The NIST Cybersecurity Framework (NIST CSF) is a widely adopted, flexible framework developed by the National Institute of Standards and Technology in the United States. It’s designed to help organisations of all sizes manage and reduce cybersecurity risk in a structured, repeatable, and risk-based way.
Contents
🧱 Core Structure of NIST CSF
The framework is organised into five core functions, each representing a high-level cybersecurity outcome:
| Function | Description |
|---|---|
| 1. Identify | Understand your environment to manage cybersecurity risks to systems, assets, data, and capabilities. |
| 2. Protect | Implement safeguards to ensure delivery of critical services and limit the impact of a potential event. |
| 3. Detect | Develop and implement activities to identify the occurrence of a cybersecurity event. |
| 4. Respond | Take action regarding a detected cybersecurity incident. |
| 5. Recover | Maintain plans for resilience and restore any capabilities or services impaired due to a cybersecurity event. |
📂 Each Function Contains:
- Categories (e.g. Asset Management, Awareness & Training, Data Security)
- Subcategories (specific outcomes like “Data-at-rest is protected”)
- Informative References (e.g. NIST SP 800-53, ISO 27001, COBIT)
🛠️ Why Use NIST CSF?
- ✅ Non-prescriptive — It tells you what to do, not how to do it.
- ✅ Customisable — Can be tailored to any industry, size, or risk appetite.
- ✅ Widely recognised — Used by governments, critical infrastructure, and private sector.
- ✅ Improves communication — Helps bridge the gap between technical teams and executives.
🧪 Real-World Use Case
A financial firm uses the NIST CSF to:
- Identify critical assets and business functions
- Protect data using encryption and access controls
- Detect threats with SIEM and EDR
- Respond with a documented incident response plan
- Recover using a tested disaster recovery plan
📊 NIST CSF Versions
- Version 1.0 (2014): Original release
- Version 1.1 (2018): Enhanced supply chain and identity management
- Version 2.0 (2024): Adds governance as a 6th function and enhances international alignment