NIST Cybersecurity Framework (CSF 2.0) Explained (2026)

Written by: Henry Dalziel

Last updated on June 24, 2026

The NIST Cybersecurity Framework (CSF) is a voluntary framework, published by the US National Institute of Standards and Technology, for organizing and improving cybersecurity risk management.

Its flexibility and plain-language structure have made it one of the most widely adopted frameworks worldwide, used well beyond the US government context it originated in. The current version, CSF 2.0, released in 2024, broadened the framework’s scope to organizations of all sizes and sectors and added an explicit governance function.

This page is part of our GRC frameworks hub. For the broader discipline, see our complete guide to governance, risk, and compliance.

The six core functions

CSF 2.0 organizes cybersecurity activity into six high-level functions that together form a continuous lifecycle:

  • Govern — establishing and monitoring the organization’s cybersecurity risk management strategy, expectations, and policy (new in 2.0, and the function that ties the framework to GRC).
  • Identify — understanding assets, risks, and the business context.
  • Protect — implementing safeguards to limit or contain the impact of events.
  • Detect — finding and analyzing possible cybersecurity events.
  • Respond — taking action on a detected incident.
  • Recover — restoring capabilities and services after an incident.

Beneath the functions sit categories and subcategories that translate the high-level outcomes into specific, manageable activities, which organizations map to their own controls.

Tiers and profiles

The framework also provides implementation tiers (from Partial to Adaptive) that describe how rigorous and integrated an organization’s risk management practices are, and profiles that let an organization define a “current” and “target” state to prioritize improvements. This makes the CSF as useful for measuring maturity as for organizing controls.

How the NIST CSF fits a GRC program

The CSF is a natural organizing spine for a GRC program.

Its new Govern function aligns directly with governance and enterprise risk management; its Identify and Protect functions map to control and compliance management; and its Detect, Respond, and Recover functions connect GRC to security operations.

Because the CSF cross-references other standards, it is frequently used as the framework that maps an organization’s ISO 27001 and SOC 2 controls into one coherent picture.

Frequently asked questions

What is the NIST Cybersecurity Framework?

It is a voluntary framework from NIST for organizing and improving cybersecurity risk management, structured around six core functions — Govern, Identify, Protect, Detect, Respond, and Recover — that form a continuous risk-management lifecycle.

What changed in NIST CSF 2.0?

The 2024 release added a sixth function, Govern, broadened the framework’s intended audience to all organizations rather than primarily critical infrastructure, and expanded guidance on supply-chain risk and implementation.

Is the NIST CSF mandatory?

No — it is voluntary for most organizations, though some US federal contexts and sectors reference it in requirements. Many organizations adopt it by choice because of its flexibility and broad recognition.

How does the NIST CSF compare to ISO 27001?

The CSF is a flexible, voluntary framework for organizing activity, while ISO 27001 is a certifiable management-system standard. They are complementary: organizations often use the CSF to structure their program and ISO 27001 to certify it.