Overview
Direct Answer
The NIST Cybersecurity Framework is a voluntary, standards-based guidance document published by the US National Institute of Standards and Technology that provides organisations with a structured approach to identifying, assessing, and managing cybersecurity risk. It offers a common taxonomy and set of practices applicable across sectors and organisational sizes.
How It Works
The framework organises cybersecurity activities into five core functions—Identify, Protect, Detect, Respond, and Recover—each containing categories and subcategories that map to specific outcomes. Organisations assess their current state against these functions, establish a target profile reflecting their risk tolerance and business objectives, and execute an action plan to close gaps, often iterating across multiple maturity levels.
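One way to carry out the current-versus-target profile gap analysis described above, as an added Python example that is not part of the original page or of NIST's own material: the subcategory identifiers are real CSF 1.1 ones, while the 0..4 scoring scale and the sample scores are constructed assumptions.

```python
from dataclasses import dataclass

# Core functions keyed by the prefix of a CSF subcategory identifier.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
SCALE = range(0, 5)  # constructed 0..4 implementation scale, not NIST's tiers

@dataclass(frozen=True)
class Outcome:
    subcategory: str  # real CSF 1.1 identifier, e.g. "PR.AC-1"
    current: int      # score from the current-state assessment
    target: int       # score the target profile requires

    def __post_init__(self):
        if self.subcategory.split(".", 1)[0] not in FUNCTIONS:
            raise ValueError(f"unknown function prefix: {self.subcategory}")
        if self.current not in SCALE or self.target not in SCALE:
            raise ValueError(f"scores must be 0..4: {self.subcategory}")

    @property
    def function(self) -> str:
        return FUNCTIONS[self.subcategory.split(".", 1)[0]]

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)  # exceeding target is no gap

def gap_by_function(outcomes):
    """Total shortfall per core function (zero where the function has no gap)."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for o in outcomes:
        totals[o.function] += o.gap
    return totals

def prioritised(outcomes):
    """Outcomes with a gap, largest shortfall first, ties broken by identifier."""
    return sorted((o for o in outcomes if o.gap),
                  key=lambda o: (-o.gap, o.subcategory))

# Constructed sample profile: the scores are invented for illustration.
SAMPLE = [
    Outcome("ID.AM-1", current=3, target=4),  # physical device inventory
    Outcome("ID.AM-2", current=1, target=4),  # software platform inventory
    Outcome("PR.AC-1", current=2, target=4),  # identity and credential management
    Outcome("PR.DS-1", current=4, target=3),  # data-at-rest protection; exceeds target
    Outcome("DE.CM-1", current=0, target=3),  # network monitoring
    Outcome("RS.RP-1", current=2, target=3),  # response plan execution
    Outcome("RC.RP-1", current=1, target=3),  # recovery plan execution
]
```

The per-function totals feed board-level reporting, while the prioritised list is the starting point for the action plan; replacing SAMPLE with an organisation's own assessed scores is the only change needed.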
Why It Matters
Adoption reduces fragmentation in cybersecurity programme design, enables consistent risk communication across boards and stakeholders, and streamlines compliance mapping to regulatory requirements. Many government contractors and critical infrastructure operators face contractual or regulatory expectations to demonstrate alignment with the framework.
Common Applications
Financial institutions use it to structure governance and incident response protocols; healthcare organisations leverage it to manage patient data protection; manufacturing and energy sectors employ it to secure operational technology environments.
Key Considerations
The framework is guidance rather than prescriptive regulation, requiring organisations to interpret and contextualise its functions to their unique threat landscape and resources. Implementation depth and cost vary significantly depending on organisational maturity and sector-specific regulatory mandates.