NIST CSF is a specification for an information security management system (ISMS).

What is it?

This is a framework of policies and procedures that includes all legal, physical and technical controls that are involved in an organization’s information risk management. Under the standard, an organization systematically examines the risks, while taking account of the threats, vulnerabilities and impacts. Additionally, it ensures that the organization enforce a management process to make sure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.

What NIST CSF Consists Of

The NIST CSF voluntary framework contains standards and guidelines that will aid an organization in protecting business operations and data against cybersecurity-related risks. While the framework is voluntary, cybersecurity can be a key component to an organization’s critical infrastructure and risk management.

According to the U.S. Patriot Act of 2001, critical infrastructures are “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating effect on national security and other national matters.”

The critical infrastructure community includes public and private owners and operators, and other entities with a role in securing the nation’s infrastructure. Although the framework was designed around the critical infrastructure community, other organizations use the framework and its Tiers to implement and document risk management practices, as well as strengthen any current cybersecurity practices. The intention behind the framework is to be useful to organizations regardless of their focus or size.

What are the elements of NIST CSF?

The framework consists of 5 elements - identify, protect, detect, respond and recover. When considered together, these functions provide a high-level view of an organization’s management of cybersecurity risks. The 5 functions are better described below:

  • IDENTIFY: This is a framework of policies and procedures that includes all legal, physical and technical controls that are involved in an organization’s information risk management and develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities
  • PROTECT: Develop and implement appropriate safeguards to ensure delivery of critical services. Limit or contain the impact of a potential cybersecurity event.
  • DETECT: Develop and implement appropriate activities to identify occurrence of a cybersecurity event
  • RESPOND: Develop and implement appropriate activities to take action regarding a a detected cybersecurity event.
  • RECOVER: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities/ services that were impaired due to a cybersecurity incident.

In addition to the 5 elements, NIST CSF uses 4 Tiers to provide context on how an organization views cybersecurity risk and the process in place to manage the risk. The tiers are described as:


  • cogwheelTIER 1: PARTIAL
    • Information practices exist
    • Limited awareness
    • No cybersecurity coordination


  • balanceTIER 2: RISK INFORMED
    • Manage approved processes and prioritization, but not developed organization-wide
    • High-level awareness exists
    • Adequate resources provided
    • Information sharing and coordination


  • 047-safe copyTIER 3: REPEATABLE
    • Formal policy that defines risk management practices
    • Organization-wide approach with implemented processes
    • Regular formal coordination


  • 031-tabletTIER 4: ADAPTIVE
    • Practices actively adapt based on lessons learned and predictive indicators
    • Active risk management and information information sharing

Learn more about other NIST Compliances:

NIST Compliance Overview

NIST 800-171

NIST 800-53