Photo from NIST.

U.S. Federal Cybersecurity Compliance Part II

Cybersecurity Framework (CSF)

You can find Part I here.

If you are just getting started in Cybersecurity, regardless of your organization size, this is one of the first frameworks I would recommend to start with. It provides guidance and best practices for organizations to start understanding and managing their cybersecurity risk. It is also important to keep in mind that the CSF is designed to be used in conjunction with other cybersecurity frameworks, standards, and guidance. However, familiarizing yourself with it, is a great first step.

At the time of this writing, the Cybersecurity Framework version was 1.1. I have decided to go over the framework’s overview using the latest draft version 2.0, which is set to be published in early 2024.

There are three important components to keep in mind when using this framework:

Core functions

As NIST describes it, the core functions are a “set of cybersecurity outcomes.1 You can think of the outcomes as activities needed to be implemented within the organization, to fulfill any particular control(s). These outcomes will change depending on your organization and use cases.

NIST CSF 2.0 image

The following are the six core functions of the Cybersecurity Framework 2.0:

  • Govern (GV), function introduced in this new version
  • Identify (ID)
  • Protect (PR)
  • Detect (DE)
  • Respond (RS), and
  • Recover (RC)

The CSF functions image depicts them in the wheel shape, because they all relate to one another.


Profiles are mechanisms created to “understand, assess, prioritize, and tailor the sector- and technology-neutral Core outcomes based on an organization’s mission objectives, stakeholder expectations, threat environment, and requirements and leading practices…”1

The following are the two types of Profiles:

  • A Current Profile: think of this as the profile of where your organization currently stands.
  • A Target Profile: this is the profile you would want to use to set organizational goals and where you want to improve your organization’s cybersecurity posture.


Tiers are generally used to “capture an organization’s outcomes over a range…”1 Profiles and Tiers can be used to help evaluate the level or risk within your organization.

The following are the four tier ranges:

  • Partial (Tier 1)
  • Risk Informed (Tier 2)
  • Repeatable (Tier 3)
  • Adaptive (Tier 4)