
NIST CSF

The NIST Cybersecurity Framework - voluntary guidelines helping organisations manage cyber risk through six functions: govern, identify, protect, detect, respond, recover.

What is NIST CSF?

NIST CSF (Cybersecurity Framework) is a cyber risk management framework developed by the National Institute of Standards and Technology (NIST). The first version was published in 2014 at the request of the US administration, and version 2.0 was released in February 2024. Although NIST CSF is not mandatory (except for US federal agencies), it has become one of the most widely adopted cybersecurity frameworks worldwide.

NIST CSF 2.0 defines six security functions:

Govern (new in v2.0) - establishing cybersecurity strategy and governance.
Identify - identifying assets, risks and business context.
Protect - implementing protective measures.
Detect - detecting security incidents.
Respond - responding to detected incidents.
Recover - restoring normal operations after an incident.

Each function is divided into categories and subcategories defining specific practices. The framework also includes profiles (target and current security state) and tiers (maturity levels from 1-Partial to 4-Adaptive). NIST CSF can be mapped to other standards: ISO 27001, CIS Controls, COBIT.

Why does it matter?

NIST CSF offers a common language for communicating about cybersecurity between technical teams and senior management. It is general enough to apply in any industry, yet detailed enough to serve as a practical guide. Many regulations (including NIS2) reference NIST CSF as one of the recognised security assessment frameworks.
