The NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a voluntary, risk-based framework published by the US National Institute of Standards and Technology. It is deliberately technology-neutral and adaptable to any organization size or sector.

Its strength is a simple, memorable structure for organizing a security program. Originally built for critical infrastructure, it is now used broadly worldwide as a common language for cybersecurity risk.

The heart of the CSF is the Core, organized into high-level Functions. The classic five are:

• Identify — understand your assets and risks.
• Protect — put safeguards in place.
• Detect — find events when they happen.
• Respond — act on detected incidents.
• Recover — restore and learn.

CSF 2.0 (2024) adds a sixth, Govern, wrapping the others with oversight and strategy.