Protect
Download free policy and standard templates for the Protect Core Function, which focuses on proactive safeguards designed to limit or contain the impact of potential cybersecurity events.
The Protect Function defines the safeguards needed to manage an organization’s cybersecurity risks. After assets and risks have been identified and prioritized, this function focuses on securing those assets to reduce the likelihood and impact of adverse cybersecurity events. Key outcomes of the Protect Function include identity management, authentication, and access control; security awareness and training; data protection; platform security (securing the hardware, software, and services of both physical and virtual platforms); and the resilience of technology infrastructure. The Protect Function is made up of . These Categories break the Function down into more specific outcomes and activities, giving organizations a structured approach to managing and implementing cybersecurity practices.
The following policy and standard templates help ensure that the NIST CSF Protect categories are adequately addressed, including ; ; ; ; and :
Description: The 802.11 Wireless Network Security Standard establishes controls for 802.11 wireless networks in order to minimize risks to the confidentiality, integrity and availability of information and to support secure access to resources and services over wireless networks.
Description: The Access Control Policy ensures that access controls are implemented and in compliance with IT security policies, standards, and procedures.
Description: The Account Management Access Control Standard establishes the rules and processes for creating, maintaining, and controlling the access of a digital identity to an entity’s applications and resources, as a means of protecting the entity’s systems and information.
Description: The Authentication Tokens Standard lists the authentication tokens that may be used with developed or operated systems that require authenticated access, depending on the required Authenticator Assurance Level. This document also provides the requirements for managing those authentication devices.
Description: The Encryption Standard defines the organizational use of encryption. Encryption is a cryptographic operation that is used to enhance security and protect the electronic data (“data”) by transforming readable information (“plaintext”) into unintelligible information (“ciphertext”). Encryption is an effective tool in mitigating the threat of unauthorized access to data.
Description: The Identification and Authentication Policy ensures that only properly identified and authenticated users and devices are granted access to Information Technology resources in compliance with IT security policies, standards, and procedures.
Description: The Information Classification Standard outlines a classification process and provides procedures for classifying information in a manner that uniformly protects information entrusted to the entity.
Description: The Media Protection Policy ensures that Information Technology (IT) controls access to and disposes of media resources in compliance with IT security policies, standards, and procedures.
Description: The Mobile Device Security Standard outlines the additional protections required for the use of mobile devices. Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices that are only used within an entity’s facilities and on the entity’s networks.
Description: The Patch Management Standard outlines how to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. By applying security-related software or firmware updates (patches) to applicable IT systems, the organization reduces or eliminates the related vulnerability and, as a result, the time and money spent dealing with exploits.
Description: The Physical and Environmental Protection Policy ensures that Information Technology resources are protected by physical and environmental security measures that prevent physical tampering, damage, theft, or unauthorized physical access.
Description: The Remote Access Standard establishes authorized methods for remotely accessing resources and services securely.
Description: The Sanitization and Secure Disposal Standard outlines which media require special disposition and how that media will be disposed of, in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality.
Description: The Security Awareness and Training Policy ensures that the appropriate level of information security awareness training is provided to all Information Technology users.
Description: The System and Communications Protection Policy establishes guidelines for system and communications protection for Information Technology (IT) resources and information systems.
Description: The System and Information Integrity Policy ensures that Information Technology resources and information systems are established with system integrity monitoring covering areas of concern such as malware, application and source code flaws, industry-supplied alerts, and the remediation of detected or disclosed integrity issues.
Description: The Secure Coding Standard ensures that written code is resilient to high-risk threats and avoids the most common coding errors that create serious vulnerabilities in software. While it is impossible to write code that is completely impervious to all possible attacks, implementing these coding standards throughout information systems will significantly reduce the risk of disclosure, alteration, or destruction of information due to software vulnerabilities.
The Protect Categories are designed to establish proactive measures that reduce the likelihood of a cybersecurity incident and mitigate its potential impact. Key components include access control, data security, awareness and training, and protective technologies, ensuring that both technical and organizational safeguards are in place. By strengthening these Categories, organizations can implement robust defenses that prevent unauthorized access, reduce vulnerabilities, and protect sensitive data from both internal and external threats. Each Protect Category is listed and described below:
Description: Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access
NIST CSF 2.0 Identifier: PR.AA
Description: The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks
NIST CSF 2.0 Identifier: PR.AT
Description: Data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information
NIST CSF 2.0 Identifier: PR.DS
Description: The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability
NIST CSF 2.0 Identifier: PR.PS
Description: Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience
NIST CSF 2.0 Identifier: PR.IR
Access Control: Manage who has access to systems and data, ensuring the principle of least privilege.
Data Security: Implement measures to protect data at rest and in transit, such as encryption and tokenization.
Awareness and Training: Conduct regular training to ensure employees understand cybersecurity risks and best practices.
Protective Technology: Deploy technologies such as firewalls, intrusion detection systems, and endpoint protection.
Visit for help completing these templates and the for tips on how to implement these policies and standards once the templates are completed.