What is the purpose of the Protect function in the NIST CSF, and what are typical outcomes?
Protect implements safeguards that limit or contain the impact of potential cybersecurity events and secure the delivery of critical services.
This is the classic "defensive controls" function — but note the wording: it aims to limit or contain impact, not promise prevention. Modern security assumes some attacks will get through.
Example outcomes:
- Data Security — protecting the confidentiality, integrity, and availability (the CIA triad) of information
- Protective Technology — technical controls ensuring systems' security and resilience (firewalls, hardening, endpoint protection)
- Awareness and Training — empowering staff, because humans are part of the defense, not just a weakness
Its categories: Identity Management & Access Control (PR.AC), Awareness & Training (PR.AT), Data Security (PR.DS), Information Protection Processes & Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT).
Tip: Protect is the largest function (6 categories) — historically where most security budgets go. The CSF's point is that the other four deserve investment too.