Overview
Direct Answer
The NIST Cybersecurity Framework is a voluntary, standards-based guidance document published by the US National Institute of Standards and Technology that provides organisations with a structured approach to identifying, assessing, and managing cybersecurity risk. It offers a common taxonomy and set of practices applicable across sectors and organisational sizes.
How It Works
The framework organises cybersecurity activities into five core functions—Identify, Protect, Detect, Respond, and Recover—each containing categories and subcategories that map to specific outcomes. Organisations assess their current state against these functions, establish a target profile reflecting their risk tolerance and business objectives, and execute an action plan to close gaps, often iterating across multiple maturity levels.
Why It Matters
Adoption reduces fragmentation in cybersecurity programme design, enables consistent risk communication across boards and stakeholders, and streamlines compliance mapping to regulatory requirements. Many government contractors and critical infrastructure operators face contractual or regulatory expectations to demonstrate alignment with the framework.
Common Applications
Financial institutions use it to structure governance and incident response protocols; healthcare organisations leverage it to manage patient data protection; manufacturing and energy sectors employ it to secure operational technology environments.
Key Considerations
The framework is guidance rather than prescriptive regulation, requiring organisations to interpret and contextualise its functions to their unique threat landscape and resources. Implementation depth and cost vary significantly depending on organisational maturity and sector-specific regulatory mandates.