NIST Cybersecurity Framework Explained for Beginners (CSF 2.0)
- Nas Belfon
- 1 day ago
- 4 min read

What it is, how the 6 functions work, and why understanding it could land you your first security job

Most small businesses have never heard of NIST CSF. But it's the most widely used cybersecurity framework in the world — and understanding it could land you your first security job.
If you've been studying for the CISSP, Security+, or any governance or risk certification, you've almost certainly come across NIST. But it can feel overwhelming. Six functions. Categories and subcategories. Implementation Tiers. Profiles. Where do you even start?
In this post, I'm going to break down the NIST Cybersecurity Framework 2.0 in plain English. No jargon. No fluff. Just what it is, how it works, who uses it, and why it matters for your career.
What Is the NIST Cybersecurity Framework?
NIST stands for the National Institute of Standards and Technology — a US government agency that creates standards and guidelines used across industries. The Cybersecurity Framework (CSF) was originally released in 2014, following an executive order directing NIST to develop a voluntary framework for critical infrastructure organisations.
Here's the keyword: voluntary. NIST CSF isn't a law. It isn't a regulation. It's a best-practice framework that organisations choose to adopt because it works.
In February 2024, NIST released CSF 2.0 — a significant update that added a brand-new sixth function, GOVERN, and expanded guidance on supply chain risk and AI. That's the version we're covering here.
Why CSF 2.0 Matters
CSF 2.0 is the most current version — and the one that appears on your certification exams.
The addition of GOVERN reflects a major shift: cybersecurity is now viewed as a business governance issue, not just an IT problem.
Understanding this shift is exactly the kind of thinking that gets you promoted from analyst to manager.
How Does It Work? The 6 Core Functions
Think of the CSF as a lifecycle — not a checklist. It describes what a mature cybersecurity program looks like across six interconnected functions. CSF 2.0 arranged them so that GOVERN sits at the centre, supporting everything else.
| Code | Function | What It Means |
| --- | --- | --- |
| GV | GOVERN | Set the strategy: define roles, policies, and risk tolerance. This is the foundation on which everything else rests. |
| ID | IDENTIFY | Know your assets, your risks, and the business context you're trying to protect. |
| PR | PROTECT | Put safeguards in place — access controls, training, data security, and infrastructure resilience. |
| DE | DETECT | Build your ability to spot cybersecurity events and anomalies through continuous monitoring. |
| RS | RESPOND | Have a plan to act when an incident occurs — manage, analyse, communicate, and contain it. |
| RC | RECOVER | Restore your operations after an incident and communicate what happened. |
Here's an analogy to make it stick: imagine a hospital. GOVERN is the leadership setting the safety strategy. IDENTIFY is knowing which patients and equipment are on site. PROTECT is the locked medication cabinets and access badges. DETECT is the alarm system. RESPOND is the emergency response when something goes wrong. RECOVER is getting back to normal operations.
Implementation Tiers: Where Does Your Organisation Sit?
The CSF uses four tiers to describe the maturity of an organisation's cybersecurity risk management practices. Tiers are descriptive — they tell you where you are, not where you must be.
Tier 1 — Partial: Ad-hoc and reactive. No formal risk management. Limited cybersecurity awareness.
Tier 2 — Risk Informed: Some risk practices exist, but not on an organisation-wide basis. Leadership has some awareness.
Tier 3 — Repeatable: Formal, documented processes applied consistently across the organisation.
Tier 4 — Adaptive: Proactive and continuously improving. Real-time risk-based decisions. Lessons learned feed back into the program.
Who Uses NIST CSF and Why?
Originally designed for US critical infrastructure (energy, healthcare, financial services), CSF has been adopted far beyond its original scope. Today it's used by organisations of every size across virtually every sector — including governments outside the US.
Why? Because it's flexible. It doesn't prescribe exactly what controls you must implement. It describes what outcomes you should achieve. That means a small business and a Fortune 500 company can both use CSF at appropriate levels.
Who Uses NIST CSF in Practice
Federal agencies: required by FISMA to align with NIST standards
Healthcare organisations: often use CSF alongside HIPAA compliance programmes
Financial services: banks and insurers use CSF as a governance overlay
Technology companies: SaaS and cloud providers adopt CSF to meet customer requirements
Small businesses: start with basic hygiene using CSF as a guiding structure
Why Should You Care as Someone Entering Cybersecurity?
NIST CSF shows up everywhere. It appears on the CISSP exam (Domain 1: Security and Risk Management). It's referenced in the Security+ exam objectives. It's the language CISOs and compliance teams use when discussing risk programmes.
More importantly, understanding CSF gives you a mental model for the entire field of cybersecurity. Every control you implement, every policy you write, every incident you respond to — it all maps back to one of these six functions. Once you have that map in your head, everything else starts to click.
Nas's Note
When I was preparing for the CISSP, the NIST CSF was the framework that tied everything together for me.
Domain 1 is heavy on risk management and governance — exactly what GOVERN and IDENTIFY cover.
If you can explain CSF clearly in an interview, you stand out from every candidate who just memorized definitions.
How CSF 2.0 Relates to Other Frameworks
ISO 27001: CSF GOVERN and IDENTIFY map closely to ISO 27001 Clauses 4–6. PROTECT aligns with Annex A controls.
SOC 2: CSF PROTECT and DETECT map to SOC 2's Security (Common Criteria) requirements.
CIS Controls: CIS Controls v8 Implementation Groups map directly to CSF functions — IG1 covers basic PROTECT and IDENTIFY.
NIST AI RMF: The AI RMF's GOVERN-MAP-MEASURE-MANAGE functions were designed to complement CSF.
Want to go deeper on NIST CSF 2.0?
Download the NIST CSF 2.0 Quick Reference Card — all 6 functions, categories, and implementation tiers on one printable page. Perfect for exam prep and desk reference.
Summary: What You Should Remember
NIST CSF 2.0 has 6 functions: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
GOVERN is new in 2.0 and sits at the centre of the framework
Tiers (1–4) describe your maturity level — Tier 4 is the goal
CSF is voluntary, flexible, and applies to any organisation size or sector
It maps to ISO 27001, SOC 2, CIS Controls, and NIST AI RMF
Understanding CSF fluently is a genuine career differentiator