PR — Protect NIST CSF 2.0

NIST CSF 2.0 Protect Function: Access Control, Training & Data Security

The Protect function implements the safeguards that limit or contain the impact of a cybersecurity event — from MFA and least privilege to encryption, patching, and resilience.

Of the six NIST CSF 2.0 functions, Protect is where the most day-to-day security work happens. It covers the controls your team operates continuously: who has access to what, whether that access is properly authenticated, how data is secured in motion and at rest, whether endpoints are patched, and whether your infrastructure can absorb disruption.

For SMBs, Protect is often where the largest gap between intent and reality exists. Organizations know they should have MFA, they know they should be encrypting laptops — but assessments routinely find these controls partially deployed or inconsistently applied. Protect maturity is measured not by whether a control exists, but by whether it’s applied uniformly across all users and systems.

Protect is also the function most directly scrutinized by cyber insurance underwriters and regulators. Expect specific questions about MFA coverage rates, encryption status, and patch cadence in every compliance questionnaire and insurance renewal. Gaps here cost real money.

The 5 Protect Categories

PR.AA (Identity Management, Authentication & Access Control): MFA, least privilege, privileged access management, remote access controls, and user lifecycle management.
PR.AT (Awareness & Training): role-based security training, phishing simulations, and ensuring privileged users understand their heightened responsibilities.
PR.DS (Data Security): data classification, encryption at rest and in transit, DLP controls, and secure data disposal and retention policies.
PR.PS (Platform Security): hardened configurations, patch management, secure software development practices, and vulnerability management.
PR.IR (Technology Infrastructure Resilience): backup strategies, redundant systems, network segmentation, and capacity planning to maintain operations under adverse conditions.

Common SMB Gaps in the Protect Function

Protect and Regulatory Compliance

PR.DS maps directly to HIPAA’s Technical Safeguards for ePHI encryption. PR.AA aligns with PCI-DSS cardholder data access control requirements. Building your Protect controls against NIST CSF subcategories lets you satisfy requirements across frameworks without duplicating documentation. See the HIPAA alignment guide for the full mapping.

Frequently Asked Questions: NIST CSF Protect

What does the NIST CSF Protect function cover?
Protect encompasses the day-to-day safeguards that limit or contain cybersecurity event impact. It covers access control and identity management (PR.AA), security awareness training (PR.AT), data security and encryption (PR.DS), secure platform configuration and patching (PR.PS), and backup and infrastructure resilience (PR.IR).
Is MFA required under NIST CSF Protect?
NIST CSF doesn’t mandate specific controls, but MFA directly addresses PR.AA requirements and is expected at any maturity level above Partial. For regulated environments (HIPAA, PCI-DSS, federal contracts), MFA on all remote access and privileged accounts is effectively non-negotiable.
What is the biggest Protect gap for small businesses?
Shared credentials and missing MFA on cloud email (Microsoft 365, Google Workspace) are the entry points for over 80% of SMB breaches. The second most common gap is developers or contractors retaining production database access after projects end — a least-privilege failure under PR.AA.
How does NIST CSF Protect map to HIPAA?
PR.DS maps to HIPAA’s Technical Safeguards for ePHI encryption and transmission security. PR.AA maps to HIPAA’s Access Control requirements. PR.AT maps to HIPAA’s workforce training requirements. Using NIST CSF to structure your HIPAA program avoids duplicating control documentation across both frameworks.
