Skip to Content
Governance and Compliance

What Is the NIST CSF (Cybersecurity Framework)?

The NIST CSF (Cybersecurity Framework) is the cyber risk management framework maintained by the US standards institute (NIST), free and voluntary, used by organizations of any size and sector to organize their security posture around six functions: Govern, Identify, Protect, Detect, Respond and Recover. Version 2.0, published in February 2024, is the current one.

Zamak TechnologiesUpdated on July 10, 2026

How the NIST CSF organizes cybersecurity

The framework is not a shopping list of tools, it is a common language for mapping where a company stands and where it needs to go, built around six functions that support each other.

1

Govern sets the direction

Cyber risk strategy, roles, policy and oversight. It is the newest function (added in version 2.0) and the one that underpins all the others.

2

Identify maps what exists

Assets, data, vendors and the risks that threaten each one. You cannot protect what the company does not know it has.

3

Protect and Detect reduce and see the risk

Access controls, backup and training (Protect) work alongside continuous monitoring (Detect) to lower the odds of an incident and shorten the time to notice one.

4

Respond and Recover close the loop

A tested response plan (Respond) and a proven ability to get back to operating (Recover) turn an incident from a permanent crisis into a managed interruption.

Source: NIST Cybersecurity Framework 2.0 (National Institute of Standards and Technology, Feb. 2024).

The 6 functions of NIST CSF 2.0

  • Govern Cyber risk strategy, roles and policy. The new function in version 2.0.
  • Identify Inventory of assets, data and vendor risk.
  • Protect Access control, backup, training, technical safeguards.
  • Detect Continuous monitoring to find anomalies and incidents.
  • Respond The action plan for when an incident happens.
  • Recover The ability to restore operations after the incident.

Why the CSF became a reference even though it is voluntary

6
functions in NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond and Recover
22/106
categories and subcategories spread across the 6 functions
4
implementation Tiers, from Partial to Adaptive, that describe the rigor of risk management

The NIST CSF is not legally mandatory, but it became the common vocabulary among auditors, insurers and boards precisely because it is free, public and applicable to any sector. Version 2.0 widened that reach: it used to speak mostly to critical infrastructure, now it addresses organizations of any size, including small and mid-size businesses. The framework includes 22 categories and 106 subcategories spread across the 6 functions, and to describe the rigor of that risk management, NIST defines 4 implementation Tiers, from Partial (reactive, ad hoc) to Adaptive (proactive, continuously improving). Without that maturity picture, “we are secure” is an opinion, not a measurement.

How a company starts using the NIST CSF

The framework is flexible by design, but the starting point tends to be the same:

  1. Build the current profileAssess, function by function, where the company stands today. The point is not a perfect score on the first pass, it is an honest baseline.
  2. Set the target profileDecide, based on real business risk (not fear), how far each function needs to advance.
  3. Prioritize the gap, not everything at onceThe distance between the current and target profile becomes the investment roadmap, ordered by what reduces the most risk first.
  4. Review every cycleThe CSF is not a one-time project, it is a cycle. As the threat changes, the target profile has to change too.

In practice

The question the Govern function answers: if an incident happened today, does someone at the top of the company know, by heart, who decides what, or will that be figured out in the middle of the crisis?

How Zamak applies the NIST CSF

Zamak Technologies organizes its cybersecurity and compliance delivery around the 6 NIST CSF functions, from governance to recovery, within Governance and Compliance in the Zamak Method. The Compliance Audit Express uses the same kind of domain-by-domain read to show, in minutes, where the company is most exposed.

Frequently asked questions about the NIST CSF

Is the NIST CSF mandatory?
No, it is voluntary and free. But contracts, insurers and regulators increasingly use CSF language as a reference, even when they do not formally require the framework.
What is the difference between the NIST CSF and ISO 27001?
Both organize security risk management, but the CSF is free, more focused on risk and function (what to do), while ISO 27001 is a certifiable standard, with a management system auditable by an external body.
What changed between CSF 1.1 and 2.0?
Adding the Govern function is the central change, recognizing that strategy and risk oversight come before technical actions. Version 2.0 also widened the target audience, from critical infrastructure to any organization.
Can a small company use the NIST CSF?
Yes, and that is precisely one of the goals of version 2.0: giving a small company the same structured language a large corporation uses, at no license cost.
Are the implementation Tiers mandatory maturity levels?
They are neither mandatory nor a pass/fail scale. They are a way for a company to describe, to itself and to others, how integrated and proactive its risk management is, from Partial to Adaptive.
Does the NIST CSF replace a cyber maturity assessment?
No, it is the basis for one. The CSF's own implementation Tiers are already a type of maturity assessment, and other models, like C2M2, use the CSF as a reference.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake