up:: Doing the Work MOC

NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework (CSF) is a voluntary framework that organizes cybersecurity risk-management outcomes into six high-level functions, Govern, Identify, Protect, Detect, Respond, and Recover, so that any organization can understand, assess, prioritize, and communicate its cybersecurity work in a common language. It describes what good cybersecurity looks like as a set of outcomes, and it deliberately leaves how to achieve them to the organization. Its current version, CSF 2.0, was published by NIST as CSWP 29 on February 26, 2024.

The short version:

  • The CSF is a shared vocabulary for cybersecurity outcomes, built around six functions that read as plain verbs: Govern, Identify, Protect, Detect, Respond, Recover.
  • It’s voluntary and deliberately generic, meant to be tailored by any organization regardless of its size, sector, or maturity.
  • It describes outcomes rather than controls. It tells you what to accomplish and links out to other guidance for how.
  • Version 2.0 (2024) added Govern as the anchoring function and dropped the old “critical infrastructure” scope, so it now speaks to every organization.
  • For quantum readiness, it’s the scaffolding the whole program hangs on. Quantum risk lands under Govern (risk strategy and supply-chain risk) and Identify (a cryptographic inventory is asset management), which gives a team an existing language to slot post-quantum work into.

Think of the CSF like the framing and floor plan of a house rather than the building code for the wiring. The framing tells you there’s a kitchen, a bedroom, and a bathroom, and roughly how they connect, without dictating which brand of pipe goes where. The CSF names the rooms of a security program and how they fit together; the specific controls, the wiring, come from other standards you slot into that structure.

What is the NIST Cybersecurity Framework?

The CSF is a taxonomy of high-level cybersecurity outcomes, published and maintained by the U.S. National Institute of Standards and Technology, that an organization uses to understand, assess, prioritize, and communicate its cybersecurity efforts. NIST states the point plainly in the CSF 2.0 abstract: the framework offers “a taxonomy of high-level cybersecurity outcomes that can be used by any organization” regardless of its size, sector, or maturity, “to better understand, assess, prioritize, and communicate its cybersecurity efforts,” and it “does not prescribe how outcomes should be achieved.”

That last clause is the essence of it. Rather than a controls catalog or a compliance checklist, the CSF is a structure that organizes outcomes and then links out to the detailed guidance, the controls and practices, that other documents provide. It gives executives, managers, and practitioners one vocabulary to talk about security across the whole organization.

Source: NIST, “The NIST Cybersecurity Framework (CSF) 2.0,” NIST CSWP 29, February 26, 2024, abstract, nvlpubs.nist.gov.

What are the six CSF functions?

The CSF Core is organized, at its highest level, into six functions that group cybersecurity outcomes. NIST defines each one in a single sentence, and every one of the six reads as an ordinary verb a non-specialist understands. Here they are with NIST’s own one-line descriptions.

FunctionNIST’s one-line definitionWhat it covers
Govern (GV)“The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.”Organizational context, risk-management strategy, roles and authorities, policy, oversight, and cybersecurity supply-chain risk management
Identify (ID)“The organization’s current cybersecurity risks are understood.”Asset management, risk assessment, and improvement, understanding the estate of data, hardware, software, systems, and suppliers
Protect (PR)“Safeguards to manage the organization’s cybersecurity risks are used.”Identity, authentication and access control, awareness and training, data security, platform security, and infrastructure resilience
Detect (DE)“Possible cybersecurity attacks and compromises are found and analyzed.”Continuous monitoring and adverse-event analysis
Respond (RS)“Actions regarding a detected cybersecurity incident are taken.”Incident management, analysis, reporting, communication, and mitigation
Recover (RC)“Assets and operations affected by a cybersecurity incident are restored.”Incident recovery-plan execution and recovery communication

Beneath the six functions, the Core nests two more layers. Each function breaks into Categories (for example, Identify contains Asset Management, ID.AM), and each category breaks into Subcategories, the specific outcome statements (for example, ID.AM-02, “Inventories of software, services, and systems managed by the organization are maintained”). Functions, categories, and subcategories are the three layers of the Core, and NIST is explicit that their order and size don’t imply a sequence or a ranking of importance.

Source: NIST, “The NIST Cybersecurity Framework (CSF) 2.0,” NIST CSWP 29, February 26, 2024, §2 and Table 1, nvlpubs.nist.gov.

Why does the CSF matter?

