRM category, and updating any internal documentation that references CSF 1.1 function names.

Organisations new to the CSF often ask where to start. NIST's recommended entry point is the Current Profile exercise, because it forces the organisation to confront what it actually has in place rather than what it believes or hopes it has. The exercise works best as a cross-functional workshop: IT, security, legal, compliance, and business unit leaders should all participate, because many CSF subcategories (particularly under Govern and Identify) describe organisational decisions, not just technical configurations.

Once the Current Profile is complete, the organisation constructs a Target Profile by selecting the subcategories it needs to satisfy, informed by its risk register, regulatory obligations, and business priorities. The gap between Current and Target produces a prioritised action plan. Priorities are determined by risk: a gap in a control that addresses a high-likelihood, high-impact threat scenario outranks a gap in a control addressing an unlikely, low-impact scenario. This is exactly the output of a formal risk assessment, which should feed into the Target Profile exercise.

The CSF is also a communication tool between an organisation and its auditors, regulators, and customers. When a regulator asks about cybersecurity posture, a profile-based summary is more useful than a raw list of controls. When a customer conducts vendor due diligence, asking for a CSF Current Profile is a common and efficient request. Organisations in the European Union may be subject to the NIS2 Directive, which requires risk management measures and incident reporting in terms that align closely with the CSF Protect, Detect, and Respond functions; having a CSF profile makes NIS2 evidence gathering faster.

No organisation uses the CSF in isolation. The framework is designed to coexist with and map to other standards. ISO/IEC 27001 is the most widely used international information security management standard; NIST publishes a crosswalk showing how ISO 27001 Annex A controls correspond to CSF subcategories. An organisation already certified to ISO 27001 will find that it satisfies a significant portion of the CSF Protect and Identify subcategories through its existing control set.

CIS Controls (published by the Center for Internet Security) provide a prioritised, highly prescriptive list of 18 control groups and 153 safeguards, organised into Implementation Groups by organisation size and risk profile. The CIS Controls and CSF are complementary: the CSF provides the outcome-oriented framework and governance layer, while CIS Controls provide specific technical safeguards that satisfy many CSF subcategories. See CIS Controls and Implementation Groups for a detailed treatment.

NIST SP 800-53, the US federal government's control catalogue, is more granular than the CSF: it specifies hundreds of individual controls organised into control families. Federal agencies in the United States must satisfy SP 800-53 as part of the Federal Risk and Authorization Management Program (FedRAMP) and the Risk Management Framework (RMF). The CSF maps to SP 800-53 control families, so a federal agency can use its CSF profile to communicate its SP 800-53 posture in a more accessible format for executives and board members who are not familiar with control-family notation.