Protect
Download free policy and standard templates for the NIST CSF 2.0 Protect Core Function, which focuses on proactive safeguards designed to limit or contain the impact of potential cybersecurity events.
Protect Function Background
The Protect Function defines the necessary safeguards to manage an organization’s cybersecurity risks. After identifying and prioritizing assets and risks, this function focuses on securing those assets to reduce the likelihood and impact of adverse cybersecurity events while enhancing opportunities for success. Key outcomes of the Protect function include identity management, authentication, and access control; security awareness and training; data protection; platform security (securing hardware, software, and services for both physical and virtual platforms); and the resilience of technology infrastructure. The Protect Function consists of Categories, which break the Function down into more specific outcomes and activities and provide a structured approach for organizations to manage and implement cybersecurity practices.
Protect Policy Templates
The following policy and standard templates help ensure that the NIST CSF Protect categories are adequately addressed, including Identity Management, Authentication, and Access Control; Awareness and Training; Data Security; Platform Security; and Technology Infrastructure Resilience:
Visit Template Instructions for help completing these templates and the Implementation Guide for tips on how to implement these policies and standards once the templates are completed.
802.11 Wireless Network Security Standard
Description: The 802.11 Wireless Network Security Standard establishes controls for 802.11 wireless networks in order to minimize risks to the confidentiality, integrity and availability of information and to support secure access to resources and services over wireless networks.
Document Link: 80211-Wireless-Network-Security-Standard.docx
Primary NIST CSF 2.0 Category: Technology Infrastructure Resilience
Access Control Policy
Description: The Access Control Policy ensures that access controls are implemented and in compliance with IT security policies, standards, and procedures.
Document Link: Access-Control-Policy.docx
Primary NIST CSF 2.0 Category: Identity Management, Authentication, and Access Control
Account Management Access Control Standard
Description: The Account Management Access Control Standard establishes the rules and processes for creating, maintaining, and controlling the access of a digital identity to an entity’s applications and resources as a means of protecting its systems and information.
Document Link: Account-Management-Access-Control-Standard.docx
Primary NIST CSF 2.0 Category: Identity Management, Authentication, and Access Control
Authentication Tokens Standard
Description: The Authentication Tokens Standard lists the appropriate authentication tokens that can be used with systems developed or operated that require authenticated access depending on the Authenticator Assurance Level. This document also provides the requirements for management of those authentication devices.
Document Link: Authentication-Tokens-Standard.docx
Primary NIST CSF 2.0 Category: Identity Management, Authentication, and Access Control
Encryption Standard
Description: The Encryption Standard defines the organizational use of encryption. Encryption is a cryptographic operation that is used to enhance security and protect the electronic data (“data”) by transforming readable information (“plaintext”) into unintelligible information (“ciphertext”). Encryption is an effective tool in mitigating the threat of unauthorized access to data.
Document Link: Encryption-Standard.docx
Primary NIST CSF 2.0 Category: Data Security
Identification and Authentication Policy
Description: The Identification and Authentication Policy ensures that only properly identified and authenticated users and devices are granted access to Information Technology resources in compliance with IT security policies, standards, and procedures.
Document Link: Identification-and-Authentication-Policy.docx
Primary NIST CSF 2.0 Category: Identity Management, Authentication, and Access Control
Information Classification Standard
Description: The Information Classification Standard outlines a classification process and provides procedures for classifying information in a manner that uniformly protects information entrusted to the entity.
Document Link: Information-Classification-Standard.docx
Primary NIST CSF 2.0 Category: Data Security
Media Protection Policy
Description: The Media Protection Policy ensures that Information Technology (IT) controls access to and disposes of media resources in compliance with IT security policies, standards, and procedures.
Document Link: Media-Protection-Policy.docx
Primary NIST CSF 2.0 Category: Data Security
Mobile Device Security Standard
Description: The Mobile Device Security Standard outlines the additional protections required for the use of mobile devices. Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices that are only used within an entity’s facilities and on the entity’s networks.