Because it gives an organization one language for cybersecurity that reaches from the practitioner up to the board. A migration, a control, or a risk described only in technical terms tends to stall at the boundary between the security team and the people who fund the work. The CSF’s value is that its six functions are legible to a non-specialist, so a technical finding can be located inside a structure an executive already recognizes and a regulator already references.

NIST designed the framework to be usable “regardless of the maturity level and technical sophistication” of a program, and to serve “executives, managers, and practitioners, regardless of their cybersecurity expertise.” That shared vocabulary is what lets a security team say “this is a gap in our Identify function, specifically our cryptographic asset management” and have it mean the same thing to the CISO, the auditor, and the board. The framework has become a common reference point across industry, government, and regulators precisely because it’s outcome-based and vendor-neutral.

Source: NIST, “The NIST Cybersecurity Framework (CSF) 2.0,” NIST CSWP 29, February 26, 2024, §1, nvlpubs.nist.gov.

What changed in CSF 2.0?

Two changes stand out, and both matter for how the framework is used today. The first is the addition of Govern as a function. Earlier versions of the framework anchored on five functions, Identify, Protect, Detect, Respond, and Recover; CSF 2.0 foregrounds Govern as the sixth, and NIST describes it as the function that “provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations.” Govern is where cybersecurity strategy, roles, policy, oversight, and supply-chain risk management now live, which pulls governance from an implicit assumption into an explicit, first-class part of the model.

The second change is scope. Before version 2.0, the framework was titled “Framework for Improving Critical Infrastructure Cybersecurity,” and NIST notes that “this title is not used for CSF 2.0.” The 2.0 revision drops the critical-infrastructure framing and speaks to every organization, which is why the abstract now reaches “any organization” regardless of its size, sector, or maturity. The framework grew from a sector-specific tool into a general-purpose one.

Source: NIST, “The NIST Cybersecurity Framework (CSF) 2.0,” NIST CSWP 29, February 26, 2024, Note to Readers and §2, nvlpubs.nist.gov.

What are CSF Profiles and Tiers?

They’re the two mechanisms the framework gives you for tailoring it and for gauging how rigorously you run it. A CSF Organizational Profile describes an organization’s cybersecurity posture in terms of the Core’s outcomes, and it comes in two states: a Current Profile, which captures the outcomes you’re achieving now, and a Target Profile, which captures the outcomes you’ve decided you want. The gap between the two is, in effect, your roadmap, and NIST frames profile creation as the mechanism for understanding, tailoring, assessing, and prioritizing your outcomes.

CSF Tiers are the second mechanism. They characterize the rigor of an organization’s cybersecurity risk-governance and risk-management practices along a four-step progression: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4). NIST describes the Tiers as “a progression from informal, ad hoc responses to approaches that are agile, risk-informed, and continuously improving.” The Tiers aren’t a maturity grade you’re required to maximize; they’re context for how an organization views and manages its risks, and a team applies them to its Profiles to set the overall tone.

Source: NIST, “The NIST Cybersecurity Framework (CSF) 2.0,” NIST CSWP 29, February 26, 2024, §3.1 and §3.2, nvlpubs.nist.gov.

How does the CSF relate to quantum readiness?

The CSF is the governance scaffolding a post-quantum program hangs on, because quantum risk isn’t a new kind of cyber risk so much as a new instance of an existing one, and the framework already has homes for it. Two functions carry most of the load.

  1. Govern is where the quantum risk strategy lives. The decision to treat quantum-vulnerable cryptography as an enterprise risk, to assign an owner, to set policy and oversight, and to press the supply chain for post-quantum roadmaps all map onto the Govern function’s categories, including Cybersecurity Supply Chain Risk Management (GV.SC). This is the same ownership and prioritization work covered in Own Your Quantum Risk and Why Post-Quantum Migrations Stall, expressed in the framework’s own terms.
  2. Identify is where the cryptographic inventory lives. The Identify function’s Asset Management category (ID.AM) is about maintaining inventories of hardware, software, systems, data, and supplier services, which is exactly the job a cryptographic inventory does for the crypto layer. You can’t govern or migrate cryptography you haven’t found, and the CSF already frames “find your assets” as a named outcome. A CBOM is asset management applied to the algorithms, keys, and certificates hiding across the estate.

The practical upshot is that a team doesn’t need a separate “quantum framework” to organize its readiness work. It can slot post-quantum cryptography into the CSF it already uses: the inventory under Identify, the strategy and supply-chain pressure under Govern, the deployment of new algorithms under Protect. The framework won’t tell you how to migrate, but it gives the program a structure a board and an auditor already recognize, which is half the battle when a technical finding needs to become a funded decision, the translation covered by FAIR and Brief Your Board.

