What is the NIST Cybersecurity Framework?
The baseline every regulator, insurer, and auditor eventually maps to — and the cleanest way to answer the question "what should a small business actually be doing?"
The Short Version
The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology. CSF 2.0, released February 2024, is the current version. It isn't a law, and it doesn't impose requirements — but it has become the de facto baseline for US cybersecurity expectations.
Cyber insurers ask about it. Government contractors need to align with it. State privacy laws reference it as the standard for "reasonable security." If you want one framework to organize everything else around, this is it.
Who Uses NIST CSF?
- Federal contractors and subcontractors (required under FAR / DFARS)
- State and local government vendors
- Critical infrastructure operators (energy, water, healthcare, finance)
- Any business being vetted by enterprise customers — procurement teams ask about it
- Insurance applicants — cyber insurance underwriting increasingly maps to CSF
- Small businesses looking for a structured starting point
- Regulated industries using it as the umbrella over HIPAA / PCI / GLBA specifics
The Six Functions of CSF 2.0
CSF organizes cybersecurity work into six top-level functions. Everything rolls up under one of them:
- Govern: New in 2.0. Policies, roles, risk tolerance, legal and regulatory context, and supply chain management. The "someone is actually in charge" layer.
- Identify: Asset inventory, risk assessment, data classification. You can't protect what you don't know about.
- Protect: Access controls, encryption, training, patching, backup, secure configuration. The preventive layer.
- Detect: Monitoring, logging, alerting, anomaly detection. The "we'd know if something happened" layer.
- Respond: Incident response plan, communications, analysis, containment, and recovery planning. The "we know what to do when" layer.
- Recover: Recovery plan, improvements, coordination with stakeholders and insurers. The "back to business" layer.
Each function contains categories and subcategories — over 100 discrete outcomes in total. You don't need all of them. You need the ones your business size and risk profile demand.
How CSF Is Actually Used
- Current profile: What your organization does today across the six functions
- Target profile: Where you need to be, based on risk tolerance and obligations
- Gap analysis: The delta — the roadmap for what to build or improve
- Implementation tiers (1-4): Partial, Risk-Informed, Repeatable, Adaptive — a maturity scale
- Mapping: CSF maps to HIPAA, PCI, ISO 27001, CIS, SOC 2 — so the work you do for one framework counts for others
- Reporting: CSF gives executives a clean vocabulary to talk about cybersecurity without jargon
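As an added example (not Digital Armor's own tooling or anything from the original page), a minimal current-vs-target profile gap analysis in Python: the six function names and the 1-4 tier scale come from the page, while the risk weights and the two sample profiles are constructed for illustration.

```python
# Added example: CSF 2.0 profile gap analysis producing a prioritized roadmap.
# Function names and tier names are from CSF 2.0; weights and profiles are constructed.

CSF_FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}


def validate_profile(profile):
    """Every CSF function must be present with an implementation tier in 1..4."""
    missing = set(CSF_FUNCTIONS) - set(profile)
    if missing:
        raise ValueError(f"profile missing functions: {sorted(missing)}")
    for fn, tier in profile.items():
        if fn not in CSF_FUNCTIONS:
            raise ValueError(f"unknown CSF function: {fn}")
        if tier not in TIERS:
            raise ValueError(f"{fn}: tier must be 1-4, got {tier!r}")


def gap_analysis(current, target, risk_weight=None):
    """Return roadmap items, highest priority first.

    priority = (target tier - current tier) * risk weight of the function.
    Functions already at or above their target tier are omitted.
    """
    validate_profile(current)
    validate_profile(target)
    weights = risk_weight or {}
    items = []
    for fn in CSF_FUNCTIONS:
        gap = target[fn] - current[fn]
        if gap <= 0:
            continue
        items.append({
            "function": fn,
            "from": TIERS[current[fn]],
            "to": TIERS[target[fn]],
            "priority": gap * weights.get(fn, 1),  # unweighted functions count 1x
        })
    # Largest weighted gap first; ties keep CSF function order (sort is stable).
    items.sort(key=lambda item: -item["priority"])
    return items


# Constructed sample: a small business with some tools but little process.
CURRENT_PROFILE = {"Govern": 1, "Identify": 1, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 1}
TARGET_PROFILE = {"Govern": 2, "Identify": 2, "Protect": 3, "Detect": 2, "Respond": 3, "Recover": 3}
# Constructed weights: a ransomware-driven risk tolerance favors Respond/Recover.
RISK_WEIGHT = {"Respond": 3, "Recover": 3, "Protect": 2, "Detect": 2}

if __name__ == "__main__":
    for item in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHT):
        print(f"{item['function']:<9} {item['from']} -> {item['to']}  priority={item['priority']}")
```

Running it lists Respond and Recover first (two-tier gaps, weight 3), then Protect and Detect, then Govern and Identify.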
Why Not "Just Buy Security Tools"?
Most small businesses have antivirus, a firewall, and maybe MFA — and assume that's cybersecurity. CSF exposes what's missing:
- No Govern: No written policy, no designated owner, no risk register
- No Identify: No asset inventory, no data map, no vendor list
- Partial Protect: Antivirus yes, but no patching discipline, no backup verification, no access reviews
- No Detect: No log aggregation, no alerting, no one watching
- No Respond: No incident response plan, no contact list, no tabletop exercise
- No Recover: No tested restore, no communication plan for customers and insurers
A $40,000 ransomware incident at a 15-person business isn't rare — it's typical. The businesses that survive it are the ones with work done across all six functions, not just one.
How Digital Armor Helps
We use CSF as our organizing framework for every client engagement:
- Current profile assessment — where you are across the six functions
- Target profile aligned to your industry and regulatory obligations
- Prioritized roadmap — fix the highest-risk gaps first
- Govern layer — policies, responsibilities, risk register
- Identify — asset inventory, data map, vendor list maintained
- Protect — access controls, MFA, encryption, patching, backup
- Detect — logging, monitoring, alerting tuned for small business
- Respond — written incident response plan, tabletop exercises
- Recover — tested restore procedures, communications playbook
- Annual reassessment and roadmap update
Where Does Your Business Actually Sit on CSF?
We'll do a real assessment — not a spreadsheet, not a questionnaire. Actual review of systems, processes, and gaps mapped to CSF 2.0. You'll leave knowing exactly where you stand and what comes next.