
NIST CSF 2.0 Protect Function: Safeguards to manage the organization's cybersecurity risks are used.

Source: NIST CSF 2.0

The Protect Function of NIST CSF 2.0 covers the safeguards that keep an organization's data and systems secure against cyberattacks. Think of it as the barrier around the organization's private data: it puts controls in place to block unauthorized access and to preserve the confidentiality, integrity, and availability of data, which entails establishing security controls and mechanisms that can quickly detect and address cybersecurity breaches. The Protect Function underpins a robust defense against cyberattacks and keeps the organization's assets secure.

The goals of the Protect Function are:

  • Implementing proactive security measures
  • Enhancing employee awareness and training
  • Securing data integrity

The Protect Function has five Categories:

  1. Identity Management, Authentication, and Access Control (PR.AA)
  2. Awareness and Training (PR.AT)
  3. Data Security (PR.DS)
  4. Platform Security (PR.PS)
  5. Technology Infrastructure Resilience (PR.IR)

Each Category has multiple Subcategories.

1. Identity Management, Authentication, and Access Control (PR.AA)

This Category focuses on securing sensitive data and important assets through management of user identities, implementation of access controls, and enforcement of authentication procedures. It includes steps for confirming the identity of people and devices using the systems and resources of the company and making sure that only authorized entities are given adequate access privileges. Organizations may lower their risk of insider threats, unauthorized access, and data breaches by introducing granular access controls, robust authentication procedures, and efficient identity management. This will improve their overall cybersecurity posture.

The Subcategories of PR.AA are:

  • PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.

    This Subcategory ensures that organizations effectively manage identities, credentials, and access privileges for users, services, and hardware to prevent unauthorized access.

    These actionable steps can help you comply with this Subcategory:

    • Define and enforce policies for creating, managing, and revoking user and service identities based on the principle of least privilege.
    • Require multi-factor authentication (MFA) for all users, especially for privileged accounts and remote access.
    • Periodically review and audit user accounts, roles, and permissions to ensure only authorized individuals have access to critical systems.
    • Deploy solutions such as Active Directory, single sign-on (SSO), or cloud-based identity and access management (IAM) platforms to streamline identity management and reduce risks.
    • Require complex passwords, enforce expiration policies, and implement credential rotation to minimize the risk of credential-based attacks.
  • PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions.

    This Subcategory ensures that user identities are proofed and securely linked to their credentials based on the level of risk associated with their interactions.

    These actionable steps can help you comply with this Subcategory:

    • Require users to provide valid government-issued IDs, biometric data, or multi-step identity verification before granting access to sensitive systems.
    • Enforce MFA to ensure credentials are linked to verified identities, reducing the risk of credential theft and unauthorized access.
    • Assign permissions based on verified user roles and responsibilities, ensuring only authorized personnel access sensitive data.
    • Use identity proofing solutions that integrate with IAM platforms to continuously validate user identities.
    • Periodically review and update user credentials and permissions to remove outdated or unauthorized accesses.
  • PR.AA-03: Users, services, and hardware are authenticated.

    This Subcategory ensures that only authorized entities—whether human users, system services, or devices—can access resources within an organization.

    These actionable steps can help you comply with this Subcategory:

    • Require MFA for all user logins—especially for privileged accounts and remote access—to enhance security beyond just passwords.
    • Enforce complex passwords, mandate periodic password changes, and prohibit password reuse.
    • Require digital certificates or SSH keys for authenticating servers, applications, and IoT devices instead of just passwords.
    • Use IAM solutions such as Active Directory, Okta, or Entra ID (formerly Azure AD) to manage user, service, and hardware authentication across the organization.
    • Continuously log and analyze authentication events using a security information and event management (SIEM) solution to detect unauthorized access attempts and unusual authentication patterns.
  • PR.AA-04: Identity assertions are protected, conveyed, and verified.

    This Subcategory ensures that identity assertions—claims made about a user's identity (e.g., authentication tokens, certificates, or credentials)—are securely transmitted, validated, and protected from tampering or misuse.

    These actionable steps can help you comply with this Subcategory:

    • Use TLS 1.2 or higher for encrypting identity-related communications, such as authentication tokens and certificates.
    • Require MFA for all users to add an additional layer of verification beyond just usernames and passwords.
    • Adopt industry-standard identity protocols such as SAML, OAuth 2.0, or OpenID Connect.
    • Ensure that applications and systems verify the validity of authentication tokens before granting access to resources.
    • Implement logging and monitoring of authentication processes to detect suspicious activities, such as token misuse or session hijacking.
  • PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.

    These actionable steps can help you comply with this Subcategory:

    • Establish a formal policy outlining access control rules, including role-based access control (RBAC).
    • Restrict user permissions to only the resources necessary for their job and regularly audit access levels.
    • Ensure critical tasks (e.g., financial transactions, system administration) require multiple users to prevent fraud or abuse.
    • Perform periodic access audits to validate that permissions are appropriate.
    • Use IAM tools to streamline access provisioning, enforcement, and revocation.
  • PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk.

    This Subcategory ensures that physical access to critical assets—such as data centers, server rooms, and networking equipment—is strictly controlled, monitored, and managed based on risk levels.

    These actionable steps can help you comply with this Subcategory:

    • Use keycard access, biometric authentication, or PIN-based locks to restrict entry to critical infrastructure areas.
    • Deploy security cameras and maintain access logs to track and review entry and exit activity.
    • Allow only authorized personnel to access sensitive areas based on job roles and responsibilities.
    • Periodically review access logs, verify security camera footage, and update access control lists.
    • Educate staff on the importance of securing physical assets and reporting suspicious activity.
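
As an added illustration of the PR.AA-04 step of verifying an identity assertion before granting access (example code written for this page, not part of NIST CSF 2.0 or of any vendor product), the following Python verifies a compact HMAC-signed, JWT-style token: the algorithm is pinned by the verifier, the signature is compared in constant time, and only then are the expiry, not-before, audience, and subject claims enforced. The key, audience, and claim values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed placeholders for this example: a shared HMAC key and the audience
# (the service that is meant to accept the token). Not values from the page.
DEMO_KEY = b"demo-shared-secret-for-illustration-only"
EXPECTED_AUD = "payroll-api"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that the compact encoding strips off.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Mint base64url(header).base64url(claims).base64url(HMAC-SHA256 signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    ]
    signing_input = ".".join(segments)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token: str, key: bytes, audience: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (True, subject) only if every check passes, otherwise (False, reason)."""
    # Order matters: decode, pin the algorithm, check the signature, and only then
    # trust anything inside the payload.
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(signature_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable token"
    # The verifier decides how to verify; a token may not choose its own algorithm.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("utf-8"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return False, "bad signature"
    if not isinstance(payload, dict):
        return False, "malformed claims"
    # Lifetime checks: an absent or non-numeric exp is treated as expired.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    nbf = payload.get("nbf")
    if nbf is not None and now < nbf:
        return False, "not yet valid"
    # Audience binding stops a token minted for one service being accepted by another.
    if payload.get("aud") != audience:
        return False, "wrong audience"
    subject = payload.get("sub")
    if not isinstance(subject, str) or not subject:
        return False, "missing subject"
    return True, subject


if __name__ == "__main__":
    issued_at = int(time.time())
    token = issue_token({"sub": "alice", "aud": EXPECTED_AUD,
                         "iat": issued_at, "exp": issued_at + 300}, DEMO_KEY)
    print(verify_token(token, DEMO_KEY, EXPECTED_AUD))
```

In production the same checks are performed by a maintained library; the point here is that each claim check happens only after the signature has been verified.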

2. Awareness and Training (PR.AT)

This Category highlights the role of staff education and empowerment in reducing cybersecurity threats. It includes initiatives to educate staff members on cybersecurity rules, procedures, and best practices.

Organizations may improve their workforce's capacity to identify and address cyber risks by offering extensive training and instructional materials. This will strengthen the organization's overall security posture.

The Subcategories of PR.AT are:

  • PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind.

    This Subcategory emphasizes the importance of cybersecurity awareness and training for all personnel to ensure they understand security risks and can perform their tasks securely.

    These actionable steps can help you comply with this Subcategory:

    • Organize mandatory cybersecurity training sessions covering phishing, password hygiene, social engineering, and data protection best practices.
    • Run periodic phishing simulations to test employees' awareness and provide additional training based on results.
    • Provide clear cybersecurity guidelines and policies that all employees must follow, such as acceptable use policies and incident reporting procedures.
    • Tailor training programs based on job roles (e.g., IT staff should receive advanced threat detection training, while HR personnel should learn about secure handling of PII).
    • Assess employee knowledge through quizzes, security drills, and feedback surveys to ensure continuous improvement in cybersecurity awareness.
  • PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind.

    This Subcategory emphasizes that individuals in specialized roles—such as system administrators, SOC analysts, developers, and network engineers—must receive cybersecurity training tailored to their responsibilities.

    These actionable steps can help you comply with this Subcategory:

    • Create tailored cybersecurity training for each specialized role, covering threat detection, secure coding, network security, and incident response.
    • Schedule frequent training sessions, workshops, or online courses to keep employees updated.
    • Assess personnel with periodic exams, phishing simulations, or hands-on exercises to ensure they can apply security measures effectively.
    • Maintain training logs, certifications, and attendance records to demonstrate compliance.

3. Data Security (PR.DS)

This Category is devoted to protecting confidential information from unwanted access, disclosure, or modification. It includes a variety of safeguards and actions intended to guarantee the confidentiality, availability, and integrity of data assets. PR.DS aims to secure sensitive data by identifying it, categorizing it according to its level of sensitivity, and putting in place the necessary controls for securing it. Data loss prevention (DLP) techniques, encryption, access restrictions, and safe data disposal procedures are a few examples of these measures.

The Subcategories of PR.DS are:

  • PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected.

    This Subcategory addresses the crucial elements of confidentiality, integrity, and availability with a focus on protecting data while it's at rest.

    These actionable steps can help you comply with this Subcategory:

    • Ensure that only authorized users can access and decrypt sensitive information, for example by encrypting it at rest.
    • Use digital signatures, checksums, and other data integrity mechanisms that can identify and stop unwanted changes to stored data.
    • Set up strong authentication and access controls to govern who may access data at rest based on user roles, permissions, and business needs.

    ManageEngine Log360 is a unified SIEM solution with DLP capabilities that secures data at rest. Log360 helps avoid data exposure by blocking high-risk file copy activities to USB devices and across local and network shares.

  • PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected.

    This Subcategory highlights the need for strong security measures that guard private data against unauthorized access, alteration, or interception while it is being transmitted.

    These actionable steps can help you comply with this Subcategory:

    • Encrypt data in transit using Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL).
    • Put robust authentication measures in place, such as certificate-based authentication or mutual authentication.
    • Use data integrity measures, such as digital signatures or message authentication codes (MACs).
    • Routinely monitor and document network traffic.

    Log360 helps prevent files containing highly sensitive data from being shared via email as attachments. Log360 also allows the tracking of data sharing patterns via web apps like SharePoint, Exchange, OneDrive, Dropbox, and more with details on who made the request, when, and from where.

  • PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected.

    This Subcategory highlights the need for strong security measures that safeguard data while it is actively being accessed, modified, or processed by users or applications.

    These actionable steps can help you comply with this Subcategory:

    • Use memory encryption technologies such as Intel SGX or AMD SEV to protect data while it is being processed in memory.
    • Implement RBAC and the principle of least privilege.
    • Deploy hardware-based trusted execution environments to isolate sensitive data from the rest of the system.
    • Use security monitoring tools like SIEM to track and log all access and modifications to data-in-use, detecting anomalies and potential unauthorized activities.
    • Use endpoint protection solutions to detect and prevent memory-based attacks, and deploy anti-tampering protections to safeguard against unauthorized data manipulation.

    Leverage Log360 to monitor and report on a wide range of file activities, including create, delete, modify, overwrite, rename, move, read, etc., in real time. Also gather details on all file activities via browsers, such as potential upload and download actions by employees.

  • PR.DS-11: Backups of data are created, protected, maintained, and tested.

    This Subcategory requires organizations to create regular backups, protect them from unauthorized access, and test their integrity to confirm that restoration succeeds.

    These actionable steps can help you comply with this Subcategory:

    • Define backup frequency (e.g., daily, weekly), retention periods, and storage locations (on-premises, cloud, or hybrid).
    • Secure backups using encryption and limit access to authorized personnel.
    • Maintain three copies of data—two on different storage types and one offsite (e.g., cloud or secure remote location) to ensure redundancy.
    • Regularly test backup restoration processes to confirm data integrity and ensure backups are not corrupted or incomplete.
    • Continuously monitor backup processes, review logs for failures, and promptly address any issues.

4. Platform Security (PR.PS)

This Category is responsible for protecting the hardware, software, and firmware components of the organization from cybersecurity threats. PR.PS highlights how crucial it is to have strong security measures in place to safeguard the underlying platforms that underpin vital business processes. The Category covers a range of components, such as cloud infrastructure, mobile devices, servers, and endpoints, all of which need to be actively protected against vulnerabilities and attacks. In order to reduce platform-related risks, PR.PS places a strong emphasis on the use of security measures such as encryption, patch management, access restrictions, and secure settings. Organizations can reduce the chance and consequences of cyberattacks, data breaches, and system intrusions by properly safeguarding their platforms.

The PR.PS Category is essential to maintaining the integrity, availability, and confidentiality of the company's platforms and related data as well as strengthening its overall cybersecurity posture.

The Subcategories of PR.PS are:

  • PR.PS-01: Configuration management practices are established and applied.

    This Subcategory ensures that configuration management practices are established and consistently applied to maintain a secure and controlled IT environment.

    These actionable steps can help you comply with this Subcategory:

    • Define and document configuration standards for systems, networks, and applications.
    • Require all system and software changes to go through a formal approval and documentation process before deployment.
    • Use automated tools to monitor configurations continuously and conduct periodic audits.
    • Restrict configuration changes to authorized personnel only, using RBAC to prevent unauthorized modifications.
    • Keep detailed records of configuration changes, including version histories, and ensure secure backups are available for quick restoration in case of errors or security incidents.
  • PR.PS-02: Software is maintained, replaced, and removed commensurate with risk.

    This Subcategory emphasizes that organizations must proactively manage software lifecycles based on security risks.

    These actionable steps can help you comply with this Subcategory:

    • Implement a patch management process to apply security updates and software patches as soon as they are released.
    • Maintain an up-to-date inventory of all installed software and identify any outdated or unsupported applications.
    • Decommission and replace obsolete software that is no longer supported by vendors with secure alternatives.
    • Implement application allowlisting and endpoint security controls to prevent employees from installing unapproved software.
  • PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk.

    This Subcategory ensures that hardware within an organization is properly maintained, securely replaced, and safely removed based on risk levels to prevent unauthorized access and data exposure.

    These actionable steps can help you comply with this Subcategory:

    • Keep a detailed inventory of all hardware assets, including their usage, security status, and lifecycle stage.
    • Conduct periodic security checks and maintenance on critical hardware components to ensure they meet security and operational standards.
    • Use certified data-wiping tools or physical destruction methods to securely decommission and dispose of old or compromised hardware.
    • Develop a hardware replacement plan to swap out outdated devices before they become security risks.
  • PR.PS-04: Log records are generated and made available for continuous monitoring.

    This Subcategory emphasizes the need to keep thorough records of security-related events and activities throughout an organization's IT infrastructure.

    These actionable steps can help you comply with this Subcategory:

    • Turn on logging for servers, network devices, applications, databases, and security tools (e.g., firewalls, antivirus, and IDS/IPS).
    • Use a SIEM solution or a centralized log management solution to collect and store logs from various sources.
    • Define a log retention policy (e.g., keep security logs for 1 year and critical logs for longer) and securely store logs to prevent tampering.
    • Set up automated alerts for suspicious activities (e.g., multiple failed login attempts, privilege escalations) and integrate with SOC or IT teams for quick response.
    • Schedule daily automated scans and weekly/monthly manual reviews of logs to detect anomalies, ensuring compliance with security policies and regulations.

    Log360 automatically discovers the Windows and syslog devices on your network and ingests log data. It also automatically imports log data at regular time intervals from applications such as vulnerability scanners and databases. With features such as custom log parsing, real-time analytics, secure log archival, and automated workflows, Log360 bolsters your organization's cybersecurity.

  • PR.PS-05: Installation and execution of unauthorized software are prevented.

    This Subcategory highlights the importance of precautions that prevent the installation and execution of unauthorized software on the platforms an organization uses.

    These actionable steps can help you comply with this Subcategory:

    • Use Group Policy Objects (GPOs) or endpoint management solutions to prevent standard users from installing software.
    • Deploy application control/whitelisting solutions such as Microsoft AppLocker or Windows Defender Application Control (WDAC) to allow only approved applications to run.
    • Configure antivirus/EDR solutions to block execution of unauthorized software. Set up real-time monitoring to detect and alert on any unapproved software installation attempts.
    • Establish a software installation policy that defines approved software and installation processes.

    Log360, with its comprehensive log collection capabilities, uses both agent-based and agentless log collection methods to leave no entity or abnormal behavior unnoticed. Its UEBA capabilities also provide insights into unauthorized or abnormal software installations or executions within your network.

  • PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.

    Secure software development practices ensure that security is embedded into every phase of the software development life cycle (SDLC), from design to deployment.

    These actionable steps can help you comply with this Subcategory:

    • Implement secure coding guidelines (such as OWASP Secure Coding Practices) to prevent common vulnerabilities.
    • Perform static and dynamic application security testing throughout the SDLC to identify and fix security flaws.
    • Integrate automated security tools in CI/CD pipelines to scan for vulnerabilities in source code and dependencies.
    • Require peer reviews that specifically check for security issues before merging code into production.
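
As an added example for the automated-alert step under PR.PS-04 (and the PR.AA-03 step of analysing authentication events for unusual patterns), not code from the page or from Log360: a small Python detector run over constructed syslog-style sshd and sudo lines. It flags a burst of failed logins from one source within a sliding window, a successful login from a source that has just produced such a burst, and a sudo-to-root by a user outside a constructed admin allowlist. Hosts, users, thresholds, and addresses (RFC 5737 documentation ranges) are placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Iterable, List, Tuple

# Constructed sample log lines in OpenSSH/sudo syslog style; they are not real events.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 52211 ssh2
2024-05-01T08:00:03Z web01 sshd[4102]: Failed password for root from 203.0.113.7 port 52212 ssh2
2024-05-01T08:00:04Z web01 sshd[4103]: Failed password for root from 203.0.113.7 port 52213 ssh2
2024-05-01T08:00:06Z web01 sshd[4104]: Failed password for root from 203.0.113.7 port 52214 ssh2
2024-05-01T08:00:09Z web01 sshd[4105]: Failed password for root from 203.0.113.7 port 52215 ssh2
2024-05-01T08:00:15Z web01 sshd[4106]: Accepted password for root from 203.0.113.7 port 52216 ssh2
2024-05-01T08:01:00Z web01 sshd[4120]: Failed password for alice from 198.51.100.5 port 40001 ssh2
2024-05-01T08:01:20Z web01 sshd[4121]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
2024-05-01T08:02:00Z web01 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
2024-05-01T08:02:30Z web01 sudo:  alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# "<timestamp> <host> <program>[pid]: <message>"; the pid is optional (sudo omits it).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[a-z]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

Alert = Tuple[str, str, str, str]  # (severity, rule, source or principal, detail)


def parse_ts(text: str) -> float:
    """Parse the ISO-8601 UTC timestamp used in the sample lines into epoch seconds."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def detect(lines: Iterable[str], threshold: int = 5, window: int = 60,
           admin_users: frozenset = frozenset({"alice"})) -> List[Alert]:
    """Run the three rules over the lines in order and return the alerts they raise."""
    alerts: List[Alert] = []
    failures = defaultdict(deque)  # source address -> timestamps of recent failed logins
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a line this detector understands; a SIEM would parse it elsewhere
        ts, prog, msg = parse_ts(m["ts"]), m["prog"], m["msg"]
        if prog == "sshd":
            s = SSH_RE.match(msg)
            if not s:
                continue
            src, recent = s["src"], failures[s["src"]]
            while recent and ts - recent[0] > window:  # slide the window forward
                recent.popleft()
            if s["result"] == "Failed":
                recent.append(ts)
                if len(recent) == threshold:  # alert once, when the threshold is crossed
                    alerts.append(("medium", "failed-login burst", src,
                                   f"{threshold} failures within {window}s"))
            elif len(recent) >= threshold:
                # A success right after a burst is the case worth a responder's attention.
                alerts.append(("high", "success after failed-login burst", src,
                               f"user={s['user']}"))
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if s and s["target"] == "root" and s["user"] not in admin_users:
                alerts.append(("high", "unexpected privilege escalation", s["user"],
                               f"cmd={s['cmd']}"))
    return alerts


if __name__ == "__main__":
    for severity, rule, who, detail in detect(SAMPLE_LOGS.splitlines()):
        print(f"[{severity}] {rule}: {who} ({detail})")
```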

5. Technology Infrastructure Resilience (PR.IR)

Assuring the resilience of an organization's technological assets against interruptions is the main goal of this Category. PR.IR includes plans and actions for preserving the functioning, availability, and integrity of vital parts of the technological infrastructure, such as data, systems, networks, and applications.

Organizations may lessen the effects of interruptions like cyberattacks, natural catastrophes, or system failures by putting strong resilience measures in place. This will help them maintain operations and meet business continuity goals.

The Subcategories of PR.IR are:

  • PR.IR-01: Networks and environments are protected from unauthorized logical access and usage.

    This Subcategory emphasizes the importance of protecting networks and environments against unauthorized logical access and usage.

    These actionable steps can help you comply with this Subcategory:

    • Use role-based access control and the principle of least privilege.
    • Require MFA for all remote access, privileged accounts, and sensitive systems to prevent unauthorized logins, even if credentials are compromised.
    • Use network segmentation (e.g., VLANs, firewalls, and zero trust architecture) to separate sensitive environments (such as databases, internal systems, and cloud services) from general access areas.
    • Deploy SIEM solutions to log and analyze access attempts, detecting unauthorized or suspicious activities in real time.

    Log360, with its threat intelligence and advanced threat analytics capabilities, helps secure networks from malicious access. By tracking malicious IP addresses that attempt to access your company's vital resources and by assisting with the analysis of users who access unsafe or banned websites, the solution aids both threat detection and mitigation.

  • PR.IR-02: The organization’s technology assets are protected from environmental threats.

    This Subcategory ensures that an organization's technology assets—such as servers, network equipment, and storage systems—are safeguarded against environmental threats like fire, flooding, extreme temperatures, and power outages.

    These actionable steps can help you comply with this Subcategory:

    • Deploy temperature, humidity, and water leakage sensors in data centers and server rooms.
    • Use uninterruptible power supplies (UPS) and backup generators to prevent downtime due to power outages.
    • Install fire suppression systems, such as FM-200 or CO₂ systems, to protect IT infrastructure from fire hazards.
    • Ensure that critical equipment is housed in climate-controlled, secured areas with proper ventilation and protection against floods and other natural disasters.
    • Conduct routine drills and testing of disaster recovery and business continuity plans to ensure rapid response to environmental threats.

  • PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations.

    This Subcategory highlights the need to establish safeguards that keep an organization's IT infrastructure resilient in both favorable and unfavorable circumstances.

    These actionable steps can help you comply with this Subcategory:

    • Configure regular, encrypted backups of critical data and systems. Store backups in multiple locations (on-premises and cloud).
    • Set up redundant network infrastructure and critical servers. Implement automatic failover to secondary systems during outages.
    • Conduct regular recovery drills and test restoration procedures. Document and update business continuity plans based on test results.
    • Deploy real-time monitoring and response tools like SIEM to detect and mitigate cyber threats.

    With Log360's intuitive correlation dashboard, you can view a summary of all detected security threats, including ransomware attacks, file integrity threats, database and web server threats, malicious use of command-line tools, suspicious process spawning, and exploitation of built-in binaries and utilities.

  • PR.IR-04: Adequate resource capacity to ensure availability is maintained.

    PR.IR-04 ensures that an organization has sufficient IT and security resources—such as computing power, storage, network bandwidth, and security personnel—to maintain system availability and prevent service disruptions.

    These actionable steps can help you comply with this Subcategory:

    • Regularly assess system performance, network bandwidth, and storage capacity to anticipate future growth and avoid resource shortages.
    • Use cloud-based auto-scaling solutions and load balancers to dynamically allocate resources based on demand and prevent system overload.
    • Deploy monitoring tools to track CPU, memory, disk usage, and network performance, setting up alerts for any capacity-related issues.
    • Implement redundant systems, backup power supplies, and failover strategies.
    • Regularly conduct stress testing and disaster recovery drills to evaluate infrastructure resilience and identify capacity bottlenecks.