Source: NIST, “The NIST Cybersecurity Framework (CSF) 2.0,” NIST CSWP 29, February 26, 2024, Table 1 (GV.SC, ID.AM) and §2.1, nvlpubs.nist.gov.

How is the CSF different from a controls catalog?

The CSF tells you what outcomes to achieve; a controls catalog like NIST SP 800-53 tells you which specific controls achieve them. NIST is explicit that the Core’s outcomes “are not a checklist of actions to perform” and that the framework “does not prescribe how outcomes should be achieved.” Instead, the CSF links to Informative References, mappings that connect each subcategory to the detailed guidance in other standards. So the two are complementary layers, the CSF as the organizing structure, the controls catalog as the implementation detail you plug into it. A program uses the CSF to decide what matters and a controls framework to decide exactly what to configure.

Source: NIST, “The NIST Cybersecurity Framework (CSF) 2.0,” NIST CSWP 29, February 26, 2024, §2 and §4, nvlpubs.nist.gov.

Common misconceptions

  1. “The CSF is a checklist you comply with.” It’s a taxonomy of outcomes, and NIST states directly that the Core “is not a checklist of actions to perform.” You tailor it to your own risks; there’s no pass-or-fail box to tick.
  2. “The CSF is mandatory.” It’s voluntary. NIST calls it a flexible framework “intended to be tailored for use by all organizations regardless of size.” Some regulators and contracts reference it, but the framework itself imposes no obligation.
  3. “The CSF is only for critical infrastructure.” That was the old scope. CSF 2.0 dropped the “Framework for Improving Critical Infrastructure Cybersecurity” title and now addresses any organization regardless of sector.
  4. “The CSF tells you which tools and controls to buy.” It’s deliberately vendor-neutral and control-agnostic. It names the outcomes and links to other guidance for the how; it never prescribes a product.
  5. “Higher CSF Tiers are always the goal.” Tiers describe the rigor of your risk practices, not a grade to maximize. NIST frames them as context for how you view risk, and the right tier is the one that fits your risk appetite, not automatically Tier 4.
  6. “Quantum readiness needs its own framework.” Quantum risk maps onto the CSF you already run, the inventory under Identify, the strategy under Govern, so it slots into existing governance rather than requiring a parallel structure.

Questions people ask

Is the NIST CSF mandatory? No, it’s voluntary. NIST designed it to be tailored by any organization, and the framework itself creates no obligation. That said, it’s widely referenced in contracts, sector regulations, and audits, so many organizations adopt it as a practical baseline even though nothing forces them to.

What are the six CSF functions in order? Govern, Identify, Protect, Detect, Respond, and Recover. NIST is careful to note that this order doesn’t imply a sequence you execute step by step; the functions run continuously and concurrently, with Govern informing and prioritizing the other five.

When was CSF 2.0 released, and what version came before it? CSF 2.0 was published as NIST CSWP 29 on February 26, 2024. It succeeds the earlier framework versions, which were built around five functions and titled the “Framework for Improving Critical Infrastructure Cybersecurity,” a title CSF 2.0 retired.

Does the CSF replace NIST SP 800-53 or ISO 27001? No, it sits above them. The CSF organizes cybersecurity outcomes and then links, through its Informative References, to detailed control catalogs like SP 800-53. You use the CSF to decide what matters and a controls framework to implement it, so they operate together rather than in competition.

Where does quantum risk fit in the CSF? Primarily under Govern and Identify. The risk strategy, ownership, oversight, and supply-chain pressure live in Govern; the cryptographic inventory, a CBOM, is asset management under Identify. Deploying post-quantum algorithms then falls under Protect. The framework gives quantum readiness a home without a separate model.

Do I need to reach Tier 4 to be “compliant”? No. There’s no compliance bar in the CSF, and Tiers aren’t a scorecard. They describe how rigorous and adaptive your risk practices are, and the appropriate tier depends on your organization’s risk appetite and resources, not on maximizing the number.

Is the CSF only useful for large organizations? No. NIST explicitly scopes it to any organization “regardless of its size, sector, or maturity,” and provides Quick Start Guides and Community Profiles aimed at smaller organizations. The framework scales down as readily as it scales up.


Everything here is the map, given freely. When your team needs a post-quantum program actually built into the governance framework you already run, owned, prioritized, and defensible to your board and your regulator, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.