The NIST Cybersecurity Framework, explained

7 min read · Updated June 2026

The NIST Cybersecurity Framework (CSF) is a voluntary, widely used way to organise and improve how you manage cybersecurity risk. Version 2.0 groups the work into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It is outcome-based, so you use it to assess maturity and prioritise improvement rather than to pass a fixed test.

What the NIST CSF is

The Cybersecurity Framework is published by the US National Institute of Standards and Technology (NIST). It is voluntary and sector-neutral, designed to give any organisation a common structure and language for managing cybersecurity risk. Version 2.0, released in 2024, broadened its audience beyond critical infrastructure to organisations of all sizes.

It is a framework, not a certification. There is no CSF certificate to earn; the value is a shared structure for understanding where you are and where you want to be.

The six functions

CSF 2.0 organises outcomes into six functions, which together describe a full cybersecurity programme:

  • Govern: the strategy, roles, and policy that set how cybersecurity risk is managed. This function was added in 2.0.
  • Identify: understanding your assets, data, and risks.
  • Protect: the safeguards that reduce the likelihood and impact of incidents.
  • Detect: finding incidents and anomalies quickly.
  • Respond: acting on a detected incident to contain and manage it.
  • Recover: restoring services and learning from what happened.

Tiers and profiles

Two tools make the framework practical. Tiers (from Partial to Adaptive) describe how rigorous and repeatable your risk management is. Profiles describe your current state and your target state, so the gap between them becomes your improvement plan.

This is why the CSF works well as a maturity tool: you baseline a current profile, agree a target profile, and track progress between them over time.

How it relates to other frameworks

The CSF is deliberately high level, so it maps cleanly onto more detailed standards. It cross-references ISO 27001 and SOC 2, so work you do for those carries across, and it sits above NIST 800-53, a much larger control catalogue used heavily in US federal contexts.

A common pattern is to use the CSF as the organising layer for your programme, then satisfy a certification like ISO 27001 underneath it using the same control work.

How to use it

  1. Baseline a current profile across the six functions, honestly.
  2. Set a target profile based on your risk and your obligations.
  3. Prioritise the gaps that reduce the most risk first.
  4. Track controls and evidence against the functions, with owners and review dates.
  5. Reassess on a cadence, so maturity is something you can show improving.

Frequently asked questions

Is the NIST CSF a certification?

No. The NIST CSF is a voluntary framework, so there is no certificate to earn or accrediting body. Organisations self-assess their maturity against it using tiers and profiles. It is often used alongside a certification like ISO 27001, which the CSF cross-references.

What is the difference between the CSF and NIST 800-53?

The CSF is a high-level framework of outcomes across six functions, useful for organising and communicating a programme. NIST 800-53 is a large, detailed catalogue of specific security controls, used heavily in US federal contexts. The CSF can be implemented using 800-53 controls underneath it.

What changed in CSF 2.0?

The biggest change was adding the Govern function, which raises governance, strategy, and roles to the same level as the technical work. Version 2.0 also broadened the framework beyond critical infrastructure to organisations of all sizes and sectors.

Do this in a fraction of the time

Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.