NIST CSF: What Is the Cybersecurity Framework? [2026]

SaltyCloud Research Team

Updated Mar 13, 2026 · Read time: 14 min

What Is NIST CSF? A Complete Guide to the Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is the most widely adopted voluntary cybersecurity framework in the United States. Published by the National Institute of Standards and Technology (NIST), it helps organizations—from federal agencies and critical infrastructure operators to universities and small businesses—understand and manage cybersecurity risk.

NIST CSF 2.0 is the most current version in 2026. Published in 2024, it organizes cybersecurity activities into six core functions, four implementation tiers, 22 categories, and 106 subcategories that explain what good cybersecurity practices look like. Today, organizations in more than 185 countries use the framework as a global benchmark for managing cybersecurity risk.

This guide explains what NIST CSF is, its six core functions, how the framework is structured, what changed in version 2.0, who uses it, how it compares to other frameworks, and how organizations can begin implementation.

What Is NIST CSF?

The NIST Cybersecurity Framework (CSF) is a voluntary risk management framework that helps organizations of all sizes understand their cybersecurity risks, assess existing capabilities, and improve their security posture over time through outcome-based guidance, implementation tiers, and organizational profiles. NIST CSF 2.0 organizes cybersecurity activities into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.

The framework was first released in 2014 following Executive Order 13636, which directed NIST to develop cybersecurity guidance for critical infrastructure. Published in February 2024, the CSF 2.0 update added a new Govern function, expanded the framework to all organizations, and introduced community profiles for different industries.

What Does NIST CSF Stand For?

NIST CSF stands for the National Institute of Standards and Technology Cybersecurity Framework.

  • NIST is the National Institute of Standards and Technology, a U.S. Department of Commerce agency responsible for developing technical standards and guidance.
  • CSF stands for Cybersecurity Framework.

Originally, the framework was titled Framework for Improving Critical Infrastructure Cybersecurity. But when NIST published a major update in 2024, the agency also changed the official title to The NIST Cybersecurity Framework (CSF) 2.0. Today, the framework is commonly referred to as “NIST CSF,” “CSF,” or “CSF 2.0”.

How NIST CSF Works

NIST CSF is designed around outcomes, which means that it does not require organizations to implement a specific set of security controls. Instead, it explains how organizations should manage cybersecurity risk, while allowing them to choose the tools and practices that work best for them.

In other words, the CSF usually starts with a simple question: What cybersecurity outcomes must your organization achieve to manage risk? This approach makes CSF different from prescriptive standards such as NIST 800-53, which tell organizations exactly which security controls to implement.

A Voluntary Framework for Organizations of All Sizes

NIST is a federal agency that develops standards and guidance for cybersecurity. However, unlike regulators, NIST does not enforce rules. As a result, organizations adopt the NIST CSF voluntarily, although some regulations and executive orders reference or encourage alignment with its guidance.

The latest version of the framework, CSF 2.0, expands the framework beyond its original focus on critical infrastructure. Today, organizations of any size or sector, including small businesses, nonprofits, educational institutions, hospitals, power plants, and global enterprises, use CSF to structure cybersecurity risk management programs.

A Structured Approach to Risk Management

The CSF has a clear structure. It includes six core functions, 22 categories, and 106 subcategories that together form the Framework Core, which describes the cybersecurity outcomes organizations should achieve. Organizations then use implementation tiers and organizational profiles to assess their current practices, set target goals, and improve their cybersecurity programs over time.

A Common Language for Cybersecurity Risk

By organizing cybersecurity into clear outcomes that describe what organizations should achieve, using six core functions that are easy for executives to understand, and applying consistent terminology throughout the framework, CSF gives organizations a common language for explaining cybersecurity risk to leadership, boards, and other stakeholders.

History of the NIST Cybersecurity Framework

President Obama signed Executive Order 13636 in 2013, directing NIST to develop a voluntary cybersecurity framework for critical infrastructure to address the growing threat landscape. NIST built the framework through a collaborative process that included input from industry, government, and academic experts.

The framework has evolved through several major releases:

  • CSF Version 1.0 (February 2014): NIST published the first version of the framework under the title Framework for Improving Critical Infrastructure Cybersecurity. It introduced five core functions (Identify, Protect, Detect, Respond, and Recover) along with implementation tiers and profiles.
  • CSF Version 1.1 (April 2018): NIST updated the framework with additional guidance on self-assessment and supply chain risk management, and clarified authentication and identity management. The five-function structure remained unchanged.
  • CSF 2.0 (February 2024): The most significant update since the original release. NIST added a sixth core function (Govern), expanded the framework’s scope beyond critical infrastructure to organizations of all sizes, and introduced community profiles along with enhanced implementation guidance.

What started as guidance for critical infrastructure is now a universal standard for managing cybersecurity risk. Ongoing NIST CSF news and updates continue to influence how organizations approach security governance.

Who Uses the NIST Cybersecurity Framework?

Organizations across sectors use NIST CSF to manage cybersecurity risk, including federal agencies, critical infrastructure operators, universities, healthcare providers, financial institutions, and private companies. To make the framework more relevant and accessible to all organizations, NIST expanded the framework beyond critical infrastructure in CSF 2.0.

| Industry | Why NIST CSF | Key driver |
|---|---|---|
| Federal agencies | Manage cybersecurity risk across government systems | Executive Order 13800 |
| Critical infrastructure | Protect essential services such as energy, transportation, and utilities | Presidential Policy Directive 21 |
| Higher education | Protect federally funded research and sensitive data | CUI requirements, research security programs, and CMMC alignment |
| Healthcare | Align cybersecurity programs with healthcare security requirements | HIPAA Security Rule |
| Financial services | Structure enterprise cybersecurity risk management programs | FFIEC and OCC guidance |
| Private sector (SMBs) | Use a widely recognized framework for improving cybersecurity practices | Voluntary best practice (CSF 2.0 expanded scope) |
| International organizations | Adopt a globally recognized cybersecurity risk framework | Cross-border security and regulatory alignment |

How Different Sectors Use the CSF

Organizations across sectors adopt the NIST Cybersecurity Framework for different regulatory, operational, and risk management reasons.

  • Federal agencies were directed to use CSF to manage cybersecurity risk under Executive Order 13800, signed in May 2017.
  • Critical infrastructure operators across all 16 sectors use CSF as their baseline for cybersecurity risk management. The Cybersecurity and Infrastructure Security Agency (CISA) reinforces this by aligning its Cross-Sector Cybersecurity Performance Goals directly with CSF 2.0 functions.
  • Higher education institutions increasingly adopt CSF to protect federally funded research. For example, Boise State University adopted NIST CSF in 2025 to strengthen its research security program.
  • Healthcare organizations use CSF to align cybersecurity programs with HIPAA Security Rule requirements.
  • Financial services firms often use the framework alongside regulatory guidance from the FFIEC and OCC.

CSF adoption also continues to grow internationally. Since its original release, the framework has been downloaded more than two million times from the NIST website. CSF 2.0’s Quick Start Guides make the framework accessible to organizations that previously found it too complex. As more regulations worldwide reference the framework, understanding NIST CSF compliance requirements is increasingly important.

Six Core Functions of NIST CSF 2.0

The NIST Cybersecurity Framework organizes cybersecurity activities into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Here’s a closer look at each:

  • Govern (New in CSF 2.0): The Govern function establishes how leaders oversee cybersecurity. Leaders set security policies, define responsibilities, and manage cybersecurity risk as part of overall business risk. This function was added in CSF 2.0 to emphasize leadership oversight and accountability.
  • Identify: The Identify function helps organizations understand what they need to protect. This includes knowing what systems, data, and assets exist, understanding potential risks, and finding security gaps.
  • Protect: The Protect function covers the safeguards organizations need to put in place to secure systems and data. This includes things like access controls, employee security training, and protecting sensitive information.
  • Detect: The Detect function helps organizations find cybersecurity incidents as quickly as possible. Teams monitor systems for unusual activity that signals a security issue.
  • Respond: The Respond function describes how an organization should handle a cybersecurity incident once it is discovered. This includes investigating the incident, communicating with stakeholders, and taking steps to limit damage.
  • Recover: The Recover function explains how organizations restore systems and operations after an incident. Recovery plans help bring systems back online and return to normal operations.

| Function | Code | Categories | Purpose |
|---|---|---|---|
| Govern (new in 2.0) | GV | 6 | Establish and monitor cybersecurity risk management strategy, expectations, and policy |
| Identify | ID | 3 | Understand the organization’s cybersecurity risk to systems, assets, data, and capabilities |
| Protect | PR | 5 | Implement safeguards to ensure delivery of critical services |
| Detect | DE | 2 | Identify cybersecurity events in a timely manner |
| Respond | RS | 4 | Take action regarding detected cybersecurity incidents |
| Recover | RC | 2 | Maintain plans for resilience and restore capabilities after an incident |

NIST CSF Implementation Tiers

NIST CSF defines four implementation tiers that describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework. Tiers describe the rigor and sophistication of risk management practices rather than assigning a grade. However, organizations commonly use tiers as a maturity benchmark, and the progression from Tier 1 to Tier 4 does represent increasing organizational capability.

| Tier | Name | Definition |
|---|---|---|
| 1 | Partial | Cybersecurity practices are informal and reactive. Risk awareness is limited and processes are not consistently defined. |
| 2 | Risk Informed | Risk management practices are approved by management but are not consistently implemented across the organization. |
| 3 | Repeatable | The organization has formal cybersecurity policies and processes that are consistently applied and regularly reviewed. |
| 4 | Adaptive | Cybersecurity practices are continuously improved using lessons learned, threat intelligence, and predictive indicators. |

NIST CSF 2.0: What Changed

NIST released CSF 2.0 on February 26, 2024, marking the most significant update to the framework since its original release in 2014. The update expands the framework beyond critical infrastructure and introduces several structural and usability improvements that include:

  • Govern function. A sixth core function, Govern, which emphasizes cybersecurity as an enterprise risk that requires leadership oversight and organizational policy.
  • Expanded scope. The framework now applies to organizations of all sizes and sectors, not just critical infrastructure.
  • Updated subcategories. CSF 2.0 includes 106 subcategories (up from 98 in version 1.1), reflecting refinements to how cybersecurity outcomes are described.
  • Community profiles. New community profiles help industries adapt the framework to sector-specific needs.
  • Improved implementation guidance. NIST introduced updated resources such as the Quick Start Guides to help organizations implement the framework more easily.
  • Online reference tool. NIST launched an interactive reference tool to make navigating the framework easier.

How to Implement NIST CSF

Organizations typically implement the NIST CSF by assessing their current cybersecurity practices, identifying gaps, and developing a roadmap for improvement.

At the highest level, a basic implementation process includes:

  1. Define scope and priorities. Identify the systems, data, and business objectives the framework will cover.
  2. Understand your current posture. Review existing cybersecurity activities and determine your current implementation tier.
  3. Create a Current Profile. Map existing cybersecurity practices to the CSF functions, categories, and outcomes.
  4. Identify gaps and assess risk. Conduct a risk assessment to determine where controls or processes need improvement.
  5. Create a Target Profile and roadmap. Define your desired cybersecurity outcomes and develop a prioritized improvement plan.

To help organizations begin implementation, NIST provides free Quick Start Guides.
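The five steps above come down to comparing two profiles and ordering the differences. The following is an added example (it is not code from the page, from NIST, or from the vendor the page mentions) that models a Current Profile and a Target Profile as mappings from a CSF category identifier to an implementation tier, then performs the gap analysis of step 4 and produces the prioritized list that step 5 turns into a roadmap. The category identifiers in the sample data (GV.OC, ID.AM, and so on) come from the published CSF 2.0 Core, which this page does not list; the tier values, weights, and profiles themselves are constructed for illustration.

```python
"""Gap analysis between a NIST CSF 2.0 Current Profile and a Target Profile.

Added example, not from the page or from NIST. A profile is a mapping from a
CSF category identifier (e.g. "GV.OC") to the implementation tier (1-4) the
organization assigns to that outcome. Sample profiles and weights below are
constructed; category identifiers are from the published CSF 2.0 Core.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Six CSF 2.0 Functions and their two-letter codes, as listed on the page.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}
# Four implementation tiers, as listed on the page.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    outcome: str   # category identifier, e.g. "ID.AM"
    current: int   # tier in the Current Profile (1 if the outcome is absent)
    target: int    # tier in the Target Profile
    delta: int     # number of tiers to climb
    score: float   # delta multiplied by the outcome's weight; drives ordering


def validate_profile(profile: Dict[str, int]) -> None:
    """Reject identifiers outside the six Functions and tiers outside 1-4."""
    for outcome, tier in profile.items():
        func = outcome.split(".", 1)[0]
        if func not in FUNCTIONS:
            raise ValueError(f"{outcome}: unknown Function code {func!r}")
        if tier not in TIERS:
            raise ValueError(f"{outcome}: tier must be 1-4, got {tier!r}")


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 weights: Optional[Dict[str, float]] = None) -> List[Gap]:
    """Find where the Current Profile falls short of the Target Profile.

    Outcomes already at or above their target tier are omitted. Outcomes in the
    Target Profile that are missing from the Current Profile count as Tier 1
    (Partial), since nothing has been assessed for them yet.
    """
    validate_profile(current)
    validate_profile(target)
    weights = weights or {}
    gaps: List[Gap] = []
    for outcome, tgt in target.items():
        cur = current.get(outcome, 1)
        delta = tgt - cur
        if delta <= 0:
            continue
        gaps.append(Gap(outcome, cur, tgt, delta, delta * weights.get(outcome, 1.0)))
    # Largest weighted gap first; ties broken by identifier so the order is stable.
    gaps.sort(key=lambda g: (-g.score, g.outcome))
    return gaps


def function_rollup(profile: Dict[str, int]) -> Dict[str, int]:
    """Lowest tier per Function: a Function is only as mature as its weakest category."""
    rollup: Dict[str, int] = {}
    for outcome, tier in profile.items():
        func = outcome.split(".", 1)[0]
        rollup[func] = min(tier, rollup.get(func, 4))
    return rollup


def roadmap_text(gaps: List[Gap]) -> str:
    """Render the prioritized gap list as plain text for a roadmap document."""
    return "\n".join(
        f"{g.outcome}: Tier {g.current} ({TIERS[g.current]}) -> "
        f"Tier {g.target} ({TIERS[g.target]}), priority {g.score:g}"
        for g in gaps
    )


# Constructed sample data: a Current Profile from a self-assessment and a Target
# Profile aiming for Tier 3 across the board, plus weights that push asset
# management and continuous monitoring up the list because other outcomes depend on them.
CURRENT_PROFILE = {"GV.OC": 1, "GV.RM": 2, "ID.AM": 2, "ID.RA": 1, "PR.AA": 3,
                   "PR.DS": 2, "DE.CM": 2, "RS.MA": 1, "RC.RP": 2}
TARGET_PROFILE = {"GV.OC": 3, "GV.RM": 3, "ID.AM": 3, "ID.RA": 3, "PR.AA": 3,
                  "PR.DS": 3, "DE.CM": 3, "RS.MA": 3, "RC.RP": 3, "DE.AE": 2}
WEIGHTS = {"ID.AM": 2.0, "DE.CM": 1.5}

if __name__ == "__main__":
    print("Current tier per Function:", function_rollup(CURRENT_PROFILE))
    print(roadmap_text(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS)))
```

Two design choices matter here. A target outcome that the Current Profile never assessed is scored as Tier 1 rather than silently skipped, so the roadmap surfaces unassessed areas instead of hiding them. And the per-Function rollup takes the minimum tier rather than an average, because a single Tier 1 category inside Protect is what an attacker meets, whatever the average says.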

Benefits of the NIST Cybersecurity Framework

Organizations use the NIST Cybersecurity Framework because it provides a structured, risk-based approach to managing cybersecurity risk.

  • Common language for cybersecurity. CSF provides a shared vocabulary for security teams, executives, and board members.
  • Applicable across organizations. The framework applies to organizations of any size or industry. CSF 2.0 expanded the framework beyond critical infrastructure.
  • Risk-based prioritization. CSF helps focus resources on the highest-impact risks.
  • Regulatory alignment. CSF maps to standards such as NIST 800-53, ISO 27001, HIPAA, and CMMC through informative references and crosswalks.
  • Continuous improvement. Profiles, gap analysis, and tier progression support ongoing compliance and maturity growth. CISA Performance Goals provide measurable, CSF-aligned practices.

NIST CSF vs Other Frameworks

Organizations often use NIST CSF alongside other frameworks for several reasons. Some regulations require specific standards, such as HIPAA for healthcare or CMMC for defense contractors. In other cases, organizations use CSF to structure cybersecurity risk management while implementing the detailed controls required by frameworks such as NIST 800-53 or ISO 27001.

| Framework | Type | Why orgs use it | Relationship to CSF | Mandatory? |
|---|---|---|---|---|
| NIST 800-53 | Control catalog | U.S. federal systems and contractors handling federal data | CSF outcomes often map to 800-53 controls | Yes (federal) |
| ISO 27001 | Information security management system (ISMS) standard | Organizations seeking international certification | Significant overlap; often implemented alongside CSF | Voluntary (certification-based) |
| CMMC | Maturity certification | Companies in the U.S. Department of Defense supply chain | Built on NIST 800-171, which derives from 800-53 | Yes (DoD contractors) |
| HIPAA Security Rule | Healthcare security regulation | U.S. healthcare providers and organizations handling protected health information | CSF outcomes map to HIPAA security safeguards | Yes |
| NIST RMF (800-37) | Risk management process | U.S. federal systems | RMF is the process used to implement frameworks like 800-53 | Yes (federal) |

NIST CSF Tools and Assessment

The NIST Cybersecurity Framework site hosts the CSF 2.0 reference tool, Quick Start Guides, implementation examples, and community profiles. GRC platforms help operationalize CSF assessments across departments.

How to Simplify NIST CSF Compliance

Coordinating assessments, evidence collection, and progress tracking across six CSF functions and multiple departments is hard. Spreadsheets circulate, questionnaires get buried in email threads, and no one has a clear view of maturity across the framework.

Isora GRC, the collaborative GRC Assessment Platform built for security teams, gives you one shared workspace to run NIST CSF assessments and coordinate responses across the organization.

  • Assessment distribution: Send CSF questionnaires to control owners across teams and collect responses, evidence, and documentation in one place. Quickly see the status of all assessments in one centralized view.
  • Maturity scoring: Measure cybersecurity maturity across the six CSF functions and track progress over time.
  • Reporting and oversight: Generate reports that summarize assessment results and support communication with leadership, boards, and auditors.

See how Isora GRC simplifies NIST CSF compliance

NIST CSF FAQs

What is NIST CSF?

The NIST Cybersecurity Framework (CSF) is a voluntary cybersecurity risk management framework that helps organizations understand their cybersecurity risks and shows what good cybersecurity practices look like. Published by the National Institute of Standards and Technology (NIST) in 2024, NIST CSF 2.0 organizes cybersecurity into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. The current version is CSF 2.0, released in February 2024.

What does NIST CSF stand for?

NIST CSF stands for the National Institute of Standards and Technology Cybersecurity Framework. NIST is a U.S. government agency that develops standards and guidance for technology and cybersecurity. The Cybersecurity Framework is one of its most widely used publications for managing cybersecurity risk.

Is NIST CSF mandatory?

No, NIST CSF is voluntary. However, Executive Order 13800 directed federal agencies to use the framework to manage cybersecurity risk, and many organizations adopt it because regulators and industry guidance often reference or encourage alignment with CSF.

What are the 6 functions of NIST CSF?

The six functions are Govern, Identify, Protect, Detect, Respond, and Recover. They describe the key steps organizations take to manage cybersecurity and respond to attacks. The Govern function was added in CSF 2.0.

What is the difference between NIST CSF and NIST 800-53?

NIST CSF and NIST 800-53 serve different purposes. CSF explains what good cybersecurity should achieve, while NIST 800-53 lists the specific security controls organizations can implement to achieve it.

What changed in NIST CSF 2.0?

CSF 2.0 introduced several updates, including the introduction of a new function called Govern, expanding the framework so organizations of any size can use it, offering community profiles for different industries, and adding new guidance to help organizations implement the framework.

Who uses NIST CSF?

Organizations across many industries use NIST CSF, including federal agencies, critical infrastructure operators, universities, healthcare providers, financial institutions, and private companies around the world.

How many tiers are in NIST CSF?

NIST CSF has four implementation tiers: Partial, Risk Informed, Repeatable, and Adaptive. These tiers describe how well an organization manages cybersecurity risk, from informal and reactive practices to structured programs that continuously improve.

Is NIST CSF the same as NIST RMF?

No, CSF is not the same as NIST RMF. NIST CSF explains what good cybersecurity should achieve, while RMF is a step-by-step process for selecting and managing security controls. But they are complementary—organizations can use CSF to organize their cybersecurity program and RMF to implement and monitor the controls that support it.

How many controls are in NIST CSF?

NIST CSF does not define controls in the prescriptive sense. Instead, it organizes cybersecurity outcomes into 6 functions, 22 categories, and 106 subcategories.

How do I get started with NIST CSF?

Start by reviewing your current cybersecurity practices and creating a Current Profile. Identify gaps and define a Target Profile that describes the improvements you want to make. NIST also provides free Quick Start Guides to help organizations get started.

Key Takeaways

The NIST Cybersecurity Framework (CSF) gives organizations a structured, outcome-based approach to managing cybersecurity risk. With six core functions, 22 categories, 106 subcategories, and four implementation tiers, CSF 2.0 applies to organizations of any size and sector.

Whether you’re a federal agency required to adopt the framework, a critical infrastructure operator aligning with sector-specific guidance, or a private organization seeking a proven risk management approach, CSF provides the common language and structure to assess, prioritize, and improve your cybersecurity posture over time.

Ready to assess your organization’s maturity? See how Isora GRC simplifies CSF assessments.
