Below is a list of the major changes to the five (5) existing CSF Functions from version 1.1:
Identify (ID):
Protect (PR):
Detect (DE):
Respond (RS):
Recover (RC):
The crosswalk between CSF 1.1 and CSF 2.0 is an Informative Reference. It can be consumed in multiple ways:
The numbering of the Subcategories is intentionally not sequential. Gaps in numbering indicate CSF v1.1 Subcategories that were relocated as part of the major update to CSF 2.0. Any Subcategory present in both CSF v1.1 and CSF 2.0 has a similar meaning in both.
During the CSF 2.0 development process, many Subcategories were added, changed, or deleted from CSF 1.1. For example, PR.DS-3 from CSF v1.1 was moved to ID.AM-08 in CSF 2.0. The PR.DS-3 identifier was therefore not reused in CSF 2.0, to avoid confusion: had it been reused, PR.DS-3 would describe an entirely different outcome in CSF 2.0 than it did in CSF v1.1.
This downloadable PDF contains a comprehensive depiction of all withdrawn CSF v1.1 elements.
The CSF helps manage and reduce cybersecurity risks with a taxonomy of high-level outcomes that any organization can use to understand, assess, prioritize, and communicate its cybersecurity efforts. It also links to resources that provide additional guidance on practices and controls for achieving security outcomes. Among other things, the CSF fosters risk and cybersecurity management communications between and among internal and external stakeholders.
The NIST Framework website has many resources to help organizations implement the Framework. The Framework Quick Start Guide Repository provides direction and guidance to those seeking to improve cybersecurity risk management via utilization of the NIST Cybersecurity Framework. The Resource Repository includes approaches, methodologies, implementation guides, mappings to the Framework, case studies, educational materials, Internet resource centers (e.g., blogs, document stores), example profiles, and other Framework document templates.
NIST is not a regulatory agency, and most organizations use the CSF on a voluntary basis. However, Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, made the Framework mandatory for U.S. Federal Government agencies, and some companies require the CSF for their customers or within their supply chain.
No. The CSF provides a series of outcomes to prioritize and address cybersecurity risks but does not specify actions for meeting those outcomes.
For the past 10 years, NIST has collaborated with stakeholders in industry, academia, government, and international forums to develop the CSF. Thousands of detailed comments and suggestions from users around the world have helped shape the CSF you see today.
NIST routinely engages users through three primary activities:
More information on the development of the CSF can be found in the Development Archive.
NIST does not offer certifications or endorsements of CSF-related products, implementations, or services, and there are no plans to develop a conformity assessment program.
However, NIST does share resources that demonstrate the CSF’s real-world applications and benefits. By sharing your organization’s experiences and successes, you can inspire new use cases and help others understand the CSF. To contribute to these resources, contact cyberframework [at] nist.gov.
In general, NIST publications are in the public domain and not subject to copyright in the United States. Permission to reprint or copy from them is therefore not required. Permission for reuse outside of the U.S. is often granted upon written request to cyberframework [at] nist.gov. Content using NIST materials should credit the original source and include this recommended text: “Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States.”
When using the CSF Six Functions Graphic (the six-color wheel), the credit line should also include N.Hanacek/NIST.
Public domain official writing that is published in copyrighted books and periodicals may be reproduced in whole or in part without copyright limitations; however, the source should be credited.
No. Many organizations in the private and public sectors (including federal agencies) use the CSF as a tool to manage cybersecurity risks.
Any organization — whether its cybersecurity program is new or mature — can use the CSF to manage cybersecurity risks. How you use the CSF will vary depending on your current state and priorities.
Organizations are using the CSF in a variety of ways, including:
The NIST CSF website also provides specific examples of how organizations have used the Framework.
The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references. It consists of six concurrent and continuous Functions:
The Framework Core then identifies underlying key Categories and Subcategories for each Function and matches them with example Informative References, such as existing standards, guidelines, and practices for each Subcategory.
How your organization addresses the Category and Subcategory outcome statements in each function will provide a high-level, strategic, and life-cycle view of your cybersecurity risk management program. You can then share those outcomes and expectations with executives, implementation and operations personnel, partners, suppliers, and customers.
NIST has designed the CSF to be as flexible as possible. Outcomes are non-prescriptive and can be accomplished through any number of activities, whereas a specific process is inherently limiting. The outcomes you select from the Core’s Categories and Subcategories are the “what.” The CSF Informative References, Implementation Examples, Quick Start Guides, and other resources help your organization figure out the “how.”
An Organizational CSF Profile describes an organization’s current and target cybersecurity posture. It will help you understand, tailor, assess, prioritize, and communicate Core outcomes based on your organization’s specific mission objectives, stakeholder expectations, threat landscape, requirements, and leading practices.
There are two primary types of Organizational Profiles:
Community Framework Profiles offer cybersecurity risk management guidance for multiple organizations to address a sector, technology, or challenge. These profiles differ from Organizational Framework Profiles, which are generally not shared publicly. Community Profiles reflect a consensus point of view about cybersecurity risk management and may be used as the basis of, or to inform, Organizational Target Profiles.
Implementation Tiers inform Organizational Profiles by describing how cybersecurity risks will be managed with a range of outcomes:
The Tiers reflect a progression from informal, ad hoc responses to approaches that are agile, risk-informed, and continuously improving.
Informative References provide an easy way to link CSF outcome statements to specific recommendations by showing the relationships between organizational concepts in Focal Documents and specific sections, sentences, or phrases in Reference Documents. The discrete concepts of the Focal Document are called Focal Document elements, and the specific sections, sentences, or phrases of the Reference Document are called Reference Document elements. Many Informative References are contained in the OLIR catalog.
Implementation Examples are concise, action-oriented suggestions for achieving the outcomes of CSF Subcategories. They complement the guidance provided by Informative References. The examples are not a comprehensive list of all actions that could be taken by an organization to achieve an outcome, nor do they represent a baseline of required actions to address cybersecurity risk.
The CSF Core is composed of Functions, Categories, and Subcategories. Implementation Examples help users understand possible ways to fulfill aspects of the Core. Informative References help users learn more on a given outcome in the Core. Neither Implementation Examples nor Informative References are meant to be the only ways to fulfill outcomes in the Core, and they are not an exhaustive or complete listing.
Yes. Your organization should use the CSF to identify activities that are most important to your mission, prioritize expenditures, and consider the impacts of the investment.
Yes. The Functions, Categories, and Subcategories of the Framework Core are applicable whether you are operating your own assets or another party is operating assets as a service for you. In fact, CSF 2.0 has been revised to emphasize supply chain considerations and can be used as evaluation criteria for selecting among multiple product and service providers. The CSF can also help you state your expected outcomes and activities with external suppliers, service providers, and system integrators.
The full benefits of the CSF’s guidance can only be realized if it is deployed within the broader context of your organization’s enterprise risk management (ERM) program rather than isolated to the IT department. The Function, Category, and Subcategory levels of the CSF apply to all levels of the organization, from executive leadership to individual operating units and supply chain partners.
The CSF enables senior leaders to better understand, direct, and manage cybersecurity risks to the organization by increasing awareness, enabling prioritization, improving communications among leadership (e.g., CIO, CEO, Executive Board, etc.), and placing cybersecurity considerations in the context of broader enterprise risks.
The CSF’s effectiveness depends on your organization’s goals, so measuring that effectiveness is left to your discretion. While NIST does not recommend a specific model for measuring effectiveness, you may want to consider the following:
No. While some organizations leverage the expertise of external experts and organizations, external experts are not required to implement the CSF. NIST does not provide recommendations for consultants or assessors.
No. The CSF is designed to be flexible and work with the products and services you choose to acquire and use. It encourages technological innovation and keeping up with the dynamic cybersecurity landscape by aiming for strong cybersecurity protection without being tied to specific offerings or current technology.
Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources, regardless of the source (NIST SP 800-160, Volume 2). Cyber resiliency has a strong relationship to cybersecurity but — like privacy — represents a distinct problem domain and solution space. Cyber resiliency supports mission assurance for missions that depend on IT and OT systems in a contested environment.
When implementing the CSF, an organization can review its current state profile to help determine whether cyber resiliency is adequately supported, whether additional elements are necessary, and how to close any gaps. Target states will likely require a combination of fault tolerance, adversity tolerance, and graceful degradation in relation to mission goals, and the CSF supports these high-level organizational discussions.
The CSF provides a flexible, risk-based approach to help your organization manage cybersecurity risks and achieve its cybersecurity objectives. Those objectives may be informed by and derived from organizational cybersecurity requirements and applicable laws, rules, and regulations.
The Framework’s Govern Function includes a subcategory (GV.OC-03) with a specific outcome statement relevant to compliance: “Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed.”
The CSF can help your organization align and prioritize its cybersecurity activities with its business and mission requirements, risk tolerances, and resources. For example, Current Profiles indicate the cybersecurity outcomes that are currently being achieved, while Target Profiles indicate the outcomes needed to achieve the desired cybersecurity risk management goals. Comparing these Profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives. An action plan to address these gaps and fulfill a given Category or Subcategory of the Framework Core can help you set priorities that consider your organization’s business needs and risk management processes. Additionally, the Framework Tiers can help your organization determine the extent to which cybersecurity risk management is informed by business needs and is integrated into overall risk management practices.
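The following Python is an added example, not code from the FAQ or from NIST, tying the identifier-numbering rules described earlier (PR.DS-3 relocated to ID.AM-08, with gaps in CSF 2.0 numbering left deliberately unfilled) to the Current-versus-Target Profile comparison above. It normalizes a mix of v1.1 and v2.0 Subcategory identifiers through a crosswalk before computing gaps, so that a relocated outcome is credited under its new identifier and a withdrawn one is flagged rather than silently counted. Only the PR.DS-3 to ID.AM-08 mapping and the GV.OC-03 identifier come from the page; the Category code PR.XX, the profiles and their statuses are constructed placeholders.

```python
"""Crosswalk-aware comparison of a CSF Current Profile with a Target Profile.

Constructed example: identifiers follow the CSF pattern FUNCTION.CATEGORY-NUMBER.
CSF v1.1 used unpadded numbers (PR.DS-3); CSF 2.0 uses two digits (ID.AM-08).
"""
import re

# Subcategory identifier: two-letter Function, two-letter Category, 1- or 2-digit number.
SUBCATEGORY_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d{1,2})$")

# The six CSF 2.0 Functions.
CSF2_FUNCTIONS = {"GV", "ID", "PR", "DE", "RS", "RC"}

# v1.1 identifier -> v2.0 identifier, or None when the v1.1 outcome was withdrawn.
# PR.DS-3 -> ID.AM-08 is the example given in the FAQ; PR.XX-9 is a constructed
# placeholder (PR.XX is not a real Category) standing in for a withdrawn Subcategory.
CROSSWALK_V11_TO_V20 = {
    "PR.DS-3": "ID.AM-08",
    "PR.XX-9": None,
}


def parse_subcategory(identifier):
    """Split an identifier into (function, category, number, is_v20_form)."""
    m = SUBCATEGORY_RE.match(identifier)
    if not m:
        raise ValueError(f"not a CSF Subcategory identifier: {identifier!r}")
    function, category, number = m.groups()
    return function, category, int(number), len(number) == 2


def to_v20(identifier, crosswalk=CROSSWALK_V11_TO_V20):
    """Resolve a v1.1 or v2.0 identifier to its CSF 2.0 identifier.

    Returns ("ok", id2) when resolved, ("withdrawn", None) when the crosswalk marks
    the v1.1 outcome as withdrawn, and ("unknown", None) otherwise. A v1.1 identifier
    is never zero-padded blindly: gaps in v2.0 numbering are deliberate, so only the
    crosswalk decides where an old outcome went.
    """
    function, _category, _number, is_v20 = parse_subcategory(identifier)
    if is_v20:
        return ("ok", identifier) if function in CSF2_FUNCTIONS else ("unknown", None)
    if identifier not in crosswalk:
        return ("unknown", None)
    mapped = crosswalk[identifier]
    return ("ok", mapped) if mapped else ("withdrawn", None)


def profile_gaps(current, target, crosswalk=CROSSWALK_V11_TO_V20):
    """Compare a Current Profile (identifier -> status) with a Target Profile (set of ids).

    Both may mix v1.1 and v2.0 identifiers; everything is normalized to v2.0 first.
    Returns the Target outcomes not yet achieved, the entries whose outcome was
    withdrawn, and any identifiers that could not be resolved.
    """
    achieved, wanted = set(), set()
    withdrawn, unknown = [], []
    for identifier, status in current.items():
        state, id2 = to_v20(identifier, crosswalk)
        if state == "ok" and status == "achieved":
            achieved.add(id2)
        elif state == "withdrawn":
            withdrawn.append(identifier)
        elif state == "unknown":
            unknown.append(identifier)
    for identifier in target:
        state, id2 = to_v20(identifier, crosswalk)
        if state == "ok":
            wanted.add(id2)
        elif state == "withdrawn":
            withdrawn.append(identifier)
        else:
            unknown.append(identifier)
    return {
        "gaps": sorted(wanted - achieved),
        "withdrawn": sorted(withdrawn),
        "unknown": sorted(unknown),
    }


# Constructed Current Profile still written against CSF v1.1 identifiers.
CURRENT_PROFILE = {
    "PR.DS-3": "achieved",   # relocated to ID.AM-08 in CSF 2.0, so it counts there
    "PR.XX-9": "achieved",   # constructed withdrawn outcome: flagged, not credited
    "ID.AM-01": "partial",   # already in CSF 2.0 form, but not yet fully achieved
}

# Constructed Target Profile written in CSF 2.0 identifiers.
TARGET_PROFILE = {"ID.AM-08", "ID.AM-01", "GV.OC-03"}

if __name__ == "__main__":
    print(profile_gaps(CURRENT_PROFILE, TARGET_PROFILE))
```

The design point is that the crosswalk, not string manipulation, is the authority on where a v1.1 outcome went: zero-padding "PR.DS-3" to "PR.DS-03" would credit an outcome that does not exist in CSF 2.0 under that identifier.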
Understanding cybersecurity risk tolerance will help your organization prioritize cybersecurity activities and make informed decisions about cybersecurity expenditures. Your organization may choose to handle risk in different ways (e.g., mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk), depending on the potential impacts to the delivery of critical services.
Yes. The CSF was developed for organizations of any size, sector, or maturity. To assist smaller organizations, the CSF 2.0 Small Business Quick Start Guide helps small and medium-sized businesses (SMBs) kick-start their cybersecurity risk management strategy, specifically those that have modest or no cybersecurity plans in place. As more CSF 2.0 small business resources are created, they will be archived on the Cybersecurity Framework page of the NIST Small Business Cybersecurity Corner website.
Yes. Since cybersecurity is a key element of information and communications technology (ICT), implementing and improving an enterprise cybersecurity program through the CSF directly benefits overall ICT Risk Management (ICTRM).
The CSF provides a high-level method to determine enterprise objectives, identify and protect key resources, and collaborate on plans to detect, respond to, and recover from cyber incidents. ICTRM, as an integral part of Enterprise Risk Management (ERM), provides structured templates for prioritizing assets based on the business impacts of positive and negative risk, recording and refining risk expectations, and registering risk scenarios and treatments at all enterprise levels.
Through the holistic and common language of the CSF, paired with repeatable communications artifacts as described in SP 800-221, ICTRM in support of ERM is consistently and effectively maintained.
Yes. The 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure states:
Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order…and describe the agency’s action plan to implement the Framework.
NIST developed Interagency Report (IR) 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework, to provide federal agencies with guidance on how the CSF can complement existing risk management practices and improve cybersecurity risk management programs.
NIST SP 800-39 is a complementary resource to help CSF users better manage cybersecurity risks, providing guidance on a process to Frame, Assess, Respond to, and Monitor risk and how to apply it across all levels of an organization.
Organizations can use the guidance from SP 800-39 to better understand key concepts introduced in the CSF, such as: governance, developing a risk management strategy, determining risk tolerance, conducting risk assessment, identifying and selecting appropriate risk responses, and monitoring risk at the organization, mission/business, and system levels. Note that SP 800-37 includes additional guidance primarily focused at the system level.
The Framework provides a common language and taxonomy to better manage cybersecurity risk at an enterprise (organization) level.
NIST SP 800-37 applies the (Frame, Assess, Respond and Monitor) concepts from SP 800-39 in a repeatable, flexible process to protect systems from information security and privacy risk. The process includes steps and tasks to prepare for risk management at all levels, but guidance is primarily focused at the system level. SP 800-37 provides a methodology to select CSF outcomes, and includes implementation guidance for how to prepare for risk management, categorize information and systems, select, implement and assess the appropriate [SP 800-53] controls to manage risk, authorize the system to operate, and continuously monitor the controls and system.
Mappings between the CSF Functions, Categories and Subcategories to the respective Steps and Tasks of SP 800-37 can be found at https://csrc.nist.gov/projects/olir/informative-reference-catalog#/.
While the CSF and the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework were developed separately, each complements the other by describing a hierarchical approach to achieving cybersecurity goals.
Each of the Core Subcategory outcomes is accomplished as a task (or set of tasks) by someone in one or more work roles, and the NICE Framework (NIST Special Publication 800-181) describes a detailed set of work roles, tasks, and knowledge, skills, and abilities (KSAs) for performing those actions. From this perspective, the CSF provides the “what,” and the NICE Framework provides the “by whom.”
The NICE Framework was developed and is maintained by NICE, which is a partnership among government, academia, and the private sector with a mission to energize and promote a robust network and ecosystem of cybersecurity education, training, and workforce development.
The Privacy Framework follows the same risk- and outcome-based structure as the CSF and is composed of three parts: the Core, Profiles, and Implementation Tiers. The Frameworks are aligned to reduce complexity and address the full scope of privacy risks that arise from how organizations collect, store, use, and share information and how individuals interact with products and services.
Details about how the CSF and Privacy Framework functions align and intersect can be found in the Privacy Framework FAQs.
Each framework focuses on a specific set of guidelines for managing risks. There are similarities between them, and important differences as well. Many stakeholders involved with designing, developing, deploying, evaluating, and monitoring AI, as well as those affected by the use of AI products and services, called for specific guidance to manage the risks of AI across its lifecycle. That is the focus of the AI RMF.
AI risks should not be considered in isolation. Treating AI risks along with other critical risks, such as cybersecurity, will yield a more integrated outcome and organizational efficiencies. NIST develops a wide array of cybersecurity standards, guidelines, best practices, and other resources. Those efforts complement and enhance NIST’s portfolio of AI activities to meet the needs of U.S. industry, federal agencies and the broader public.
Yes. Global alignment is integral to avoid confusion, the duplication of effort, and conflicting expectations in global business environments. NIST is actively engaged with international standards-developing organizations to promote consistent approaches, which have in turn been adopted by other countries and international entities. The CSF has also been translated to numerous other languages.
CSF 2.0 was designed to be applicable to a broad range of technologies, including the Internet of Things (IoT), supply chain management, and cloud services. NIST will continually evaluate the CSF and ensure that it evolves with emerging technologies to retain this critical alignment. NIST also welcomes observations from all parties regarding the CSF’s relevance to IoT and will vet those observations with the NIST Cybersecurity for IoT Program.
The Baldrige Cybersecurity Excellence Builder is an assessment tool that gives organizations a way to measure the effectiveness of their cybersecurity risk management efforts. It combines the systems perspective and business practices of the Baldrige Excellence Framework with the concepts, principles, and objectives of the CSF to identify opportunities to improve overall organizational performance.
Both types of frameworks are critical tools for making risk decisions and evaluating safeguards. Threat frameworks characterize malicious cyber activity in varying degrees of detail to help you understand and prioritize current and potential attacks against a given system, infrastructure, service, or organization. The CSF’s controls provide safeguards against many of those activities, including the risk of adversarial attack. As circumstances change and evolve, threat frameworks provide the basis for reevaluating and refining risk decisions using collected data, a common lexicon, and the CSF.
Example threat frameworks include the U.S. Office of the Director of National Intelligence (ODNI) Cyber Threat Framework (CTF), Lockheed Martin’s Cyber Kill Chain®, and the MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) model. Each threat framework depicts a progression of attack steps in which each step builds on the previous one. At the highest level of the model, the ODNI CTF relays this information using four Stages: Preparation, Engagement, Presence, and Consequence. These Stages are decomposed into a hierarchy of Objectives, Actions, and Indicators at three increasingly detailed levels of the CTF. The structure is similar to the Functions, Categories, and Subcategories of the CSF and empowers professionals of varying disciplines to participate in identifying, assessing, and managing security controls. NIST recommends that organizations use a combination of cyber threat frameworks (e.g., the ODNI Cyber Threat Framework) and cybersecurity frameworks (e.g., the CSF) to make risk decisions.
The CPRT provides a centralized, standardized, and modernized mechanism for managing reference datasets (and offers a consistent format for accessing reference data from various NIST cybersecurity and privacy standards, guidelines, and Frameworks). This data can be exported into different data formats so users can draw upon multiple NIST resources to build their own cybersecurity and privacy guidance.
Informative References for the CSF are populated by mapped content from the National Online Informative References (OLIR) Program, which is a NIST effort to facilitate subject-matter experts (SMEs) in defining standardized Online Informative References (OLIRs) between elements of their cybersecurity, privacy, and workforce documents and elements of other cybersecurity, privacy, and workforce documents, like the CSF.
This stage of the OLIR Program’s evolution has primarily focused on relationships to cybersecurity and privacy documents. By following this approach, cybersecurity practitioners can use the OLIR Program as a mechanism for communicating with owners and users of other cybersecurity documents. OLIRs use a simple standard format and are searchable in a centralized repository at https://csrc.nist.gov/projects/olir/informative-reference-catalog.
NIST Interagency or Internal Report (NIST IR) 8278 and IR 8278A provide more details on the OLIR program. IR 8278 focuses on the OLIR program overview and uses, while IR 8278A provides submission guidance for OLIR developers. NIST is happy to aid in this process and can be contacted at olir [at] nist.gov.
NIST engages with international government and industry stakeholders throughout the world on the CSF and other NIST cybersecurity and privacy resources. NIST works closely with the State Department, the International Trade Administration, and other U.S. government agencies as well as with industry partners to identify and engage in opportunities internationally to share information on the CSF. As a result of this direct engagement and participation in various multinational forums, the CSF is used widely internationally; versions 1.1 and 1.0 have been translated into 13 languages, and NIST expects that CSF 2.0 also will be translated by volunteers around the world. Those translations will be added to NIST’s expanding portfolio of CSF resources. These translations as well as other international adaptations of the CSF can be found on the NIST International Cybersecurity and Privacy Resources website. NOTE: The CSF and NIST publications are generally in the public domain and not subject to copyright in the U.S. If you have developed a translation of the CSF, please reach out to cyberframework [at] nist.gov and someone will contact you regarding the process for granting permission to use the CSF outside of the U.S.
NIST also engages with Standards Developing Organizations (SDOs) on efforts related to cybersecurity and privacy, such as the CSF, to promote a standards-based approach to these areas that scales internationally. Over the last 11 years, NIST’s work with the International Organization for Standardization (ISO), in conjunction with the International Electrotechnical Commission (IEC), has helped to align multiple cybersecurity documents. ISO/IEC resources now allow organizations to build cybersecurity frameworks and organize controls using the CSF Functions. NIST plans to continue working with ISO/IEC to maintain this international alignment.
NIST encourages international participation on the CSF and welcomes conversation with international stakeholders. To submit ideas or questions or to discuss opportunities to engage, contact us at cyberframework [at] nist.gov.
A translation is considered a direct, literal translation of the language of a version of the CSF. No content or language is altered in a translation. Current translations can be found on the Translations of NIST Cybersecurity and Privacy Frameworks page.
In contrast, an adaptation is considered a version of the CSF that substantially references language and content but incorporates new, original content. An adaptation can be in any language. Current adaptations can be found on the International Resources page.
Yes. NIST encourages translations of CSF 2.0. After an independent check, NIST will typically post links to translations on external websites. These links appear on NIST’s Translations of NIST Cybersecurity and Privacy Resources page.
Review the NIST Cybersecurity Framework web page for more information, and if you still have questions, please contact NIST via email at cyberframework [at] nist.gov.
Sign up for NIST email alerts to receive updates on the NIST Cybersecurity Framework. The sign-up box is located at the bottom right-hand side of each CSF web page or on the left-hand side of other NIST pages. Once you enter your email address and set up a password, select “Cybersecurity Framework” under the “Subscription Topics” to begin receiving updates on the CSF.
There are many ways to engage with NIST about the CSF, such as:
NIST values all contributions through these processes, and our work products are stronger as a result. If you develop additional resources, NIST would welcome the opportunity to consider them for inclusion on the Resources page.