Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Frequently Asked Questions

Framework Basics

What is the Framework, and what is it designed to accomplish?

Where do I get started?

Is my organization required to use the Framework?

See all questions

Framework Users

Does the Framework apply only to critical infrastructure companies?

Does the Framework benefit organizations that view their cybersecurity programs as already mature?

See all questions

Framework Components

What is the Framework Core and how is it used?

What are Framework Profiles and how are they used?

What are Framework Implementation Tiers and how are they used?

See all questions

Using the Framework

Does the Framework address the cost and cost-effectiveness of cybersecurity risk management?

Can the Framework help manage risk for assets that are not under my direct management? How can the Framework help an organization with external stakeholder communication?

Should the Framework be applied to and by the entire organization or just to the IT department?

See all questions

Small Business Use

Does the Framework apply to small businesses?

Will NIST provide guidance for small businesses? Is there a starter kit or guide for organizations, just getting started with cybersecurity?

See all questions

U.S. Federal Agency Use

Are U.S. Federal agencies required to apply the Framework to Federal information systems?

What is the relationship between the Framework and NIST's Managing Information Security Risk: Organization, Mission, and Information System View (Special Publication 800-39)?

What is the relationship between the Framework and NIST's Guide for Applying the Risk Management Framework to Federal Information Systems (SP 800-37)?

See all questions

Relationship Between the Framework and Other Approaches and Initiatives

What is the relationship between the Cybersecurity Framework and the NICE Cybersecurity Workforce Framework?

What is the relationship between the Cybersecurity Framework and the NIST Privacy Framework?

Is the Framework being aligned with international cybersecurity initiatives and standards?

See all questions


What is the difference between a translation and adaptation of the Framework?

See all questions

Updates to the Cybersecurity Framework

Why is NIST deciding to update the Framework now toward CSF 2.0?

How can I engage in the Framework update process?

Should I use CSF 1.1 or wait for CSF 2.0?

See all questions

Communicating with NIST

Does NIST encourage translations of the Cybersecurity Framework? If so, is there a procedure to follow?

Who can answer additional questions regarding the Framework?

How can I engage with NIST relative to the Cybersecurity Framework?

See all questions

Created February 11, 2015, Updated January 6, 2023