Voluntary framework
NIST Cybersecurity Framework 2.0
Voluntary framework

NIST Cybersecurity Framework 2.0

All frameworks

What it is

A voluntary framework published by the U.S. National Institute of Standards and Technology that organizes cybersecurity outcomes into six high-level Functions. It is the most common 'common language' framework used across industries.

Who uses it

Used by organizations of any size or sector — federal contractors, healthcare, finance, SaaS, manufacturing — usually as the umbrella program structure that other frameworks (ISO 27001, SOC 2, HIPAA) plug into.

Why it matters

Gives GRC teams a stable vocabulary to describe a program to executives, auditors, and engineers. Maps cleanly to most other frameworks, which is why crosswalks usually start here.

Structure

Govern (GV)

Oversight, strategy, roles, policy, risk appetite, supply chain — the function added in 2.0 that elevates governance to a top-level concern.

Identify (ID)

Asset management, business environment, risk assessment — understand what you have and what could go wrong.

Protect (PR)

Access control, awareness training, data security, baseline configurations — the safeguards that reduce likelihood.

Detect (DE)

Continuous monitoring, anomaly detection, event analysis — knowing when something is happening.

Respond (RS)

Incident response planning, communications, analysis, mitigation — what you do during an event.

Recover (RC)

Recovery planning, improvements, communications — restoring services and learning from the event.

Terminology

Function
One of the six top-level categories (Govern, Identify, Protect, Detect, Respond, Recover).
Category
Subdivision of a Function (e.g., 'Asset Management' under Identify).
Subcategory
Specific outcome statement (e.g., 'ID.AM-01: Inventories of hardware are maintained').
Profile
A snapshot showing current-state outcomes vs. target-state outcomes.
Tier
Maturity descriptor (Partial, Risk-Informed, Repeatable, Adaptive).

Beginner explanation

Think of CSF as the table of contents for a cybersecurity program. It does not tell you exactly how to do anything — it tells you the outcomes you should be able to demonstrate, grouped into six themes.

Practical examples

  • A SaaS startup maps its onboarding/offboarding process to PR.AA (Access Control) and uses it to prove access governance to a SOC 2 auditor.
  • A hospital uses CSF Profiles to compare its current state to a target state required by its cyber-insurance carrier.

Advanced notes

CSF 2.0 introduced Govern (GV) and Community Profiles, and is designed to be paired with the NIST CSF Reference Tool and informative references like NIST SP 800-53.