Download free policy and standard templates for the NIST CSF 2.0 Protect Core Function, which focuses on proactive safeguards designed to limit or contain the impact of potential cybersecurity events.
The Protect Function defines the safeguards needed to manage an organization’s cybersecurity risks. After assets and risks have been identified and prioritized, this function focuses on securing those assets to reduce the likelihood and impact of adverse cybersecurity events while enhancing opportunities for success. Key outcomes of the Protect Function include identity management, authentication, and access control; security awareness and training; data protection; platform security (securing hardware, software, and services for both physical and virtual platforms); and the resilience of technology infrastructure. The Protect Function consists of Categories. These Categories break the Function down into more specific outcomes and activities, giving organizations a structured approach to managing and implementing cybersecurity practices.
The following policy and standard templates help ensure that the NIST CSF Protect categories are adequately addressed, including Identity Management, Authentication, and Access Control; Awareness and Training; Data Security; Platform Security; and Technology Infrastructure Resilience:
- 802.11 Wireless Network Security Standard
- Access Control Policy
- Account Management Access Control Standard
- Authentication Tokens Standard
- Encryption Standard
- Identification and Authentication Policy
- Information Classification Standard
- Media Protection Policy
- Mobile Device Security Standard
- Patch Management Standard
- Physical and Environmental Protection Policy
- Remote Access Standard
- Sanitization and Secure Disposal Standard
- Security Awareness and Training Policy
- System and Communications Protection Policy
- System and Information Integrity Policy
- Secure Coding Standard
Visit Template Instructions for help completing these templates and the Implementation Guide for tips on how to implement these policies and standards once the templates are completed.
- Description: The 802.11 Wireless Network Security Standard establishes controls for 802.11 wireless networks in order to minimize risks to the confidentiality, integrity, and availability of information and to support secure access to resources and services over wireless networks.
- Document Link: 80211-Wireless-Network-Security-Standard.docx
- Primary NIST CSF 2.0 Category: Technology Infrastructure Resilience
- Description: The Access Control Policy ensures that access controls are implemented and in compliance with IT security policies, standards, and procedures.
- Document Link: Access-Control-Policy.docx
- Primary NIST CSF 2.0 Category: Identity Management, Authentication, and Access Control
- Description: The Account Management Access Control Standard establishes the rules and processes for creating, maintaining, and controlling a digital identity’s access to an entity’s applications and resources as a means of protecting the entity’s systems and information.
- Document Link: Account-Management-Access-Control-Standard.docx
- Primary NIST CSF 2.0 Category: Identity Management, Authentication, and Access Control
- Description: The Authentication Tokens Standard lists the authentication tokens that may be used with systems developed or operated by the entity that require authenticated access, according to the required Authenticator Assurance Level. It also provides the requirements for managing those authentication devices.
- Document Link: Authentication-Tokens-Standard.docx
- Primary NIST CSF 2.0 Category: Identity Management, Authentication, and Access Control
- Description: The Encryption Standard defines the organizational use of encryption. Encryption is a cryptographic operation that is used to enhance security and protect the electronic data (“data”) by transforming readable information (“plaintext”) into unintelligible information (“ciphertext”). Encryption is an effective tool in mitigating the threat of unauthorized access to data.
- Document Link: Encryption-Standard.docx
- Primary NIST CSF 2.0 Category: Data Security
- Description: The Identification and Authentication Policy ensures that only properly identified and authenticated users and devices are granted access to Information Technology resources in compliance with IT security policies, standards, and procedures.
- Document Link: Identification-and-Authentication-Policy.docx
- Primary NIST CSF 2.0 Category: Identity Management, Authentication, and Access Control
- Description: The Information Classification Standard outlines a classification process and provides procedures for classifying information in a manner that uniformly protects information entrusted to the entity.
- Document Link: Information-Classification-Standard.docx
- Primary NIST CSF 2.0 Category: Data Security
- Description: The Media Protection Policy ensures that Information Technology (IT) controls access to and disposes of media resources in compliance with IT security policies, standards, and procedures.