Document Link: Mobile-Device-Security.docx
Primary NIST CSF 2.0 Category: Platform Security
Patch Management Standard
Description: The Patch Management Standard outlines how to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. By applying security-related software or firmware updates (patches) to applicable IT systems, the expected result is reduced time and money spent dealing with exploits, because the related vulnerability is reduced or eliminated.
Document Link: Patch-Management-Standard.docx
Primary NIST CSF 2.0 Category: Platform Security
Physical and Environmental Protection Policy
Description: The Physical and Environmental Protection Policy ensures that Information Technology resources are protected by physical and environmental security measures that prevent physical tampering, damage, theft, or unauthorized physical access.
Document Link: Physical-and-Environmental-Protection-Policy.docx
Primary NIST CSF 2.0 Category: Awareness and Training
Remote Access Standard
Description: The Remote Access Standard establishes authorized methods for remotely accessing resources and services securely.
Document Link: Remote-Access-Standard.docx
Primary NIST CSF 2.0 Category: Identity Management, Authentication, and Access Control
Sanitization and Secure Disposal Standard
Description: The Sanitization and Secure Disposal Standard outlines applicable media that needs special disposition, and how that media will be disposed, in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality.
Document Link: Sanitization-Secure-Disposal-Standard.docx
Primary NIST CSF 2.0 Category: Data Security
Security Awareness and Training Policy
Description: The Security Awareness and Training Policy ensures that the appropriate level of information security awareness training is provided to all Information Technology users.
Document Link: Security-Awareness-and-Training-Policy.docx
Primary NIST CSF 2.0 Category: Awareness and Training
System and Communications Protection Policy
Description: The System and Communications Protection Policy establishes guidelines for system and communications protection for Information Technology (IT) resources and information systems.
Document Link: System-and-Communications-Protection-Policy.docx
Primary NIST CSF 2.0 Category: Platform Security
System and Information Integrity Policy
Description: The System and Information Integrity Policy ensures that Information Technology resources and information systems are established with system integrity monitoring to include areas of concern such as malware, application and source code flaws, industry supplied alerts and remediation of detected or disclosed integrity issues.
Document Link: System-and-Information-Integrity-Policy.docx
Primary NIST CSF 2.0 Category: Data Security
Secure Coding Standard
Description: The Secure Coding Standard ensures that code is written to be resilient to high-risk threats and to avoid the most common coding errors that create serious vulnerabilities in software. While it is impossible to write code that is completely impervious to all possible attacks, implementing these coding standards throughout information systems will significantly reduce the risk of disclosure, alteration, or destruction of information due to software vulnerabilities.
Document Link: Secure-Coding-Standard.docx
Primary NIST CSF 2.0 Category: Platform Security
NIST CSF 2.0 Protect Categories
The Protect Categories are designed to establish proactive measures that reduce the likelihood of a cybersecurity incident and mitigate potential impact. Key components include access control, data security, awareness and training, and protective technologies to ensure that both technical and organizational safeguards are in place. By strengthening these Categories, organizations can implement robust defenses that prevent unauthorized access, reduce vulnerabilities, and protect sensitive data from both internal and external threats. A list and description of each specific Protect Category can be found below:
Identity Management, Authentication, and Access Control
Description: Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access
NIST CSF 2.0 Identifier: PR.AA
Awareness and Training
Description: The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks
NIST CSF 2.0 Identifier: PR.AT
Data Security
Description: Data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information
NIST CSF 2.0 Identifier: PR.DS
Platform Security
Description: The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability
NIST CSF 2.0 Identifier: PR.PS
Technology Infrastructure Resilience
Description: Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience
NIST CSF 2.0 Identifier: PR.IR
Implementation Tasks
Access Control: Manage who has access to systems and data, ensuring the principle of least privilege.
Data Security: Implement measures to protect data at rest and in transit, such as encryption and tokenization.
Awareness and Training: Conduct regular training to ensure employees understand cybersecurity risks and best practices.
Protective Technology: Deploy technologies such as firewalls, intrusion detection systems, and endpoint protection.