Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesFrameworks & Standards

What is the NIST Cybersecurity Framework?

The NIST CSF is the most widely used way to organise a security programme. Here is what it is and how CSF 2.0 changed it.

6 min read

The NIST Cybersecurity Framework (CSF) is a voluntary framework from the US National Institute of Standards and Technology for organising and improving a cybersecurity programme. It is widely adopted worldwide because it is practical, outcome-based, and maps cleanly to other standards.

CSF 2.0, released in 2024, added a new Govern function and broadened the framework beyond critical infrastructure to any organisation. This guide covers its structure and how to use it.

Key takeaways
  • CSF is a voluntary framework for structuring a programme, not a certification.
  • CSF 2.0 has six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
  • Tiers describe how mature your practices are; Profiles describe your current and target state.
  • It is a common language that maps to ISO 27001, SOC 2, and regulatory frameworks.

The six functions

CSF 2.0 organises cybersecurity outcomes into six functions:

  • Govern: set and monitor strategy, roles, and risk management (new in 2.0).
  • Identify: understand assets, risks, and exposure.
  • Protect: put safeguards in place.
  • Detect: find events quickly.
  • Respond: act on incidents.
  • Recover: restore operations.

Tiers and profiles

Tiers (1 to 4) describe how rigorous and adaptive your risk practices are, from partial to adaptive. Profiles let you describe your current state and a target state, so the gap between them becomes your roadmap. Together they turn the framework into a plan rather than a static list.

How to use it

Most organisations use CSF as the backbone of their programme: map current controls to the functions, identify gaps against a target profile, and prioritize. Because CSF maps to standards like ISO 27001 and SOC 2, it also helps you avoid duplicating work across multiple compliance efforts.

Frequently asked questions

Is the NIST CSF mandatory?
It is voluntary for most organisations, though some sectors and contracts reference it. Its value is as a widely understood way to structure and communicate a security programme.
What is new in CSF 2.0?
The biggest change is the new Govern function, which elevates governance and risk management. CSF 2.0 also applies to organisations of all types and sizes, not just critical infrastructure.
Does CSF replace ISO 27001 or SOC 2?
No. CSF organises your programme, while ISO 27001 certifies a management system and SOC 2 attests to controls. They complement each other and map together.
How does NMT help with the NIST CSF?
NMT gives you continuous visibility across the CSF functions, quantifies risk to prioritize, and maps evidence so your CSF profile stays current instead of being a once-a-year exercise.

Put a framework behind your programme

Get a clear, prioritized view of your risk aligned to the CSF functions.

Get your free risk score
Related
NOVA DRIM platform Guide: What is Cyber Risk Quantification? Guide: What is ISO 27001?