NIST CSF stands for the National Institute of Standards and Technology Cybersecurity Framework. The NIST CSF consists of best practices, standards, and guidelines to manage cybersecurity risk. The voluntary framework was created through collaboration between industry and government as a result of Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, issued in February 2013. In addition to helping organizations manage and reduce risks, it was designed to foster communication about risk and cybersecurity management among both internal and external organizational stakeholders.

The framework is divided into three primary parts: the framework core, profile, and tiers.

The NIST CSF core comprises five functions, which are further broken down into categories and subcategories. There are currently 23 categories and 108 subcategories in the NIST CSF. 

The list below provides a quick reference on the NIST Cybersecurity Framework functions and categories:

  • Identify – The risk to information systems, people, assets, and data
      • Asset Management
      • Business Environment
      • Governance
      • Risk Assessment
      • Risk Management Strategy

  • Protect – Critical services delivery
      • Identity Management and Access Control
      • Awareness and Training
      • Data Security
      • Information Protection Process and Procedures
      • Maintenance
      • Protective Technology

  • Detect – The occurrence of a cybersecurity event
      • Anomalies and Events
      • Security Continuous Monitoring
      • Detection Process

  • Respond – Take action in the event of a cybersecurity event
      • Response Planning
      • Communications
      • Analysis
      • Mitigation
      • Improvements

  • Recover – Maintain plans to restore capabilities to impacted services
      • Recovery Planning
      • Improvements
      • Communications

Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization. For additional information, visit

The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. There are four primary Tiers:

  • Tier 1: Partial
  • Tier 2: Risk Informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.

For more detail on the CSF categories and framework tiers, read NIST CSF Categories & Framework Tiers.
