What are the NIST CSF Core Functions?

The NIST CSF Core Functions are the six top-level activities of the NIST Cybersecurity Framework 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. They organize a complete cybersecurity program at the highest level, breaking down into 22 categories and 106 subcategories of specific outcomes.

The functions give organizations a common language for cybersecurity. Govern (added in CSF 2.0, released February 2024) sets strategy, roles, and risk-management expectations; Identify builds understanding of assets and risks; Protect implements safeguards; Detect finds events; Respond contains incidents; and Recover restores operations. They are not sequential phases but concurrent, continuous activities you maintain at all times.

For example, a managed service provider might use the six functions to structure its whole security program — mapping each control it already runs (MFA, logging, incident response, backups) to a CSF subcategory — then using a Profile to show current versus target maturity to clients and insurers. Because CSF 2.0 is outcome-based and framework-agnostic, it maps cleanly onto ISO 27001, SOC 2, and other regimes.

A CSF toolkit with policies and a Profile/assessment workbook covering all 106 subcategories lets you document the program against the functions quickly rather than authoring everything from scratch. The templates speed up documentation; they do not make you secure or "CSF-compliant" on their own — the framework is voluntary guidance, so the value comes from actually implementing and assessing the controls.

Related terms: AI Risk Management · Security Control · Risk Assessment · Gap Analysis

Frequently asked questions

How many functions does the NIST CSF have, and did that change in version 2.0?
CSF 2.0 has six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Version 1.1 had five — the Govern function was added in CSF 2.0 (released February 2024) to emphasize cybersecurity governance and risk-management strategy.

Can you get certified against the NIST Cybersecurity Framework?
No. The NIST CSF is voluntary guidance with no formal certification body. You can self-assess your maturity, build Profiles, and use it to organize your program, but unlike ISO 27001 there is no accredited certificate to earn for CSF itself.

How does the CSF relate to ISO 27001 or SOC 2?
The CSF is a higher-level, outcome-focused framework that maps onto control frameworks like ISO 27001 Annex A and the SOC 2 Trust Services Criteria. Many organizations use the CSF functions to structure their program and then satisfy ISO or SOC 2 controls underneath.

Toolkits that cover NIST CSF Core Functions

NIST CSF 2.0

NIST CSF 2.0 Complete Toolkit

15 editable policies and plans covering all six CSF 2.0 functions, plus a Profile & Assessment workbook with every one of the 106 subcategories, a risk register, and an audit evidence checklist.

Price: $79 (30% off with code)

ISO/IEC 27001:2022

ISO 27001 Policy Pack — Core

16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.

Price: $59 (30% off with code)

SOC 2 Trust Services Criteria

SOC 2 Policy Pack — Core

15 editable SOC 2 policies mapped to the Trust Services Criteria — the document set your auditor asks for first.

Price: $59 (30% off with code)

Learn more in our NIST CSF 2.0 guide, explore the editable policy templates, or browse the full compliance glossary.

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.