CSRF protection is included in the standard BPS .htaccess code/files and in WordPress itself. Is the HTML form outside of WordPress? Is it part of another website? WordPress has these Form checking conditions available that should be used in all plugin and theme Forms:
if ( isset( $_POST['blah'] ) && current_user_can( 'manage_options' ) ) { check_admin_referer( 'blah' ); /* process the submitted form here */ } and then in the Form a nonce is used to check the Referer: wp_nonce_field( 'blah' );
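The capability-plus-nonce pattern described in this post, written out as an added example that is not part of the original post, of BPS, or of WordPress core: a minimal settings page whose form carries wp_nonce_field() and whose handler runs current_user_can() before check_admin_referer(). The nd_-prefixed names, the option name and the page slug are assumptions chosen for the example; the WordPress functions called are real core functions.

```php
<?php
/*
Plugin Name: Nonce Demo (illustrative)
*/
// Added example, not code from the original post, BPS, or WordPress core.
// Everything prefixed nd_ is a hypothetical name; the WP functions are real.

// 1. Register a Settings page whose form posts to admin-post.php.
add_action( 'admin_menu', function () {
    add_options_page( 'Nonce Demo', 'Nonce Demo', 'manage_options', 'nd-demo', 'nd_render_form' );
} );

function nd_render_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $value = get_option( 'nd_greeting', '' );
    $saved = isset( $_GET['nd_saved'] ) ? (int) $_GET['nd_saved'] : 0;
    ?>
    <div class="wrap">
      <h1>Nonce Demo</h1>
      <?php if ( $saved ) : ?><div class="notice notice-success"><p>Saved.</p></div><?php endif; ?>
      <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php
        // Emits a hidden _wpnonce field bound to this user, this action name and
        // a time window, plus a _wp_http_referer field. A form on another site
        // cannot forge the value because it cannot read this page.
        wp_nonce_field( 'nd_save_greeting' );
        ?>
        <input type="hidden" name="action" value="nd_save_greeting">
        <label>Greeting
          <input type="text" name="nd_greeting" value="<?php echo esc_attr( $value ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
      </form>
    </div>
    <?php
}

// 2. Handle the POST. admin_post_{action} fires only for logged-in users.
add_action( 'admin_post_nd_save_greeting', 'nd_handle_save' );

function nd_handle_save() {
    // Capability first: a logged-in subscriber can obtain a valid nonce for
    // this action, so the nonce alone never authorises the write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce second: check_admin_referer() calls wp_die() when _wpnonce is
    // missing, expired, or was issued for another action or user.
    check_admin_referer( 'nd_save_greeting' );

    $greeting = isset( $_POST['nd_greeting'] )
        ? sanitize_text_field( wp_unslash( $_POST['nd_greeting'] ) )
        : '';
    update_option( 'nd_greeting', $greeting );

    wp_safe_redirect( add_query_arg( 'nd_saved', 1, admin_url( 'options-general.php?page=nd-demo' ) ) );
    exit;
}
```

A cross-site page that auto-submits a POST to admin-post.php with action=nd_save_greeting reaches nd_handle_save() with the victim's cookies but without a valid _wpnonce, so check_admin_referer() stops it before update_option() runs. The order of the two checks matters: check_admin_referer() verifies the nonce against the current user, so a low-privilege user who can load a nonce from some other screen still has to pass current_user_can() first.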