
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework gives organizations a roadmap to mitigate risk and protect against digital threats. Explore key details and learn how they apply in real-world use cases.
By: James M. Tobin, Edited by: Rebecca Munday
Published: September 22, 2025
In the 21st century, the National Institute of Standards and Technology (NIST) Cybersecurity Framework has emerged as an important model for organizations and agencies seeking to augment their digital defenses.
Learn about the core elements of the NIST Cybersecurity Framework (CSF), compare its implementation tiers, and see how to put the framework into practice in your organization.
History of the NIST Cybersecurity Framework
CSF originated in 2013, with the issuance of Executive Order 13636. The order specified multiple strategic objectives in support of a national cybersecurity framework, establishing a standardized model designed to protect critical infrastructure from cyberattacks.
Since then, the framework has evolved across multiple iterations. As of September 2025, CSF 2.0, released in February 2024, is the most recent update. The framework remains subject to regular review and will likely be comprehensively updated again.
Implementation tiers for the cybersecurity framework
Phase 1 - Partial
At this implementation tier, an organization has only limited awareness of the specific cybersecurity threats it faces. It is defined by a general lack of cohesive organizational cybersecurity policy and instead addresses risks through reflexive responses to particular incidents.
Steps to implement a cybersecurity framework
1. Prioritize and scope
Organizations can adopt a cybersecurity framework at a variety of scopes: for example, the framework could cover an organization's entire operating profile, or be limited to areas with higher security vulnerabilities, such as payment processing, consumer information databases, or banking.
At this stage, organizations define the scope of their framework and prioritize various implementation areas.
2. Orient
This step focuses on research and documentation. It entails reviewing cybersecurity fundamentals and relevant organizational policies, such as:
- Risk profiles
- Risk management strategies
- Business impact assessments
- Functional cybersecurity requirements
3. Create a current profile
The current profile defines and describes the present state of the organization's cybersecurity posture. It indicates where the organization currently stands with respect to the NIST Cybersecurity Framework's core functions and outcomes.
4. Conduct a risk assessment
Based on its current profile, the organization then conducts a comprehensive but high-level review of the cybersecurity risks it presently faces. Risk assessments typically evaluate the potential impacts of cybersecurity breaches on the organization's function, mission, reputation, and public image.
5. Create a target profile
This step defines organizational goals regarding cybersecurity. It identifies a desirable, goal-oriented result of adopting a cybersecurity framework.
6. Determine, analyze, and prioritize gaps
Equipped with both a current and a target profile, the organization can proceed to perform a systematic analysis of the gaps separating the current profile from the target profile. This stage typically culminates in a formal report on the analysis's outcomes.
7. Implement action plan
Based on the gap analysis results, the organization develops an action plan for advancing toward the target profile and then carries that plan out. The action plan may include specific deadlines for meeting the organization's cybersecurity objectives.
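The profile-and-gap procedure in steps 1 through 7, as an added Python example that is not part of this article: scoping weights, a current and a target profile expressed as implementation tiers per CSF function, a ranked gap analysis, and a dated action plan. The six function names and four tier names are NIST's; the priority weights, sample profiles, and the one-tier-per-quarter scheduling rule are constructed assumptions.

```python
from dataclasses import dataclass

# The six CSF 2.0 functions and four tiers are NIST's names; the weights,
# sample profiles and the scheduling rule below are constructed for this example.
FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass(frozen=True)
class Gap:
    function: str
    current: int   # tier today (current profile, step 3)
    target: int    # tier wanted (target profile, step 5)
    priority: int  # weight from scoping (step 1); higher means more urgent

    @property
    def score(self) -> int:
        return (self.target - self.current) * self.priority

def analyze_gaps(current, target, priority, scope=None):
    """Step 6: functions whose target tier exceeds the current tier, ranked by score."""
    for profile in (current, target):  # reject bad input before comparing
        for fn, tier in profile.items():
            if fn not in FUNCTIONS or tier not in TIERS:
                raise ValueError(f"bad profile entry {fn!r}: {tier!r}")
    in_scope = set(scope) if scope is not None else set(FUNCTIONS)
    gaps = []
    for fn in FUNCTIONS:
        if fn in in_scope and fn in target:
            cur = current.get(fn, 1)  # an unassessed function counts as Partial
            if target[fn] > cur:
                gaps.append(Gap(fn, cur, target[fn], priority.get(fn, 1)))
    return sorted(gaps, key=lambda g: (-g.score, FUNCTIONS.index(g.function)))

def action_plan(gaps, months_per_tier=3):
    """Step 7: sequence the gaps in priority order, one tier step per quarter."""
    plan, month = [], 0
    for g in gaps:
        month += (g.target - g.current) * months_per_tier
        plan.append((g.function, TIERS[g.current], TIERS[g.target], month))
    return plan

# Constructed sample profiles for a small organization.
CURRENT = {"Govern": 1, "Identify": 2, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 2}
TARGET = {"Govern": 3, "Identify": 3, "Protect": 3, "Detect": 3, "Respond": 2, "Recover": 2}
PRIORITY = {"Govern": 3, "Protect": 3, "Detect": 2}

if __name__ == "__main__":
    for step in action_plan(analyze_gaps(CURRENT, TARGET, PRIORITY)):
        print(step)
```

Passing a `scope` set restricts the analysis to the areas chosen in step 1, and a function with no entry in the current profile is treated as Partial rather than silently skipped.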