What is NIST CSF?

The US Cybersecurity Framework: what it covers, the six core functions in version 2.0, who uses it, and how it relates to SOC 2 and ISO 27001.

The short answer

The NIST Cybersecurity Framework (NIST CSF) is a voluntary framework published by the US National Institute of Standards and Technology. It gives organisations a common language for describing, managing, and reducing cybersecurity risk. NIST CSF 2.0, released in February 2024, is the current version.

Unlike SOC 2 or ISO 27001, NIST CSF is not certified or audited by a third party. There is no NIST CSF certificate. Instead, organisations use it as a self-assessment tool to organise their security program, communicate about risk with stakeholders, and benchmark progress over time.

The six core functions (NIST CSF 2.0)

CSF 2.0 added Govern as a new top-level function, bringing the total to six. These functions are the framework's spine — every CSF category and subcategory lives under one of them.

Govern (new in 2.0)
Cybersecurity risk management strategy, governance, roles, and policy. Establishes who is accountable for what and how cyber risk fits into broader enterprise risk.
Identify
Asset management, business environment, risk assessment, supply chain. The "what do we own and what could go wrong" function.
Protect
Access control, awareness and training, data security, platform security, identity management. The preventive controls.
Detect
Continuous monitoring, anomaly detection, security event analysis. The "are we under attack right now" function.
Respond
Incident response, analysis, communications, mitigation. What you do when something happens.
Recover
Recovery planning, improvements, communications. Getting back to normal operations and learning from incidents.

Implementation Tiers

CSF describes four implementation tiers (Partial, Risk Informed, Repeatable, Adaptive) that characterise how rigorously an organisation manages cyber risk.

The tiers are not "maturity levels" you progress through; they're descriptors. A small company might rationally choose to operate at Tier 2 while a financial institution targets Tier 4.

Profiles

A CSF Profile is your organisation's tailored snapshot — which subcategories matter, what your current state is, and what your target state is. The gap between current and target is your improvement roadmap.

NIST also publishes Community Profiles for specific sectors (manufacturing, election infrastructure, ransomware-resistant, smart grid) — pre-built starting points for industries that share threat profiles.

How NIST CSF relates to other frameworks

CSF is intentionally framework-agnostic. It maps to NIST 800-53, ISO 27001/27002, COBIT, and many others through published crosswalks.

For a fuller walkthrough including how to choose between CSF, SOC 2, and ISO 27001, see our managing multiple frameworks guide.

How to implement NIST CSF — a practical sequence

The framework itself is descriptive, not prescriptive. The path that actually works for a small or mid-sized organization looks like this:

  1. Set scope and stakeholders. Pick the business unit, product line, or operating environment to start with. Identify an executive sponsor, a program lead, and a function owner for each of the six functions.
  2. Build the Current Profile. Score each of the ~106 subcategories on a 0–4 scale for where you are today. Use whatever evidence you already have — policies, tickets, scan results. Don't try to look good; the point is to know.
  3. Build the Target Profile. Score each subcategory for where you need to be. Drive the target from real business inputs — regulatory requirements, customer contractual demands, board appetite — not from a desire to max out every score.
  4. Identify gaps and prioritize. The delta between Current and Target is your roadmap. Sort projects by risk reduction per dollar, not by which function feels weakest. A 1.0 → 2.0 lift in Detect often beats a 3.0 → 4.0 lift in Identify.
  5. Execute and measure. Run the projects. Measure outcomes (controls deployed, incidents avoided, MTTR), not activity (meetings held, tickets filed). Update the Current Profile quarterly so the program is alive, not a 200-slide deck.
  6. Re-baseline annually. Threats change. Business changes. Redo the gap analysis every 12 months and adjust the Target Profile.
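Steps 2 to 4 above are a small computation once the scores exist: every subcategory gets a current and a target score on the 0–4 scale, the delta is the gap, and open gaps are ranked by risk reduction per dollar rather than by which function looks weakest. The script below is an added illustration of that gap analysis; it is not LukaGRC's or NIST's code. The subcategory IDs follow the CSF 2.0 naming pattern (function.category-number, e.g. DE.CM-01), and all scores, cost estimates and risk weights are constructed sample data.

```python
"""Current vs Target Profile gap analysis for NIST CSF 2.0 (added example).

All scores, costs and risk weights below are constructed sample data.
"""
from dataclasses import dataclass
from statistics import fmean

# CSF 2.0 function prefixes as they appear in subcategory IDs ("DE" in "DE.CM-01").
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class SubcategoryScore:
    """One row of a profile: current and target score for a CSF subcategory."""
    sub_id: str          # CSF 2.0 subcategory ID, e.g. "DE.CM-01"
    current: int         # 0-4: where the organisation is today
    target: int          # 0-4: where business inputs say it needs to be
    cost_kusd: float     # constructed estimate (thousand USD) to close the gap
    risk_weight: float   # constructed: relative exposure while the gap stays open

    def __post_init__(self) -> None:
        if self.sub_id[:2] not in FUNCTIONS:
            raise ValueError(f"unknown CSF function prefix in {self.sub_id}")
        for score in (self.current, self.target):
            if not 0 <= score <= 4:
                raise ValueError(f"{self.sub_id}: scores must be on the 0-4 scale")
        if self.cost_kusd <= 0 or self.risk_weight <= 0:
            raise ValueError(f"{self.sub_id}: cost and risk weight must be positive")

    @property
    def function(self) -> str:
        return FUNCTIONS[self.sub_id[:2]]

    @property
    def gap(self) -> int:
        # A subcategory already at or above its target contributes no gap.
        return max(self.target - self.current, 0)

    @property
    def risk_reduction_per_kusd(self) -> float:
        """Risk reduction bought per thousand dollars of project cost."""
        return self.gap * self.risk_weight / self.cost_kusd


def gaps_by_function(profile):
    """Roll subcategory scores up to the six functions (mean current, target, gap)."""
    rows = {}
    for name in FUNCTIONS.values():
        members = [s for s in profile if s.function == name]
        if not members:
            continue
        current = fmean(s.current for s in members)
        target = fmean(s.target for s in members)
        rows[name] = {"current": current, "target": target, "gap": target - current}
    return rows


def prioritize(profile):
    """Open gaps ordered by risk reduction per dollar, best first (ties by ID)."""
    open_gaps = [s for s in profile if s.gap > 0]
    return sorted(open_gaps, key=lambda s: (-s.risk_reduction_per_kusd, s.sub_id))


# Constructed sample profile: one or two subcategories per function.
SAMPLE_PROFILE = [
    SubcategoryScore("GV.OC-01", current=1, target=3, cost_kusd=20, risk_weight=1.0),
    SubcategoryScore("ID.AM-01", current=2, target=3, cost_kusd=15, risk_weight=1.2),
    SubcategoryScore("ID.RA-01", current=3, target=4, cost_kusd=40, risk_weight=1.0),
    SubcategoryScore("PR.AA-01", current=2, target=4, cost_kusd=60, risk_weight=2.0),
    SubcategoryScore("DE.CM-01", current=1, target=2, cost_kusd=25, risk_weight=3.0),
    SubcategoryScore("RS.MA-01", current=1, target=3, cost_kusd=30, risk_weight=2.0),
    SubcategoryScore("RC.RP-01", current=3, target=3, cost_kusd=10, risk_weight=1.0),
]

if __name__ == "__main__":
    print("Function roll-up (what the board slide shows):")
    for name, row in gaps_by_function(SAMPLE_PROFILE).items():
        print(f"  {name:<9} current={row['current']:.1f} target={row['target']:.1f} "
              f"gap={row['gap']:.1f}")
    print("Roadmap ordered by risk reduction per $k (what the team works on):")
    for s in prioritize(SAMPLE_PROFILE):
        print(f"  {s.sub_id} gap={s.gap} score={s.risk_reduction_per_kusd:.3f}")
```

With the sample data the roll-up shows Govern, Protect and Respond tied for the largest function-level gap, yet the second project on the roadmap is DE.CM-01, because a single-point lift in Detect carries a high risk weight at low cost. That is the page's point about ranking projects by risk reduction per dollar rather than by the weakest-looking function.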

How NIST CSF maps to specific control catalogs

CSF is the executive-level framework; you still need a granular control catalog to actually do the work. NIST publishes an "Informative References" mapping that ties each CSF subcategory to specific controls in catalogs such as NIST 800-53 and ISO 27001 Annex A.

The most common production setup we see: CSF on the slides, 800-53 or ISO Annex A in the GRC tool. CSF tells the board what's happening; the control catalog gives the auditors something to test.

Common questions

Is NIST CSF mandatory?

For most organisations, no — it's voluntary. However, US federal agencies, contractors, and some state laws now require it (or pieces of it). Many enterprise customers expect it as part of their vendor assessment.

Can I get certified in NIST CSF?

No. NIST does not certify organisations against CSF. You can self-assess and document your tier/profile, and third parties can attest to your conformance, but there's no official certificate.

What are the 6 functions of NIST CSF 2.0?

Govern (organizational context, risk strategy, roles and policies), Identify (asset, supplier, and risk inventory), Protect (access control, data security, training), Detect (continuous monitoring, anomaly detection), Respond (incident response, communication, mitigation), and Recover (recovery planning, communications, improvements). Govern was added in 2.0; the other five existed in CSF 1.1.

What are the 4 implementation tiers?

Tier 1 Partial (ad-hoc, reactive), Tier 2 Risk Informed (risk-aware but inconsistent), Tier 3 Repeatable (formal policies, organization-wide), Tier 4 Adaptive (continuous improvement, threat-informed). Tiers describe how mature your processes are, not how many controls you have.

What's a CSF profile?

A profile is a documented snapshot of which CSF outcomes you currently achieve (Current Profile) and which you intend to achieve (Target Profile). The gap between them becomes your roadmap. Profiles let you tailor the framework to your sector, size, and risk tolerance.

How long does NIST CSF implementation take?

For a small SaaS doing a basic Current Profile + gap analysis: 4–8 weeks. Reaching Tier 3 (repeatable, organization-wide) is a 6–18 month effort depending on starting point. Tier 4 takes years because it requires real continuous improvement cycles, not just documentation.

How does NIST CSF map to NIST 800-53?

NIST publishes an Informative References mapping from each CSF subcategory to specific 800-53 controls. Use CSF for executive-level structure and 800-53 for granular control implementation. Most federal contractors track both — CSF for the board narrative, 800-53 for the auditor.

What changed in NIST CSF 2.0?

The biggest changes: a new Govern function (bringing the total to six), broader applicability (CSF 1.x was framed around critical infrastructure; 2.0 explicitly targets all organisations), and updated subcategories to reflect contemporary threats like supply chain and ransomware.

Is NIST CSF a replacement for SOC 2 or ISO 27001?

No. CSF is an organising framework, not an audit framework. You use CSF to structure your program; you use SOC 2 or ISO 27001 to produce evidence that satisfies customers and regulators.

Is NIST CSF free?

Yes. NIST publishes the framework, all reference materials, OSCAL data, and the quick-start guides at no cost. The cost comes from implementation labor and the GRC tooling you use to track it.

Last updated: May 25, 2026 · Reviewed by the LukaGRC compliance team
