NIST Cyber Security Framework

NIST CSF core functions: Protect

Greg Belding
January 2, 2020 by
Greg Belding


The National Institute of Standards and Technology’s Cybersecurity Framework, or NIST CSF, was first published in 2014 to provide guidance for organizational cybersecurity defenses and risk management. This framework is renowned for its inherent flexibility and open-endedness to account for different organizational needs. 

At its center, NIST CSF comprises five core functions. This article will detail the second of these functions, Protect, and explore the Framework’s five core functions, what the Protect function is and the outcome categories and subcategory activities of this function.

What is the NIST CSF framework core?

The framework core is a set of recommended activities designed to achieve certain cybersecurity outcomes and serves as guidance, not intended to serve as a checklist. The core is composed of five functions that work together to achieve the outcomes mentioned above. These elements are:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

What is the Protect function?

NIST defines the purpose of the Protect function as “(to) develop and implement appropriate safeguards to ensure delivery of critical services.” Just as many experts have made the analogy that the previous function, Identify, was the foundation of the CSF core framework functions, the Protect function can be thought of as framing the rest of the functions yet to come.

Outcome categories and subcategory activities

Each Framework function is composed of outcome categories that describe the kinds of processes and tasks organizations should carry out for that Framework level. The Protect function contains six outcome categories, each of which in turn contains subcategory activities.

Identity Management, Authentication and Access Control

This category is defined as “access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.”

Subcategory activities

  • Credentials and identities are issued, verified, managed, audited and revoked for authorized devices, processes and users
  • Access (physical) to assets is protected and managed
  • Remote access is managed
  • Access authorizations and permissions are managed while incorporating principles of separation of duties and least privilege
  • Organization network integrity is protected
  • Identities are asserted, proofed and bound to credentials in interactions
  • Devices, users and other organization assets are authenticated commensurate with the relative risk of the transaction

Awareness and Training

NIST defines this category as “the organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.”

Subcategory activities

  • All users within the organization are informed and trained
  • Privileged users understand their respective responsibilities and roles
  • Third-party stakeholders understand their respective responsibilities and roles
  • Senior executives understand their respective responsibilities and roles
  • Cybersecurity and physical personnel understand their respective responsibilities and roles

Data Security

NIST defines this category as “information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.”

Subcategory activities

  • Data-at-rest is protected
  • Data-in-transit is protected
  • Assets are formally managed during transfers, removal and disposition
  • Sufficient capacity ensuring availability is maintained
  • Data leak protections are implemented
  • Mechanisms for checking integrity are used to verify information, software and firmware integrity
  • Environments are separate for development/testing and production environments
  • Integrity checking mechanisms very hardware integrity

Information Protection Processes and Procedures

NIST defines this category as “security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.”

Subcategory activities

  • An IT/ICS configuration baseline is created and maintained which incorporates applicable security principles (such as concept of least functionality)
  • System development life cycle is implemented to manage systems
  • Change control configuration processes are in place
  • Information backups are conducted, tested and maintained
  • Regulations and policy concerning the organizational asset physical operating environment are met
  • Data destruction is performed according to policy
  • Protection processes are improved
  • Protection technology effectiveness is shared
  • Recovery and response plans are implemented and managed
  • Recovery and response plans are tested
  • Human resource practices include cybersecurity (for example: personnel screening, deprovisioning)
  • A plan for vulnerability management is developed and implemented


NIST defines this category as “maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.”

Subcategory activities

  • Repair and maintenance of assets are both performed and logged, with controlled and approved tools
  • Remote asset maintenance is approved, performed and logged in a way that prevents unauthorized access

Protective Technology

NIST defines this category as “technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.”

Subcategory activities

  • Log/audit records are ascertained, implemented, documented and reviewed according to policy
  • Removable media is protected with restricted usage in accordance with policy
  • The least functionality principle is incorporated into information systems by configuring these systems to use only essential capabilities
  • Control networks and communications are protected
  • Resilience mechanisms, for both normal and adverse situations, are implemented to achieve respective resilience requirements for each type of situation


The Protect core framework function is the second function listed in the NIST CSF. This function serves as a frame for the remaining functions, similar to how the Identify function served as the foundation. By applying these outcome categories (and related subcategories) to your organization’s risk management posture, your organization will be well-positioned to execute the remaining functions of the NIST CSF. 

Get NIST CSF training

Get NIST CSF training

Build your understanding of the NIST Cyber Security Framework with seven courses taught by Ross Casanova.



  1. Framework for Improving Critical Infrastructure Cybersecurity, NIST
  2. NIST Cybersecurity Framework Series Part 2: Protect, Trend Micro
  3. The NIST Cybersecurity Framework – The Protect Function, Compass IT Compliance
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.