- Document Link: Media-Protection-Policy.docx
- Primary NIST CSF 2.0 Category: Data Security
- Description: The Mobile Device Security Standard outlines the additional protections required for the use of mobile devices. Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices that are only used within an entity’s facilities and on the entity’s networks.
- Document Link: Mobile-Device-Security.docx
- Primary NIST CSF 2.0 Category: Platform Security
- Description: The Patch Management Standard outlines how to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. By applying security-related software or firmware updates (patches) to applicable IT systems, the expected result is less time and money spent dealing with exploits, because the related vulnerability is reduced or eliminated.
- Document Link: Patch-Management-Standard.docx
- Primary NIST CSF 2.0 Category: Platform Security
- Description: The Physical and Environmental Protection Policy ensures that Information Technology resources are protected by physical and environmental security measures that prevent physical tampering, damage, theft, or unauthorized physical access.
- Document Link: Physical-and-Environmental-Protection-Policy.docx
- Primary NIST CSF 2.0 Category: Awareness and Training
- Description: The Remote Access Standard establishes authorized methods for remotely accessing resources and services securely.
- Document Link: Remote-Access-Standard.docx
- Primary NIST CSF 2.0 Category: Identity Management, Authentication, and Access Control
- Description: The Sanitization and Secure Disposal Standard outlines the media that require special disposition and how that media will be disposed of, in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality.
- Document Link: Sanitization-Secure-Disposal-Standard.docx
- Primary NIST CSF 2.0 Category: Data Security
- Description: The Security Awareness and Training Policy ensures that the appropriate level of information security awareness training is provided to all Information Technology users.
- Document Link: Security-Awareness-and-Training-Policy.docx
- Primary NIST CSF 2.0 Category: Awareness and Training
- Description: The System and Communications Protection Policy establishes guidelines for system and communications protection for Information Technology (IT) resources and information systems.
- Document Link: System-and-Communications-Protection-Policy.docx
- Primary NIST CSF 2.0 Category: Platform Security
- Description: The System and Information Integrity Policy ensures that Information Technology resources and information systems are established with system integrity monitoring, including areas of concern such as malware, application and source code flaws, industry-supplied alerts, and remediation of detected or disclosed integrity issues.
- Document Link: System-and-Information-Integrity-Policy.docx
- Primary NIST CSF 2.0 Category: Data Security
- Description: The Secure Coding Standard ensures that code is written to be resilient to high-risk threats and to avoid the most common coding errors that create serious vulnerabilities in software. While it is impossible to write code that is completely impervious to all possible attacks, applying these coding standards across information systems will significantly reduce the risk of disclosure, alteration, or destruction of information due to software vulnerabilities.
- Document Link: Secure-Coding-Standard.docx
- Primary NIST CSF 2.0 Category: Platform Security
The Protect Categories are designed to establish proactive measures that reduce the likelihood of a cybersecurity incident and mitigate potential impact. Key components include access control, data security, awareness and training, and protective technologies to ensure that both technical and organizational safeguards are in place. By strengthening these Categories, organizations can implement robust defenses that prevent unauthorized access, reduce vulnerabilities, and protect sensitive data from both internal and external threats. A list and description of each specific Protect Category can be found below:
- Identity Management, Authentication, and Access Control
  - Description: Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access.
  - NIST CSF 2.0 Identifier: PR.AA
- Awareness and Training
  - Description: The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks.
  - NIST CSF 2.0 Identifier: PR.AT
- Data Security
  - Description: Data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  - NIST CSF 2.0 Identifier: PR.DS
- Platform Security
  - Description: The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability.
  - NIST CSF 2.0 Identifier: PR.PS
- Technology Infrastructure Resilience
  - Description: Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience.
  - NIST CSF 2.0 Identifier: PR.IR
- Access Control: Manage who has access to systems and data, ensuring the principle of least privilege.
- Data Security: Implement measures to protect data at rest and in transit, such as encryption and tokenization.
- Awareness and Training: Conduct regular training to ensure employees understand cybersecurity risks and best practices.
- Protective Technology: Deploy technologies such as firewalls, intrusion detection systems, and endpoint protection.