Is the NIST Cybersecurity Framework mandatory?

No. The CSF is voluntary for most organizations. However, U.S. federal agencies and many contractors are required to use NIST guidance, and some regulators and customers contractually require alignment with it. Many organizations adopt it voluntarily because it is free, vendor-neutral, and widely recognized.

What is the biggest change in CSF 2.0 compared to version 1.1?

The two biggest changes are the addition of a sixth Function, GOVERN, which elevates cybersecurity to an enterprise risk-management and board-level concern, and the broadening of scope so the framework explicitly applies to all organizations rather than just critical infrastructure. CSF 2.0 also added Implementation Examples and Community Profiles to make adoption easier.

Can you get certified in the NIST CSF?

There is no official NIST CSF certification for organizations the way there is for ISO/IEC 27001. The CSF is a self-assessment and risk-management framework. Individuals can take training courses, and organizations can demonstrate alignment, but NIST itself does not certify compliance.

How is the CSF different from ISO 27001?

The CSF is an outcome-based framework that describes what good cybersecurity looks like and helps prioritize risk, while ISO 27001 is a certifiable standard for building an information security management system (ISMS) with specific controls. They are complementary — the CSF often serves as the strategic layer, with ISO 27001 or NIST 800-53 providing the detailed controls underneath.

Where should a small organization start with the CSF?

Start with the GOVERN and IDENTIFY Functions: understand your assets, data, and risks, and define who is accountable. Then build a simple Current Profile, set a realistic Target Profile based on your risk appetite, and address the highest-risk gaps first. You do not need to reach Tier 4 — choose a tier appropriate to your size and risk.

Engineering·10 min read·June 17, 2026

📋 The NIST Cybersecurity Framework (CSF 2.0): A Practical Guide

A vendor-neutral walkthrough of the NIST Cybersecurity Framework 2.0 — its six core Functions (including the new GOVERN), the Functions-Categories-Subcategories structure, Implementation Tiers, Profiles, and how to actually adopt it.

What Is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a voluntary set of guidelines, best practices, and standards that helps organizations understand, manage, and reduce cybersecurity risk. It is published by the U.S. National Institute of Standards and Technology (NIST), an agency within the Department of Commerce.

Crucially, the CSF is not a checklist or a certification. It is a flexible, outcome-based framework. Rather than telling you exactly which product to buy or which control to deploy, it describes what good cybersecurity outcomes look like and lets each organization decide how to achieve them based on its own risk profile, sector, and resources.

This makes it useful to almost anyone — a 10-person startup, a hospital network, a water utility, or a multinational manufacturer can all use the same vocabulary to discuss and prioritize risk.

A Brief History

The framework was born out of Executive Order 13636 (2013), which directed NIST to develop a voluntary framework to protect U.S. critical infrastructure. CSF 1.0 arrived in 2014, followed by the incremental CSF 1.1 in 2018, which added supply-chain risk management and self-assessment guidance.

In February 2024, NIST released CSF 2.0 — the first major revision. The headline change is its broadened scope: the framework is now explicitly intended for all organizations, not just critical infrastructure. The other landmark change is the addition of a sixth core Function: GOVERN.

The Six Core Functions of CSF 2.0

The heart of the framework is the Core, organized into six high-level Functions. The first five (Identify, Protect, Detect, Respond, Recover) date back to CSF 1.0; GOVERN is new in 2.0 and now sits at the center, wrapping around the other five.

1. GOVERN (new in CSF 2.0)

GOVERN establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy. It treats cyber risk as a major enterprise risk alongside financial and reputational risk — a board-level concern, not just an IT problem.

Defining organizational risk appetite and tolerance
Establishing roles, responsibilities, and accountability
Setting cybersecurity policy aligned with business objectives
Overseeing the cybersecurity supply chain

2. IDENTIFY

IDENTIFY helps an organization understand its assets, systems, data, suppliers, and the associated risks. You cannot protect what you do not know you have.

Maintaining an inventory of hardware, software, and data
Mapping data flows and business dependencies
Performing risk assessments and identifying vulnerabilities
Cataloging third-party and supply-chain risk

3. PROTECT

PROTECT covers the safeguards used to manage risk and limit or contain the impact of a potential incident.

Identity management, authentication, and access control (e.g., MFA, least privilege)
Security awareness and training for staff
Data security (encryption at rest and in transit)
Platform and infrastructure hardening, patch management, and secure configuration

4. DETECT

DETECT finds and analyzes possible attacks and compromises in a timely manner.

Continuous monitoring of networks, systems, and physical environments
Log collection and correlation (SIEM)
Anomaly detection and alerting against a known baseline
Analyzing detected events to understand impact

5. RESPOND

RESPOND takes action once an incident is detected, to contain its effects.

