A German mid-market company wants to present its cybersecurity programme to the supervisory board: no prior knowledge at the board, no consulting jargon, no Excel sheet with 200 rows. The CISO team picks the NIST Cybersecurity Framework as the narrative scaffold: six functions, a 1-to-4 rating for each, a one-page board report. Three months later the supervisory board decides the security budget for the next fiscal year based on that single page. Whatever does not fit into the framework does not reach the board. NIST CSF is today one of the most widely used leadership-language frameworks for cybersecurity worldwide.
The NIST Cybersecurity Framework was developed by the US National Institute of Standards and Technology in response to a 2013 presidential executive order (EO 13636); version 1.0 was published in February 2014, originally for critical infrastructure operators, and the framework is now used globally across all sectors. It is free to use, technology-neutral and not certifiable. The current version 2.0 was released in February 2024; its headline change is the new Govern function, and its scope was explicitly widened from critical infrastructure to organisations of every size and sector.
What does the standard cover?
The framework is structured into three components: the Core (six functions, broken down into categories and subcategories that describe outcomes, not controls), the Implementation Tiers (a 1-to-4 scale for how rigorously risk management practices are applied) and the Profiles (a target-to-current comparison per organisation).
The six functions (CSF 2.0)
- Govern (GV). Cybersecurity strategy, roles, risk appetite, supply chain governance, legal and regulatory requirements. New in version 2.0 and positioned before Identify because governance precedes all other functions.
- Identify (ID). Asset management, risk assessment, improvement (lessons learned flow back into the programme). What actually needs to be protected, and how exposed is it? Business environment and risk management strategy, which sat here in version 1.1, moved to Govern in 2.0.
- Protect (PR). Identity management, authentication and access control; awareness and training; data security; platform security; technology infrastructure resilience. Safeguards for the identified assets.
- Detect (DE). Continuous monitoring, adverse event analysis. How quickly is an attack or disruption noticed?
- Respond (RS). Incident management, incident analysis, incident response reporting and communication, incident mitigation. What happens once something has been detected?
- Recover (RC). Incident recovery plan execution, incident recovery communication. How does the business carry on after an incident?
Each function breaks down into categories (for example ID.AM for asset management) and subcategories (for example ID.AM-01: inventories of hardware managed by the organisation are maintained). CSF 2.0 has 22 categories and 106 subcategories.
Implementation Tiers (often used as a maturity scale)
| Tier | Label | Characteristic |
|---|---|---|
| Tier 1 | Partial | Ad hoc and reactive; limited risk awareness, no organisation-wide steering |
| Tier 2 | Risk Informed | Management is aware of risk and approves practices, but they are not organisation-wide policy |
| Tier 3 | Repeatable | Formal policy, established processes applied organisation-wide and regularly reviewed |
| Tier 4 | Adaptive | Continuous improvement driven by lessons learned, threat intelligence and predictive indicators |
NIST itself states that the Tiers are not maturity levels and that “Tier 4 is better” is the wrong reading: the right level depends on business model, threat landscape and regulatory pressure. A bakery gets by with Tier 2, whereas a bank needs Tier 3 or 4. Formally a Tier is assigned to an organisation’s profile as a whole; scoring individual subcategories on the same 1-to-4 scale is a widespread assessment practice, not part of the framework.
Profiles — target vs. current
A Current Profile describes today’s state per subcategory, a Target Profile the desired state. The gap between them yields the roadmap: every subcategory where target exceeds current is a candidate measure, prioritised by the size of the gap and the business criticality of the outcome. Profiles are the actual working instrument in day-to-day operations; the Core and the Tiers only provide the vocabulary.
Application in practice
NIST CSF is typically used in one of three modes:
Maturity assessment. An organisation rates each subcategory on the 1-to-4 scale (current state), defines the target and produces a prioritised roadmap. Consulting firms offer standardised assessments with workshops and heatmaps. Bear in mind that NIST applies Tiers to the whole profile rather than to single subcategories, so two assessors’ per-subcategory scores are only comparable if they agreed on the scoring criteria beforehand.
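The profile gap analysis described in the two passages above (Profiles, and the maturity-assessment mode) reduces to a small, testable computation. The following is an added example, not code from the page or from NIST: it scores each subcategory 1 to 4 for current and target state, weights the gap by a business-criticality factor that is assumed to be agreed in the workshop, produces the prioritised roadmap, rolls the numbers up per function for the one-page board report, and flags roadmap items that have no existing measure mapped to them. The subcategory identifiers are real CSF 2.0 identifiers; the tiers, weights and the ISO 27001 control mapping in the sample profile are constructed for illustration.

```python
"""Current-vs-target profile gap analysis on a CSF 2.0-style subcategory list (added example)."""
from dataclasses import dataclass
import re

# CSF 2.0 identifiers look like FUNCTION.CATEGORY-NN, e.g. ID.AM-01.
SUBCATEGORY_ID = re.compile(r"^(GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}$")
TIERS = range(1, 5)          # the 1-to-4 scale used for both current and target state
WEIGHTS = (1, 2, 3)          # business criticality; assumption: agreed per subcategory in the workshop


@dataclass(frozen=True)
class ProfileEntry:
    subcategory: str
    current: int             # assessed today
    target: int              # the state the organisation wants to reach
    weight: int = 1          # business criticality 1-3 (assumption, see WEIGHTS)
    controls: tuple = ()     # existing measures already mapped to this outcome (e.g. ISO 27001 controls)

    def __post_init__(self):
        # Reject typos in identifiers and out-of-range scores at construction time,
        # so a broken spreadsheet export cannot silently distort the board numbers.
        if not SUBCATEGORY_ID.match(self.subcategory):
            raise ValueError(f"not a CSF 2.0 subcategory id: {self.subcategory!r}")
        for tier in (self.current, self.target):
            if tier not in TIERS:
                raise ValueError(f"tier out of range 1-4: {tier}")
        if self.weight not in WEIGHTS:
            raise ValueError(f"weight must be one of {WEIGHTS}: {self.weight}")

    @property
    def function(self) -> str:
        return self.subcategory[:2]

    @property
    def gap(self) -> int:
        # Over-achievement (current above target) is not a gap; it is budget to reallocate.
        return max(0, self.target - self.current)

    @property
    def priority(self) -> int:
        return self.gap * self.weight


def roadmap(profile):
    """Subcategories with a gap, highest priority first; ties broken by id so the order is stable."""
    return sorted((e for e in profile if e.gap), key=lambda e: (-e.priority, e.subcategory))


def function_rollup(profile):
    """Per function code: (mean current tier, mean target tier), the figures a one-page report shows."""
    by_function = {}
    for entry in profile:
        by_function.setdefault(entry.function, []).append(entry)
    return {
        fn: (round(sum(e.current for e in es) / len(es), 2), round(sum(e.target for e in es) / len(es), 2))
        for fn, es in by_function.items()
    }


def unmapped_roadmap_items(profile):
    """Roadmap items with no existing control mapped: these need a new measure, not a stretched one."""
    return [e.subcategory for e in roadmap(profile) if not e.controls]


# Constructed sample profile; tiers, weights and control mapping are illustrative only.
SAMPLE_PROFILE = (
    ProfileEntry("GV.RM-01", current=1, target=3, weight=3, controls=("ISO 27001 clause 6.1",)),
    ProfileEntry("ID.AM-01", current=2, target=3, weight=2, controls=("ISO 27001 A.5.9",)),
    ProfileEntry("PR.AA-01", current=2, target=4, weight=3),
    ProfileEntry("PR.DS-01", current=3, target=3, weight=1),
    ProfileEntry("DE.CM-01", current=1, target=3, weight=2),
    ProfileEntry("RS.MA-01", current=3, target=3, weight=2),
    ProfileEntry("RC.RP-01", current=2, target=3, weight=3, controls=("ISO 27001 A.5.30",)),
)

if __name__ == "__main__":
    print("Roadmap (priority, subcategory, current -> target):")
    for e in roadmap(SAMPLE_PROFILE):
        print(f"  {e.priority:2d}  {e.subcategory}  {e.current} -> {e.target}")
    print("Per-function rollup (current, target):", function_rollup(SAMPLE_PROFILE))
    print("Roadmap items without an existing control:", unmapped_roadmap_items(SAMPLE_PROFILE))
```

The weighting is deliberately simple (gap times criticality) so that the board can follow how an item got to the top of the list; a real assessment would also record the evidence behind each current score, because that is what the next year’s update and any external validation will be checked against.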
Overarching structuring grid. Existing measures (for example from ISO 27001) are mapped to CSF subcategories to provide a uniform reporting language to the supervisory board or to US business partners.
Supplier assessment. Some large enterprises require suppliers to self-assess against NIST CSF, without external assessment but with documented profiles.
Mapping to other standards
| Standard | Relation to NIST CSF |
|---|---|
| ISO/IEC 27001 | Structurally similar; NIST’s informative references link ISO/IEC 27001 controls to the subcategories, so an existing ISMS can be reported in CSF language |
| NIST SP 800-53 | Detailed US control catalogue; the CSF lists SP 800-53 controls as informative references for each subcategory |
| NIST SP 800-171 | Protection of Controlled Unclassified Information (CUI) in non-federal systems; derived from SP 800-53 |
| CIS Controls | Concrete technical measures; CIS mapping tables to CSF subcategories are available |
| BSI IT-Grundschutz | Overlaps in content; BSI has published its own mapping aids |
| DORA | NIST CSF works well as an organising grid for the DORA requirements on ICT risk management |
| CMMC (Cybersecurity Maturity Model Certification) | Mandatory US DoD standard for defence suppliers, based on NIST SP 800-171 |
Implementation effort
Initial maturity assessment: 4-8 weeks with external support, depending on organisation size and data availability. Workshops with 4-8 key people, analysis and preparation as a supervisory board report.
Building a CSF-based programme (SME): 6-12 months, then 0.2-0.5 FTE for ongoing maintenance of profiles and maturity updates.
Building a CSF-based programme (mid-market and up): 12-24 months for the initial roadmap implementation, then 1-3 FTEs for ongoing operation (often combined with the ISMS function).
Recurring costs: annual maturity updates, external validation (optional, typically every 2-3 years), training, tooling for profile maintenance. The NIST documents themselves are free.
Related standards
- ISO/IEC 27001: certifiable ISMS standard; combines well with CSF as a reporting layer.
- CIS Controls: concrete technical implementation of NIST CSF subcategories.
- BSI IT-Grundschutz: detailed measure catalogues with CSF mapping aids.
- DORA: European ICT resilience regulation; CSF serves well as a structuring grid.
Sources
- NIST Cybersecurity Framework 2.0 — official page with all documents
- NIST CSF 2.0 — Final Document (PDF) — authoritative version
- NIST CSF Quick Start Guides — entry-level guidance for SMEs, supply chains, privacy
- NIST SP 800-53 Rev. 5 — detailed control catalogue