Operationalize NIST CSF across Identify, Protect, Detect, Respond, and Recover
What is NIST CSF?
The NIST Cybersecurity Framework (NIST CSF) is a voluntary, outcome-based set of cybersecurity guidelines published by the National Institute of Standards and Technology. The NIST Cybersecurity Framework gives organizations a shared vocabulary and a prioritized structure for managing cybersecurity risk, measuring program maturity, and communicating security posture to executives, boards, regulators, customers, and insurers.
NIST CSF is not a certification, a control catalog, or a compliance standard. It is a framework — a model that organizes cybersecurity activities into functions, categories, and subcategories so that any organization can describe its current cybersecurity posture, describe its target cybersecurity posture, identify and prioritize opportunities for improvement, assess progress, and communicate cybersecurity risk in a consistent way. Because NIST CSF is technology- and sector-neutral, it has become one of the most widely adopted cybersecurity frameworks in the world, used by Fortune 500 companies, federal contractors, critical infrastructure operators, state and local governments, startups, nonprofits, and multinational enterprises.
NIST origin and Executive Order 13636
The NIST Cybersecurity Framework was created in response to a growing wave of attacks against United States critical infrastructure. In February 2013, President Barack Obama signed Executive Order 13636 — Improving Critical Infrastructure Cybersecurity, which directed NIST to work with industry, academia, and other government agencies to develop a voluntary cybersecurity framework for critical infrastructure operators. The executive order explicitly called for a flexible, repeatable, performance-based, and cost-effective approach that could scale from small municipal utilities to the largest financial institutions.
NIST published version 1.0 of the NIST Cybersecurity Framework in February 2014 after a year of public workshops, industry comment periods, and collaboration with more than three thousand individuals and organizations. The first version of NIST CSF introduced the five core functions — Identify, Protect, Detect, Respond, and Recover — along with the concept of framework profiles and implementation tiers. Even though NIST CSF was designed for critical infrastructure, organizations in every sector quickly adopted it because it filled a gap that prescriptive standards did not: a business-friendly model for talking about cybersecurity risk.
The evolution of NIST CSF
In April 2018, NIST released NIST CSF version 1.1. This incremental update clarified existing guidance, added a new Supply Chain Risk Management category (ID.SC), improved the self-assessment language, and added authentication and identity proofing subcategories. NIST CSF 1.1 contained 108 subcategories grouped under 23 categories across the five functions, and it remained the dominant version of the NIST Cybersecurity Framework for six years.
In February 2024, NIST published NIST CSF 2.0 — the first major revision of the NIST Cybersecurity Framework. NIST CSF 2.0 expanded the scope of the framework beyond critical infrastructure, added a brand-new sixth function called Govern, reorganized several categories, and introduced a richer set of implementation resources including quick-start guides, informative references, and community profiles.
NIST CSF 2.0 changes
The jump from NIST CSF 1.1 to NIST CSF 2.0 is the most significant update the NIST Cybersecurity Framework has ever received. The changes are not cosmetic — they reshape how organizations are expected to structure and govern their cybersecurity programs.
Highlights of NIST CSF 2.0:
- A sixth function — Govern (GV) — elevates cybersecurity governance from a sub-category under Identify to a standalone top-level function covering organizational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management.
- Explicit scope expansion — NIST CSF 2.0 applies to organizations of any size, sector, or maturity level, not just critical infrastructure. Small-business quick-start guides, community profiles, and sector-specific profiles make the NIST Cybersecurity Framework accessible to organizations that previously found NIST CSF 1.1 too enterprise-centric.
- Stronger supply chain focus — GV.SC expands the NIST CSF treatment of third-party risk, supplier due diligence, and software supply chain security, reflecting the lessons of SolarWinds, Kaseya, Log4j, and MOVEit.
- Improved implementation guidance — NIST CSF 2.0 ships with a companion CSF Reference Tool and searchable informative references that map NIST CSF subcategories to NIST SP 800-53, ISO 27001, CIS Controls, SOC 2, and more.
- Refreshed implementation tiers — the four-tier maturity model (Partial, Risk-Informed, Repeatable, Adaptive) now explicitly incorporates governance and supply chain considerations.
For a deep dive into every structural and categorical change between NIST CSF 1.1 and NIST CSF 2.0, see our NIST CSF 2.0 changes guide.
The six core functions of NIST CSF 2.0
The NIST Cybersecurity Framework organizes cybersecurity activity into a small number of top-level functions. NIST CSF 1.1 defined five functions; NIST CSF 2.0 defines six. Each function represents a category of outcomes that a mature cybersecurity program must deliver, and each function decomposes into categories and subcategories that describe the outcomes in progressively more specific terms.
The six NIST CSF 2.0 functions are:
Govern (GV)
The Govern function — new in NIST CSF 2.0 — establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policy. Govern is the leadership and accountability layer of NIST CSF. It sits above the other five functions and informs everything the organization does to identify, protect, detect, respond, and recover. Deep dive: NIST CSF Govern function.
Identify (ID)
The Identify function develops an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. Identify is where you inventory what you have, understand the business context in which it operates, and decide what matters most. Without Identify, the rest of the NIST Cybersecurity Framework has nothing to act on. Deep dive: NIST CSF Identify function.
Protect (PR)
The Protect function implements safeguards to ensure delivery of critical services and limit or contain the impact of cybersecurity events. Protect encompasses identity and access management, awareness and training, data security, information protection processes, maintenance, and protective technology. Deep dive: NIST CSF Protect function.
Detect (DE)
The Detect function develops and implements appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. Detect covers continuous monitoring, anomaly analysis, and detection processes — the telemetry, alerting, and threat-hunting capabilities that surface attacks as they happen. Deep dive: NIST CSF Detect function.
Respond (RS)
The Respond function contains activities to take action regarding a detected cybersecurity incident. Respond covers incident response planning, communications, analysis, containment, eradication, and lessons-learned improvements. A strong Respond capability is what separates a contained incident from a front-page breach. Deep dive: NIST CSF Respond function.
Recover (RC)
The Recover function contains activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Recover covers recovery planning, improvements, and communications. Recover is how organizations return to normal operations while capturing lessons learned to strengthen the program. Deep dive: NIST CSF Recover function.
Together, the six NIST CSF functions describe the complete cybersecurity lifecycle. Mature organizations operate all six functions simultaneously and continuously, not in a linear sequence.
NIST CSF implementation tiers
NIST CSF uses implementation tiers to describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the NIST Cybersecurity Framework. The four tiers are not a maturity scale in the traditional sense — NIST is careful to say that Tier 4 is not required for every organization. Instead, implementation tiers help organizations choose an appropriate level of rigor given their risk tolerance, mission, regulatory obligations, threat environment, and resources.
- Tier 1 — Partial: Cybersecurity risk management is ad hoc and reactive. Policies are informal, risk awareness is limited, and supply chain considerations are rarely formalized.
- Tier 2 — Risk-Informed: Risk management practices are approved by management but may not be established organization-wide. Cybersecurity activities consider organizational risk objectives.
- Tier 3 — Repeatable: Formal policies exist and are applied consistently. The organization has the people, processes, and tooling to operate the NIST Cybersecurity Framework repeatably.
- Tier 4 — Adaptive: The organization adapts its cybersecurity practices based on lessons learned, threat intelligence, and changes in the business environment. Cybersecurity risk management is part of the organizational culture.
For a complete walkthrough of each tier, including how to select a target tier and move between tiers, see our NIST CSF implementation tiers guide.
NIST CSF framework profiles
A framework profile is the unique alignment of NIST CSF functions, categories, and subcategories with the organization's business requirements, risk tolerance, and resources. Profiles are the tool that turns the NIST Cybersecurity Framework from a generic model into a specific plan for a specific organization.
NIST CSF supports two kinds of profiles:
- A Current Profile describes the cybersecurity outcomes the organization is achieving today.
- A Target Profile describes the cybersecurity outcomes the organization wants to achieve.
The gap between the Current Profile and the Target Profile becomes a prioritized roadmap: which NIST CSF subcategories need investment, in what order, and at what cost. Community profiles published by NIST (for small business, healthcare, financial services, manufacturing, and others) give organizations a head start by providing pre-built Target Profiles tailored to specific sectors.
For a complete framework profiles walkthrough — including how to build your first profile, how to use community profiles, and how to link profiles to your control framework — see NIST CSF framework profiles.
NIST CSF categories and subcategories
Below the function layer, NIST CSF decomposes cybersecurity activity into categories and subcategories. Categories group related outcomes within a function (for example, Asset Management, Access Control, Continuous Monitoring), and subcategories express specific outcome statements that a mature program should achieve.
- NIST CSF 1.1 defined 23 categories and 108 subcategories across the five original functions.
- NIST CSF 2.0 reorganized the catalog around six functions. After consolidation, NIST CSF 2.0 contains roughly 106 subcategories grouped under 22 categories, with Govern contributing six new categories of its own.
Every NIST CSF subcategory is written as an outcome — for example, "PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization." NIST intentionally avoids prescribing specific technologies, controls, or implementation details. Instead, NIST CSF provides informative references that map each subcategory to specific controls in NIST SP 800-53, ISO 27001 Annex A, CIS Critical Security Controls, COBIT, and other authoritative sources. This outcome-first design is what makes NIST CSF work across industries, company sizes, and technology stacks.
Mapping NIST CSF to other frameworks
One of the most valuable properties of the NIST Cybersecurity Framework is its ability to act as a unifying layer across multiple compliance regimes. Organizations that need to satisfy SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, FedRAMP, CMMC, and NIST SP 800-171 at the same time can use NIST CSF as the "Rosetta Stone" that maps each requirement to a common set of outcomes.
For federal contractors in particular, NIST CSF acts as the governance umbrella above NIST SP 800-171 and CMMC, both of which are derived from the NIST family of publications. A NIST CSF Target Profile that references NIST SP 800-53 informative references can be reused — with minor adjustments — as an ISO 27001 Statement of Applicability, a SOC 2 Trust Services Criteria mapping, and a HIPAA Security Rule crosswalk.
For a detailed crosswalk between NIST CSF and the major compliance frameworks — including worked examples of how a single NIST CSF subcategory maps to multiple standards — see Mapping NIST CSF to other frameworks. If you are actively building that mapping into a live compliance program, our NIST CSF mapping compliance guide walks through the operational mechanics.
Who uses NIST CSF?
The NIST Cybersecurity Framework started as a voluntary framework for United States critical infrastructure. A decade later, NIST CSF is used by:
- Critical infrastructure operators — energy, water, transportation, communications, healthcare, and financial services organizations that fall under the 16 critical infrastructure sectors originally targeted by Executive Order 13636.
- Federal agencies and federal contractors — Executive Order 13800 required federal agencies to use NIST CSF to manage cybersecurity risk. Agencies and their contractors routinely use NIST CSF alongside NIST SP 800-171 and the CMMC program.
- State, local, tribal, and territorial (SLTT) governments — many states have adopted NIST CSF as the baseline cybersecurity model for agencies and municipal systems.
- Large enterprises — Fortune 500 companies use NIST CSF to communicate cybersecurity risk to boards, investors, insurers, and regulators.
- Small and mid-sized businesses (SMBs) — especially after NIST CSF 2.0, which ships with SMB-specific quick-start guides and community profiles.
- Non-US organizations — NIST CSF is widely used outside the United States as a practical cybersecurity model that complements ISO 27001 and other international standards.
- Insurers and investors — cyber insurance carriers and private-equity diligence teams increasingly ask portfolio companies to report maturity against NIST CSF as evidence of disciplined cybersecurity risk management.
The common thread is that NIST CSF works for any organization that needs to manage cybersecurity risk and communicate that risk to non-technical stakeholders. That is essentially every organization.
NIST CSF vs NIST SP 800-53 vs NIST SP 800-171
NIST publishes dozens of cybersecurity documents, and three of them — NIST CSF, NIST SP 800-53, and NIST SP 800-171 — are often confused. Here is how they differ and how they fit together.
- NIST CSF (Cybersecurity Framework) is an outcome-based framework. It defines what cybersecurity outcomes to achieve (the subcategories) but does not tell you exactly how to achieve them. NIST CSF is voluntary, technology-neutral, and applies to any organization.
- NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) is a comprehensive control catalog. SP 800-53 contains more than one thousand security and privacy controls organized into families such as Access Control (AC), Audit and Accountability (AU), and System and Communications Protection (SC). NIST SP 800-53 is mandatory for US federal information systems under FISMA and the Risk Management Framework (RMF).
- NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) is a derived subset of NIST SP 800-53 focused on protecting Controlled Unclassified Information (CUI) in nonfederal systems. SP 800-171 is mandatory for any organization that handles CUI on behalf of the federal government and forms the basis for CMMC.
The relationship between the three is straightforward: NIST CSF describes the outcomes, NIST SP 800-53 and NIST SP 800-171 describe the controls that deliver those outcomes, and the NIST CSF informative references tell you which 800-53 and 800-171 controls satisfy each NIST CSF subcategory. Organizations use NIST CSF to frame the strategy and use NIST SP 800-53 or NIST SP 800-171 to implement the controls.
Federal contractors that handle CUI will typically use all three: NIST CSF for executive communication and maturity scoring, NIST SP 800-171 as the binding control baseline, and NIST SP 800-53 as the deeper reference catalog.
Getting started with NIST CSF
Implementing the NIST Cybersecurity Framework does not require a multi-year consulting engagement. A typical first NIST CSF implementation follows a repeatable pattern:
- Scope and prioritize — decide which parts of the organization are in scope for this iteration of NIST CSF. Startups often scope the entire company. Enterprises may scope a business unit, a product line, or a critical system.
- Build a Current Profile — score the organization's current performance against each NIST CSF subcategory. Be honest. Many organizations discover that half of their NIST CSF subcategories are informal or partially implemented.
- Build a Target Profile — decide what level of NIST CSF maturity the organization needs. Community profiles and sector profiles published by NIST are excellent starting points.
- Perform a gap analysis — the delta between Current and Target is your NIST CSF roadmap. Prioritize by business impact, risk, and cost.
- Select implementation tiers — match each part of the program to an appropriate tier. Not every subcategory needs to be Tier 4.
- Execute and measure — track initiatives, re-score the NIST CSF profile quarterly, and report progress to leadership.
- Map to other frameworks — reuse the NIST CSF profile as the source of truth for SOC 2, ISO 27001, HIPAA, and CMMC evidence.
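The profile-and-gap workflow above (Current Profile, Target Profile, gap analysis, tier selection, crosswalk to other frameworks) as a small, added Python example; it is not part of the original page and not episki's code. The subcategory scores, the impact and cost weights, and the crosswalk entries are assumptions constructed for the example, not NIST's official informative references.

```python
from dataclasses import dataclass

# NIST CSF implementation tiers as described on this page: 1 = Partial ... 4 = Adaptive
TIERS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass(frozen=True)
class Outcome:  # one CSF subcategory scored in both the Current and the Target Profile
    subcategory: str   # CSF 2.0 subcategory identifier, e.g. "PR.AA-01"
    current: int       # tier achieved today (Current Profile)
    target: int        # tier the Target Profile requires
    impact: int        # business impact of leaving the gap open, 1 (low) to 5 (high)
    cost: int          # relative effort to close the gap, 1 (low) to 5 (high)

# Illustrative crosswalk constructed for this example; use NIST's published
# informative references for the authoritative subcategory-to-control mapping.
CROSSWALK = {
    "PR.AA-01": {"SP 800-53": ["IA-2", "IA-4", "IA-5"], "ISO 27001": ["A.5.16"]},
    "DE.CM-01": {"SP 800-53": ["AU-6", "SI-4"], "ISO 27001": ["A.8.16"]},
    "GV.SC-01": {"SP 800-53": ["SR-1"], "ISO 27001": ["A.5.19"]},
}

def gap_analysis(profile, crosswalk=CROSSWALK):
    """Return open gaps, highest priority first: priority = tiers to climb * impact / cost,
    so a cheap, high-impact fix of a large gap rises to the top of the roadmap."""
    gaps = []
    for o in profile:
        if o.current not in TIERS or o.target not in TIERS:
            raise ValueError(f"{o.subcategory}: tiers must be 1..4")
        if o.current >= o.target:
            continue  # already at or above target: not on the roadmap
        gap = o.target - o.current
        gaps.append({
            "subcategory": o.subcategory,
            "from": TIERS[o.current], "to": TIERS[o.target],
            "priority": round(gap * o.impact / o.cost, 2),
            "controls": crosswalk.get(o.subcategory, {}),
        })
    return sorted(gaps, key=lambda g: (-g["priority"], g["subcategory"]))

def evidence_reuse(gaps):
    """Collect the external controls the roadmap touches, per framework, so evidence
    gathered once for a gap can be reused as SOC 2, ISO 27001 or 800-171 evidence."""
    by_framework = {}
    for g in gaps:
        for framework, controls in g["controls"].items():
            by_framework.setdefault(framework, set()).update(controls)
    return {fw: sorted(c) for fw, c in by_framework.items()}

# Constructed sample profile: the scores are invented for this example.
SAMPLE_PROFILE = [
    Outcome("PR.AA-01", current=2, target=4, impact=5, cost=2),
    Outcome("DE.CM-01", current=1, target=3, impact=4, cost=4),
    Outcome("GV.SC-01", current=3, target=3, impact=3, cost=3),
    Outcome("ID.AM-01", current=2, target=3, impact=2, cost=1),
]

if __name__ == "__main__":
    for g in gap_analysis(SAMPLE_PROFILE):
        print(g["subcategory"], g["from"], "->", g["to"], "priority", g["priority"])
    print(evidence_reuse(gap_analysis(SAMPLE_PROFILE)))
```

Re-scoring the Current Profile each quarter and re-running the analysis gives the trend line leadership expects; the tie-break on subcategory ID keeps the ordering stable between runs.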
episki was built for exactly this workflow. episki turns NIST CSF into a live scorecard: you import or build a Current Profile, choose a Target Profile, and episki generates the initiatives, tasks, and evidence collection needed to close the gap — all mapped to your other frameworks automatically. If you are starting from scratch or migrating from NIST CSF 1.1 to NIST CSF 2.0, episki can help you skip the spreadsheet phase entirely.
Ready to operationalize the NIST Cybersecurity Framework? Start a trial, import your controls, and share a NIST CSF scorecard with leadership the same day.
NIST CSF outcomes with episki
Why teams choose episki for NIST CSF
- Gap analysis highlights missing outcomes
- Auto-generated improvement initiatives
- Budget impact estimates for leadership
- Connect SIEM, EDR, and cloud posture tools
- AI summarizes incidents for exec updates
- Workflows escalate unreviewed alerts
- Customizable scorecards for customers or partners
- Trend lines show quarter-over-quarter improvements
- Trust room access with expiring links
NIST CSF launch guide
Plug episki into your stack and work directly from this checklist during the free trial.
- ✓ Baseline maturity assessment
- ✓ Control library mapped to CSF categories
- ✓ Initiative tracker with due dates and owners
- ✓ Risk register tied to CSF outcomes
- ✓ Executive report template