NIST Cybersecurity Framework 2.0: A Practical Guide for Certification Exams
Understand the NIST CSF 2.0 framework, its six core functions, implementation tiers, and how it appears on CISSP, Security+, CISM, and other certification exams.
What Is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) is a voluntary guidance document published by the National Institute of Standards and Technology that helps organizations of all sizes manage and reduce cybersecurity risk. Originally released in 2014 following Executive Order 13636, the framework was significantly updated with Version 2.0 in February 2024.
NIST CSF is the most widely adopted cybersecurity framework in the United States and is increasingly used internationally. Understanding it is essential for multiple certification exams.
CSF 2.0: What Changed
The major update in version 2.0 added a sixth core function — Govern — and expanded the framework's scope beyond critical infrastructure to all organizations. Key changes include:
New Govern function: Establishes cybersecurity as an enterprise risk, not just a technical issue
Expanded scope: Now explicitly designed for all organizations, not just critical infrastructure
Improved guidance: Better integration with other frameworks (ISO 27001, CIS Controls, COBIT)
Supply chain focus: Enhanced supply chain risk management throughout the framework
The Six Core Functions
1. GOVERN (GV) — New in 2.0
Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policies. Govern is the foundation that informs all other functions.
Key activities: Organizational context, risk management strategy, cybersecurity supply chain risk management, roles and responsibilities, policies, oversight
Exam relevance: CISM (Domain 1: Governance), CISSP (Domain 1: Security & Risk Management)
2. IDENTIFY (ID)
Understand the organization's current cybersecurity risks by identifying assets, vulnerabilities, threats, and the business environment.
Key activities: Asset management, risk assessment, improvement planning
Exam relevance: CISSP (Domain 1), CISM (Domain 2: Risk Management), Security+ (Domain 5: Governance)
3. PROTECT (PR)
Implement safeguards to ensure delivery of critical services and limit the impact of potential cybersecurity events.
Key activities: Identity management & access control, awareness training, data security, platform security, technology infrastructure resilience
Exam relevance: CISSP (Domains 3, 5, 8), Security+ (Domains 2, 3), CySA+
4. DETECT (DE)
Develop and implement activities to identify cybersecurity events in a timely manner.
Key activities: Continuous monitoring, adverse event analysis
Exam relevance: CySA+ (primary focus), CISSP (Domain 6), Security+ (Domain 4)
5. RESPOND (RS)
Develop and implement activities to take action regarding a detected cybersecurity event.
Key activities: Incident management, incident analysis, incident response reporting, mitigation
Exam relevance: CISSP (Domain 7), CISM (Domain 4: Incident Management), GCIH
6. RECOVER (RC)
Develop and implement activities to maintain resilience and restore any capabilities impaired by a cybersecurity event.
Key activities: Incident recovery plan execution, communication
Exam relevance: CISSP (Domain 7: BCP/DRP), CISM (Domain 4)
Implementation Tiers
NIST CSF defines four implementation tiers that describe the degree of rigor in an organization's cybersecurity practices:
Tier 1 — Partial: Ad hoc, reactive risk management. No formal processes.
Tier 2 — Risk Informed: Risk management practices are approved by management but are not established as organization-wide policy.
Tier 3 — Repeatable: Formal, organization-wide risk management policies. Regularly updated.
Tier 4 — Adaptive: Organization adapts practices based on lessons learned and continuous improvement.
Exam tip: Tiers are not maturity levels. NIST explicitly states there is no requirement to reach Tier 4. Organizations should target the tier that meets their risk tolerance and business needs.
Framework Profiles
A Framework Profile represents how an organization aligns its cybersecurity activities with its business requirements, risk tolerance, and resources. Two types:
Current Profile: Where the organization is now
Target Profile: Where the organization wants to be
Gap analysis between current and target profiles drives security improvement planning.
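As an added illustration (not from the article or from NIST), the following Python models a Current and a Target Profile and produces the prioritized gap list described above. It assumes, as a simplification, that the organization rates each of the six functions on the 1–4 tier scale, although NIST applies tiers to the organization as a whole; the profile values are constructed.

```python
# Added example: gap analysis between a Current and a Target Profile.
# Assumption: each CSF 2.0 function is rated on the 1-4 tier scale (NIST
# applies tiers organization-wide; per-function scores are a simplification).

FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")   # CSF 2.0 order
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


def validate_profile(profile):
    """Every function must be present with a tier value of 1..4."""
    missing = [fn for fn in FUNCTIONS if fn not in profile]
    if missing:
        raise ValueError(f"profile missing functions: {missing}")
    bad = {fn: t for fn, t in profile.items() if t not in TIERS}
    if bad:
        raise ValueError(f"invalid tier values: {bad}")
    return profile


def gap_analysis(current, target):
    """Return (function, current_tier, target_tier, gap) for every function
    whose Target Profile exceeds its Current Profile, largest gap first.

    Functions already at or above target are omitted: the target is set by
    risk tolerance and business need, so reaching Tier 4 is never implied.
    Ties are broken by function order, so Govern (which informs the other
    functions) is listed before the rest.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for fn in FUNCTIONS:
        gap = target[fn] - current[fn]
        if gap > 0:
            gaps.append((fn, current[fn], target[fn], gap))
    return sorted(gaps, key=lambda g: (-g[3], FUNCTIONS.index(g[0])))


def format_plan(gaps):
    """Render the gap list as improvement-plan lines."""
    return [f"{fn}: Tier {cur} ({TIERS[cur]}) -> Tier {tgt} ({TIERS[tgt]}), gap {gap}"
            for fn, cur, tgt, gap in gaps]


# Constructed sample profiles (not real assessment data).
CURRENT_PROFILE = {"GV": 1, "ID": 2, "PR": 3, "DE": 2, "RS": 2, "RC": 1}
TARGET_PROFILE = {"GV": 3, "ID": 3, "PR": 3, "DE": 3, "RS": 3, "RC": 2}

if __name__ == "__main__":
    for line in format_plan(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)):
        print(line)
```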
NIST CSF on Certification Exams
CISSP
NIST CSF appears primarily in Domain 1 (Security & Risk Management). Questions test understanding of the framework structure, its relationship to risk management, and how it integrates with other standards. Know the six functions, tiers, and profiles.
Security+
The SY0-701 exam references NIST CSF in Domain 5 (Security Program Management & Oversight). Expect questions on identifying which function applies to a given scenario.
CISM
CISM heavily tests governance and risk frameworks. NIST CSF is a key framework alongside ISO 27001 and COBIT. Questions focus on how to use CSF to build and manage security programs.
CISA
CISA tests NIST CSF from an audit perspective — how to evaluate an organization's security program against the framework.
Study Tips for NIST CSF Questions
1. Memorize the six functions and their order: Govern, Identify, Protect, Detect, Respond, Recover
2. Understand the purpose of each function — not just definitions but how they relate to each other
3. Know the difference between tiers and maturity levels — exams often test this distinction
4. Practice mapping scenarios to functions: "An analyst reviews firewall logs" = Detect. "The CISO reports cyber risk to the board" = Govern.
5. Remember CSF is voluntary — it's a framework for guidance, not a regulatory requirement (unless contractually required)
Practice NIST CSF Questions
CyberCertPrep includes NIST CSF questions across CISSP, Security+, CISM, and CISA practice exams. Test your ability to map real-world scenarios to the correct CSF functions.
Michael Torres
CISA, CRISC, ISO 27001 Lead Auditor
Michael is a GRC consultant specializing in compliance frameworks and risk management. He has conducted 50+ ISO 27001 audits and writes about governance, risk, and certification preparation.