What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) was first published in February 2014 by the US National Institute of Standards and Technology in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity. CSF 2.0, released in February 2024, is the first major revision since version 1.1 (2018) and the most significant change since the framework's launch: it broadens the intended audience from critical infrastructure operators to organisations of any size, sector, or maturity level, and adds a sixth function, Govern, alongside the original five.
NIST CSF 2.0 Functions
- Govern — (New in 2.0) Establishing, communicating, and monitoring the organisation's cybersecurity risk management strategy, expectations, and policy.
- Identify — Understanding the organisation's assets, suppliers, and current cybersecurity risks.
- Protect — Using safeguards to manage the organisation's cybersecurity risks (the CSF 1.1 wording, "ensure delivery of critical services", was dropped in 2.0).
- Detect — Finding and analysing possible cybersecurity attacks and compromises.
- Respond — Taking action regarding a detected cybersecurity incident.
- Recover — Restoring assets and operations affected by a cybersecurity incident.
Govern is deliberately cross-cutting: the outcomes under it inform how the other five functions are prioritised and resourced. Each function is broken down into Categories and Subcategories (outcome statements), which is the level at which organisations build Profiles and map to other control sets.
Who Benefits from NIST CSF Alignment?
- US federal contractors and suppliers to US government agencies
- Organisations pursuing CMMC (Cybersecurity Maturity Model Certification). Note that CMMC assesses against NIST SP 800-171 practices rather than the CSF itself, so CSF alignment complements a CMMC programme but does not satisfy it.
- Multinationals seeking a universal cybersecurity baseline
- Organisations using NIST CSF as the basis for board-level cybersecurity reporting
- Companies that need NIST alignment alongside ISO 27001 or SOC 2
NIST CSF and ISO 27001
NIST CSF and ISO 27001 share significant conceptual overlap but serve different purposes. NIST CSF is a voluntary risk management framework: it describes outcomes, not prescribed controls, and there is no certification against it. ISO 27001 is a certifiable management system standard: an accredited auditor verifies that the ISMS and its Statement of Applicability are in place and operating. The two fit together naturally because CSF Subcategories are outcome statements that ISO 27001 Annex A controls can implement, and NIST's own informative references for CSF 2.0 include a mapping to ISO/IEC 27001:2022. BALTUM provides integrated assessments that map your NIST CSF profile to ISO 27001 Annex A controls, enabling a single implementation effort that satisfies both frameworks.