Executing an incident response plan
Triage, analysis, and forensic investigation
Internal and external communication, including regulatory and legal notification
Mitigation to neutralize the incident and prevent expansion

6. RECOVER

RECOVER restores assets and operations affected by an incident and returns the organization to normal.

Executing and testing recovery plans (backups, failover)
Restoring systems and verifying their integrity
Coordinating recovery communications
Capturing lessons learned to improve resilience

How the Framework Is Structured

The CSF Core is a hierarchy that moves from the abstract to the concrete:

Functions — the six broadest groupings (Govern, Identify, Protect, Detect, Respond, Recover).
Categories — outcome groups within each Function (e.g., under Protect, "Identity Management, Authentication and Access Control").
Subcategories — specific, granular outcome statements (the most detailed level), such as "Identities and credentials for authorized users are managed."

Two supporting concepts add usability:

Informative References — pointers that map each Subcategory to specific controls in other standards (ISO 27001, NIST 800-53, CIS Controls, etc.), so you do not have to reinvent control catalogs.
Implementation Examples — new in 2.0, these give concrete, action-oriented illustrations of how to achieve a given Subcategory outcome.

Implementation Tiers

Tiers describe the rigor and maturity of an organization's cybersecurity risk management practices. They are a self-characterization, not a grade or a maturity-model requirement — a small business may rationally choose to stay at a lower tier.

Tier 1 — Partial: Risk management is ad hoc and reactive; limited awareness of cyber risk; little organization-wide coordination.
Tier 2 — Risk Informed: Risk practices are approved by management but may not be established as organization-wide policy.
Tier 3 — Repeatable: Formally approved, organization-wide policies and processes that are regularly updated.
Tier 4 — Adaptive: The organization actively adapts its practices based on lessons learned, predictive indicators, and a continuous-improvement culture.

Profiles: Current vs. Target

A Profile describes an organization's cybersecurity posture in terms of the Core's outcomes, tailored to its business needs, threats, and requirements.

A Current Profile captures what outcomes you are achieving today.
A Target Profile captures the outcomes you need to achieve to meet your risk objectives.

The gap between the two is your roadmap. CSF 2.0 also introduced Community Profiles — shared baseline profiles built for a specific sector or use case (e.g., manufacturing, electric utilities), giving organizations a head start.

How an Organization Actually Adopts the CSF

Adoption is iterative, not a one-time project. A typical cycle looks like this:

Scope and prioritize. Decide which business lines or systems the effort covers and align with organizational risk strategy (the GOVERN Function).
Build a Current Profile. Assess which Subcategory outcomes you achieve today and at what tier.
Define a Target Profile. Set the desired outcomes based on risk appetite, regulatory drivers, and threat landscape.
Perform a gap analysis. Compare current vs. target to identify shortfalls.
Prioritize and plan. Rank gaps by risk reduction, cost, and effort to create an actionable, budget-aware implementation plan.
Implement, measure, and repeat. Execute, monitor progress, and re-baseline as the business and threats evolve.

How CSF Maps to Other Standards

The CSF is deliberately designed to organize and complement other standards rather than replace them. Through Informative References, its outcome-based Subcategories cross-reference the detailed controls in:

ISO/IEC 27001 & 27002 — the international standard for information security management systems (ISMS); CSF outcomes map cleanly to ISO Annex A controls, and many organizations run both.
NIST SP 800-53 — the deep federal control catalog; useful when you need detailed, prescriptive control language behind a CSF outcome.
CIS Critical Security Controls — a prioritized, prescriptive set of defensive actions that pairs well with the "how" beneath CSF's "what."

A common pattern: use the CSF as the strategic, board-facing layer and language, then implement and certify against a control catalog such as ISO 27001 or CIS underneath.

Relevance to Critical Infrastructure and OT

Because it originated from a critical-infrastructure mandate, the CSF remains a cornerstone reference for sectors such as energy, water, manufacturing, and transportation. These environments rely heavily on operational technology (OT) — industrial control systems, SCADA, and PLCs — where the priorities differ from traditional IT: safety and availability often outrank confidentiality, and downtime can have physical, even life-safety, consequences.

The framework's outcome-based, vendor-neutral design lets OT operators apply it without forcing IT-centric assumptions, and it pairs naturally with OT-specific guidance such as NIST SP 800-82. The new GOVERN Function is especially valuable here, because OT cyber risk is increasingly a regulated, board-level safety issue.

Topics covered

NIST Cybersecurity FrameworkCSF 2.0NIST CSF functionscybersecurity risk managementGOVERN functionimplementation tierscritical infrastructure securityISO 27001 mapping

🛠️ Related Free Tools

Put this knowledge to work on your iPhone

Browse our full catalog of professional iOS apps — from electrical code tools to AI builders.

Browse All 95+ Apps