
NIST Cybersecurity Framework — Voluntary Standards for Managing Cyber Risk

10 min read·Updated May 14, 2026


The NIST Cybersecurity Framework (CSF) is the U.S. government's primary voluntary cybersecurity guidance for organizations managing cyber risk — developed by the National Institute of Standards and Technology (NIST) under executive order and congressional directive. First published in 2014 (version 1.0) in response to Executive Order 13636, updated in 2018 (version 1.1), and comprehensively revised in 2024 (version 2.0), the CSF provides a structured approach for any organization — from critical infrastructure operators to small businesses — to understand, assess, and manage cybersecurity risks. While the CSF is voluntary for private sector organizations, it has become the de facto standard for cybersecurity programs across industries. Federal agencies must follow the related but distinct NIST SP 800-53 security controls under FISMA (see FISMA). For federal contractors handling Controlled Unclassified Information (CUI), NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC) program make specific NIST controls mandatory. The CSF is organized around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover — providing a common language for cybersecurity that bridges technical teams, management, and boards of directors.

Current Law (2026)

Publisher: National Institute of Standards and Technology (NIST)
Current version: CSF 2.0 (February 2024)
Legal status: Voluntary for private sector; mandatory elements for federal agencies and contractors
Scope: All organizations — critical infrastructure, businesses, nonprofits, government
Core functions: Govern, Identify, Protect, Detect, Respond, Recover
Related mandates: FISMA (federal agencies — NIST SP 800-53); CMMC (defense contractors — NIST SP 800-171); SEC cyber disclosure rules
Key statute: Cybersecurity Enhancement Act of 2014 (15 U.S.C. § 272) — directed NIST to develop the framework
Adoption: Used by ~50% of U.S. organizations; widely adopted internationally

  • 15 U.S.C. § 272 — NIST authorities, including cybersecurity standards development (as amended by the Cybersecurity Enhancement Act of 2014)
  • Executive Order 13636 (2013) — Improving Critical Infrastructure Cybersecurity (directed NIST to develop the CSF)
  • Cybersecurity Enhancement Act of 2014 — Codified NIST's role in developing voluntary cybersecurity standards
  • NIST SP 800-171 — Protecting Controlled Unclassified Information in Nonfederal Systems (mandatory for defense contractors)
  • 32 C.F.R. Part 170 — CMMC program (DoD final rule, 2024)

How It Works

CSF 2.0 organizes cybersecurity activities into six core functions: Govern (new in 2.0 — establish and monitor cybersecurity risk management strategy and oversight), Identify (understand assets, business environment, and cyber risk), Protect (implement safeguards — access controls, encryption, training, data security), Detect (monitor for cybersecurity events — anomaly detection, continuous assessment), Respond (contain, analyze, communicate, and mitigate incidents), and Recover (restore capabilities — recovery planning, improvements, communications). Each function contains categories and subcategories mapped to specific security outcomes, with each subcategory referencing existing standards (NIST SP 800-53, ISO 27001, CIS Controls, COBIT). The CSF also defines four implementation tiers reflecting cybersecurity maturity: Tier 1 (Partial — ad hoc, reactive); Tier 2 (Risk Informed — management-approved but not organization-wide); Tier 3 (Repeatable — formal, organization-wide, regularly updated); Tier 4 (Adaptive — proactive, continuously improving). Organizations choose a target tier based on risk tolerance, resources, and mission — tiers are not a mandatory progression.
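To make the profile mechanics concrete, here is an added example (not from NIST or this page) of a current-versus-target CSF 2.0 profile gap assessment in Python. The subcategory ids follow the CSF 2.0 naming pattern and the statuses are constructed sample data; the target profile, not the full catalog, sets the assessment scope.

```python
"""Current-vs-target CSF 2.0 profile gap assessment (added example, constructed data)."""

# Function order as CSF 2.0 lists them; Govern is cross-cutting, so it sorts first.
FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")
PREFIX = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
          "DE": "Detect", "RS": "Respond", "RC": "Recover"}
# Degree to which an outcome is achieved, ordered so levels can be compared.
LEVELS = {"none": 0, "partial": 1, "full": 2}

# Constructed sample profiles: subcategory id -> status. Ids follow the CSF 2.0
# pattern <function>.<category>-<nn>; treat them as illustrative, not a catalog.
TARGET = {"GV.OC-01": "full", "ID.AM-01": "full", "PR.AA-01": "full",
          "PR.AA-03": "full", "DE.CM-01": "full", "RS.MA-01": "full",
          "RC.RP-01": "partial"}
CURRENT = {"GV.OC-01": "partial", "ID.AM-01": "full", "PR.AA-01": "full",
           "PR.AA-03": "partial", "DE.CM-01": "none", "RC.RP-01": "partial"}


def function_of(outcome_id: str) -> str:
    """Map an id such as 'PR.AA-01' to its function via the two-letter prefix."""
    return PREFIX[outcome_id.split(".", 1)[0]]


def gap_report(current: dict, target: dict) -> dict:
    """Compare a current profile against a target profile.

    Only outcomes named in the target profile are scored. Per function the
    result carries how many targeted outcomes are already met, the coverage
    fraction (None when the function has no targeted outcomes), and the sorted
    list of (id, have, want) gaps. An outcome missing from the current profile
    counts as 'none', so an unrecorded outcome is never silently treated as met.
    """
    report = {f: {"met": 0, "targeted": 0, "gaps": []} for f in FUNCTIONS}
    for oid, want in target.items():
        have = current.get(oid, "none")
        entry = report[function_of(oid)]
        entry["targeted"] += 1
        if LEVELS[have] >= LEVELS[want]:
            entry["met"] += 1
        else:
            entry["gaps"].append((oid, have, want))
    for entry in report.values():
        entry["coverage"] = (entry["met"] / entry["targeted"]
                             if entry["targeted"] else None)
        entry["gaps"].sort()
    return report


def prioritized_gaps(report: dict) -> list:
    """Flatten the gaps in function order so Govern gaps surface first."""
    return [gap for f in FUNCTIONS for gap in report[f]["gaps"]]


if __name__ == "__main__":
    rep = gap_report(CURRENT, TARGET)
    for f in FUNCTIONS:
        cov = rep[f]["coverage"]
        print(f"{f:9s} {'n/a' if cov is None else f'{cov:.0%}'}")
    for oid, have, want in prioritized_gaps(rep):
        print(f"  gap {oid}: {have} -> {want}")
```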

Though voluntary, the CSF has become the basis for mandatory requirements in multiple contexts: federal agencies must implement NIST SP 800-53 controls under FISMA; defense contractors handling Controlled Unclassified Information (CUI) must implement NIST SP 800-171's 110 security controls and achieve CMMC certification under 32 C.F.R. Part 170 (finalized 2024) — Level 1 (basic, self-assessment), Level 2 (advanced, third-party assessment for most CUI contractors), or Level 3 (expert, government-led assessment for highest-sensitivity programs) — before winning DoD contracts. The SEC's 2023 cyber disclosure rules require public companies to describe their cybersecurity risk management processes, and most reference CSF alignment. Cyber insurance underwriters increasingly use CSF maturity as a pricing and eligibility factor, further extending the framework's practical reach beyond its voluntary origins.

How It Affects You


If you lead or work at a business in any regulated sector: The "voluntary" label is practically misleading for most organizations. Financial services regulators (OCC, FDIC, NCUA), healthcare regulators (HHS/OCR under HIPAA), and energy regulators (FERC, NRC) all benchmark cybersecurity programs against the CSF — an ad hoc program that can't map to CSF functions will struggle in an examination. Cyber insurance underwriters increasingly use CSF alignment and implementation tier as underwriting factors: a Tier 1 (ad hoc) security posture can mean 30-50% higher premiums, sublimits on ransomware coverage, or outright exclusions. The SEC's 2023 cyber disclosure rules require publicly traded companies to describe their cybersecurity risk management processes (annual 10-K/20-F), with material cybersecurity incidents requiring 8-K disclosure within four business days of determining materiality. Ohio's safe harbor law (2018) provides litigation protection against negligence-based data breach claims for companies that implement and maintain a recognized framework — making CSF adoption a litigation hedge in that state.

If you're a defense contractor or handle federal Controlled Unclassified Information: NIST SP 800-171's 110 security controls are already contractually mandatory under DFARS clause 252.204-7012 — if you handle CUI and have a DoD contract, you're legally required to implement them and maintain a System Security Plan. The CMMC program (32 C.F.R. Part 170, final rule 2024) is making enforcement real: starting in 2025, DoD contracts will begin including CMMC requirements specifying what certification level bidders must achieve. Level 2 (most contractors with CUI) requires an assessment by a C3PAO (Certified Third-Party Assessment Organization) every 3 years. Implementation takes 12-18 months minimum — the most common gaps are access control (multi-factor authentication), audit and accountability (logging), and incident response (documented process). If you haven't started a gap assessment against SP 800-171's 110 controls, you're already behind for upcoming CMMC contract requirements.

If you're a board member or C-suite executive: The SEC's cyber disclosure rules specifically require boards to disclose their oversight role in cybersecurity risk management — meaning "the board reviews quarterly cyber reports" needs to be documented and accurate, not aspirational. CSF 2.0's new Govern function is the board's section of the framework: it addresses organizational context (what's the cybersecurity risk strategy, who's accountable), risk tolerance, and continuous improvement. A practical board-level cyber posture dashboard should map to the six CSF functions — not raw technical metrics, but outcomes: what percentage of critical assets are inventoried (Identify), what's the patch cadence (Protect), mean-time-to-detect for anomalies (Detect), tabletop exercise frequency (Respond), recovery time objective tested (Recover). Directors who can answer those questions at roughly the right order of magnitude have the oversight posture the SEC expects.

If you run a small business: NIST built a simplified version of the CSF specifically for you: the NIST Cybersecurity for Small Business guide (available at csrc.nist.gov/publications) distills the framework into accessible language and prioritized actions. The highest-ROI steps for most small businesses: (1) enable multi-factor authentication on email, banking, and cloud accounts — this single control stops the vast majority of credential-based attacks; (2) maintain offline or immutable backups of critical data, tested monthly (ransomware can't encrypt what it can't reach); (3) apply software updates and patches within 30 days of release; (4) train employees to recognize phishing — the starting point for 80%+ of ransomware incidents. CISA provides free cybersecurity assessments and resources for small businesses and critical infrastructure at cisa.gov/resources-tools. You don't need a full security team to achieve a defensible baseline — you need these four things done consistently.


State Variations

The NIST CSF is a federal voluntary standard, but states reference it:

  • Several states have enacted cybersecurity laws that reference or incorporate the NIST CSF (Ohio's safe harbor law provides legal protection for businesses that implement a recognized framework like the CSF)
  • New York's DFS Cybersecurity Regulation (23 NYCRR 500) for financial institutions aligns with NIST concepts
  • State data breach notification laws (all 50 states have them) create enforcement consequences that drive CSF adoption
  • State attorneys general increasingly evaluate cybersecurity practices against NIST standards in enforcement actions

Implementing Regulations

  • Note: The NIST Cybersecurity Framework (CSF) is a voluntary framework, not a regulation. However, multiple regulations reference or mandate its use for specific sectors or entity types:

  • 32 CFR Part 170 — Cybersecurity Maturity Model Certification (CMMC) Program: the DoD's mandatory cybersecurity certification program for defense contractors and subcontractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI); finalized November 2024 (89 FR 89052). CMMC makes NIST SP 800-171's controls contractually mandatory and auditable for the first time. Key provisions:

    • § 170.14 — CMMC Model (three levels): the CMMC Model incorporates security requirements from three sources: (1) 48 CFR 52.204-21 (basic safeguarding — 15 practices); (2) NIST SP 800-171 R2 (110 security requirements for protecting CUI — the full stack); and (3) NIST SP 800-172 (additional requirements for highest-risk programs — added on top of 800-171); the three levels (Level 1, 2, and 3) correspond to ascending security rigor and assessment intensity
    • § 170.15 — Level 1 (Foundational): applies to contractors handling Federal Contract Information (FCI) but not CUI; requires implementation of the 17 basic safeguarding practices from 48 CFR 52.204-21 (access control, media protection, password management, etc.); compliance is demonstrated through annual self-assessment and a senior official affirmation uploaded to SPRS (Supplier Performance Risk System); Level 1 is the minimum for any contractor in the DoD supply chain
    • §§ 170.16–170.17 — Level 2 (Advanced): applies to contractors handling Controlled Unclassified Information (CUI); requires implementation of all 110 security requirements from NIST SP 800-171 R2 across 17 security domains (access control, audit and accountability, configuration management, incident response, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, system and information integrity, and others); two pathways:
      • Level 2 Self-Assessment (§ 170.16): annual self-assessment and affirmation for programs where information is not subject to the highest risk — contractor assesses its own compliance and submits score to SPRS
      • Level 2 Certification Assessment (§ 170.17): for programs handling CUI at higher risk — third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization) every 3 years; C3PAOs must be accredited by the CMMC Accreditation Body (Cyber AB); the C3PAO assessment produces a certification that goes into SPRS
    • § 170.18 — Level 3 (Expert): applies to the highest-sensitivity programs handling CUI — requires Level 2 compliance plus additional enhanced requirements from NIST SP 800-172; assessment is conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) — government-led rather than third-party; Level 3 is reserved for companies supporting the most critical DoD programs and represents less than 1% of the contractor base
    • §§ 170.10–170.13 — Assessment ecosystem (CAICO, CCA, CCP): the CMMC Assessor and Instructor Certification Organization (CAICO) trains, tests, and certifies CMMC assessors; CMMC Certified Assessors (CCAs) conduct Level 2 certification assessments on behalf of C3PAOs; CMMC Certified Professionals (CCPs) provide pre-assessment consulting to defense contractors; the CAICO/CCA/CCP ecosystem was created to build a qualified assessor workforce before CMMC requirements appear in contracts

    CMMC implementation timeline: the final rule was effective December 16, 2024. DoD began including CMMC requirements in new contracts in 2025; phased implementation is expected to make CMMC requirements universal across DoD contracts by 2027. The DFARS clause 252.204-7021 (CMMC Requirements) will appear in solicitations and contracts specifying the required CMMC level. Contractors without the required certification level will be ineligible to compete. The compliance challenge is significant: NIST SP 800-171's 110 controls typically require $200,000–$2 million+ to implement fully for a small or medium defense contractor, and the L2 certification assessment adds additional cost and time. Gaps in access control (multi-factor authentication), audit logging, and incident response are the most common NIST 800-171 deficiencies among assessed contractors.

  • 6 CFR Part 27 — DHS Chemical Facility Anti-Terrorism Standards (CFATS), which reference NIST cybersecurity standards for chemical facilities' cybersecurity site security plans

  • 12 CFR Part 30 Appendix B — OCC heightened cybersecurity standards for large banks and federal thrifts, which align with the NIST CSF functions as a baseline for enterprise-wide risk management

  • Executive Order 13636 (2013) and subsequent executive orders (including EO 14028, 2021) direct federal agencies to use the NIST CSF and related NIST standards for federal information systems and critical infrastructure cybersecurity

Pending Legislation

Legislation to codify NIST CSF requirements for critical infrastructure has been proposed. See CISA Cybersecurity for related legislative activity in the 119th Congress.

Recent Developments

CSF 2.0 (February 2024) was the framework's most significant update — adding the Govern function (elevating cybersecurity governance to a core function), expanding applicability beyond critical infrastructure to all organizations, improving supply chain risk management guidance, and enhancing alignment with international standards. The CMMC program's final rule (2024) marked the transition from voluntary to mandatory NIST-based cybersecurity for the defense industrial base. The SEC's cyber disclosure rules (2023) drove publicly traded companies to formalize their cybersecurity governance and risk management — most referencing the CSF. Zero trust architecture (NIST SP 800-207) has become the primary cybersecurity paradigm for federal agencies, with mandates for implementation under Executive Order 14028 (2021).

  • Salt Typhoon and critical infrastructure cybersecurity (2024-2025): The Salt Typhoon Chinese state-sponsored cyber intrusion — which compromised major U.S. telecommunications carriers including AT&T and Verizon and accessed call records and communications of senior government officials — demonstrated the gap between NIST CSF adoption and actual security outcomes. CISA issued emergency guidance directing telecom carriers to implement NIST CSF controls, particularly in the Detect and Respond functions. Congress held multiple hearings on critical infrastructure cybersecurity failures; the incidents accelerated legislative interest in mandatory (not voluntary) cybersecurity standards for telecommunications and other critical sectors.
  • Trump cybersecurity executive order and DOGE tensions (2025): Trump's cybersecurity executive order (January 2025) directed agencies to accelerate zero trust implementation and improve visibility into federal networks — largely continuing the Biden-era EO 14028 priorities. However, DOGE's actions created cybersecurity paradoxes: DOGE's access to federal agency IT systems without normal security vetting (bypassing standard access controls) violated zero trust principles that NIST SP 800-207 mandates. CISA — which is responsible for monitoring federal network security — faced pressure from DOGE to grant access while its own frameworks require limiting privileged access.
  • CMMC implementation — defense contractor compliance: The Cybersecurity Maturity Model Certification (CMMC) program's final rule (November 2024) requires Department of Defense contractors to meet specific NIST SP 800-171 controls as a condition of federal contract award. CMMC Level 2 (handling Controlled Unclassified Information) requires third-party assessment by an accredited C3PAO (Certified Third-Party Assessment Organization). The supply chain security focus — assessing whether contractors' subcontractors also meet NIST standards — has created compliance pressure throughout the defense industrial base. Companies with current DoD contracts face compliance deadlines beginning in 2025-2026.
  • AI and cybersecurity framework evolution: NIST published its AI Risk Management Framework (AI RMF 1.0) in January 2023 and a companion Cybersecurity and Privacy profile in 2024. The intersection of AI security (securing AI systems from adversarial manipulation, data poisoning, and model theft) with traditional cybersecurity (protecting the infrastructure on which AI runs) is creating demand for integrated framework guidance. NIST's AI RMF "Govern" function mirrors the CSF 2.0 Govern addition — signaling that governance and accountability are the primary gaps in both cybersecurity and AI risk management across organizations.
