NIST Cybersecurity Framework


November 28, 2022
Last Updated: January 15, 2024

The NIST Cybersecurity Framework (CSF) provides guidance on how to manage and mitigate security risks in your IT infrastructure. CSF consists of standards, practices, and guidelines that can be used to prevent, detect, and respond to cyberattacks.

The National Institute of Standards and Technology (NIST) created the CSF to help US civilian organizations create a roadmap for securing critical infrastructure. It has been translated into other languages and is used by other governments and by organizations around the world.

NIST CSF is most useful for small or less regulated organizations, especially those looking to raise security awareness. This framework might be less useful for large organizations that already have a significant IT security program.

This framework is a voluntary initiative in which private companies and governments work together. NIST has designed a flexible and cost-effective framework with prioritizable elements. The framework is available in spreadsheet or PDF format (see the official framework documents).

This is part of an extensive series of guides about information security.

Uses and Benefits of the NIST Cybersecurity Framework

The CSF provides a common language and a systematic approach to managing cybersecurity risks. Its core includes activities integrated into a cybersecurity plan that may be tailored to the needs of any organization. The framework is not intended to replace an organization’s existing risk management and cybersecurity programs and processes, but to complement them.

Framework Profiles

CSF provides the concept of Framework Profiles, which combine business objectives and the threat landscape with cybersecurity requirements and controls. This reflects the company’s organizational needs, risk management, and the coordination of resources needed to meet both.

A Framework Profile contains current (and desired) cybersecurity activities mapped to the core competencies. Organizations can use it to select their Implementation Tier (see below), check it against the Profile, and determine what they still need to achieve.

CSF includes the process for creating a Framework Profile for the specific organization implementing the standard. These Profiles help identify areas where the organization can improve existing processes or implement new ones. This can provide significant benefits:

  • Comparing the current state of a network security policy with a desired target state.
  • Revealing strategic gaps and blind spots in risk management goals.
  • Making it easier to formulate policies and procedures across the organization.
  • Improving an organization’s communication by combining these Profiles with the framework’s easy-to-understand language.
  • Enabling cost-effective activity prioritization and improved communication between the organization’s stakeholders by combining a Framework Profile with an implementation plan.
  • Serving, together with implementation plans, as important resources for demonstrating that the organization has robust security standards.
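As an added illustration of how a Current Profile, a Target Profile and an implementation plan combine into a prioritized gap list (example code, not part of the original article or of any NIST tooling): the Subcategory IDs are genuine CSF 1.1 identifiers, one per Core Function, while the tier values and effort figures are constructed sample data, and scoring Implementation Tiers per outcome rather than for the organization as a whole is a simplifying assumption.

```python
from dataclasses import dataclass

# Implementation Tier names from the framework (1 = least rigorous).
TIERS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}
# Core Function for each Subcategory ID prefix.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Constructed sample Profiles: genuine CSF 1.1 Subcategory IDs (one per
# Function), but the tier values and effort estimates are made up.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 3}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}
EFFORT = {"ID.AM-1": 2, "PR.AC-1": 6, "DE.CM-1": 4, "RS.RP-1": 1, "RC.RP-1": 1}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    effort: int  # estimated cost to reach the target, arbitrary units

    @property
    def size(self) -> int:
        return self.target - self.current


def find_gaps(current, target, effort):
    """Return every Subcategory whose current tier is below its target tier."""
    gaps = []
    for sub, want in target.items():
        if not 1 <= want <= 4:
            raise ValueError(f"{sub}: target tier {want} is outside 1..4")
        have = current.get(sub, 1)  # absent from the Current Profile = Tier 1
        if have < want:
            fn = FUNCTIONS[sub.split(".")[0]]
            gaps.append(Gap(sub, fn, have, want, effort.get(sub, 1)))
    return gaps


def prioritize(gaps):
    """Order gaps by tiers gained per unit of effort, then by gap size."""
    return sorted(gaps, key=lambda g: (-g.size / g.effort, -g.size, g.subcategory))


if __name__ == "__main__":
    for g in prioritize(find_gaps(CURRENT_PROFILE, TARGET_PROFILE, EFFORT)):
        print(f"{g.subcategory:8} {g.function:8} {TIERS[g.current]} -> "
              f"{TIERES[g.target] if False else TIERS[g.target]} (+{g.size}, effort {g.effort})")
```

With the sample data, RS.RP-1 ranks first (one tier for one unit of effort) and PR.AC-1 last, which is the kind of cost-effective ordering the text describes.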

Implementation Tiers

The CSF provides Implementation Tiers, which can help organizations by adding context to cybersecurity risk management. They create a hierarchy that guides organizations when determining the right level of rigor in their cybersecurity programs. Hierarchies can be used as communication tools to discuss task priorities, risk preferences, and budgets.

This helps inform key decisions about risk management processes at all levels of the organization, from the implementation, operations, and business and process level to senior management.

Built-in customization

The CSF can be tailored for use by any organization using built-in mechanisms – such as Framework Profiles, Implementation Tiers, and even the framework’s Core, all of which can be customized.

Extensibility is made possible because the framework is results-driven, and does not dictate how organizations need to achieve these results. Whether it is adopted by a small organization with a tight security budget or a large company with a larger budget, staff can find a viable way to handle cybersecurity concerns.

5 Core Functions of the NIST Cybersecurity Framework

The Framework’s core consists of five elements that work together to achieve desired cybersecurity outcomes. Each of these five functions has a set of actions that can be included in the organization’s cybersecurity policy.

Identify

This function lays the foundation for a robust cybersecurity program. It helps organizations improve their understanding of cybersecurity risk management with regard to people, systems, assets, and data. 

To help organizations prioritize and focus their efforts based on risk management strategies and business requirements, this function analyzes the business environment, the resources supporting critical functions, and associated cybersecurity risks. 

Primary identification activities include:

  • Identifying software and physical assets to form the basis of your asset management plan
  • Identifying the organization’s business environment, including its place within the supply chain
  • Identifying policies that make up the organization’s governance programs, regulations, and legal requirements
  • Identifying activities to evaluate asset vulnerabilities, identify threats to external and internal resources, and respond to threats
  • Creating a risk management strategy that includes identification of risk tolerance
  • Determining supply chain risk management strategies, including the constraints, priorities, assumptions, and risk tolerances that inform risk-related decisions

Protect

This function helps the organization take steps to reduce the number of possible attacks, intrusions, or breaches, and limit the damage that can be done if an attack is successful. This involves developing and implementing safeguards to ensure the organization is ready for an attack and has a plan in case safeguards fail.

Primary activities in this function include:

  • Implementing identity and access management (IAM)
  • Implementing data encryption and cloud data loss prevention (DLP)
  • Performing regular backups
  • Protecting devices with firewalls, regular updates, and other endpoint security
  • Performing staff cybersecurity training 

Note that some of the best practices recommended by NIST overlap with HIPAA and other security regulations.

Detect

This function helps organizations implement appropriate measures to quickly identify cybersecurity incidents. It requires a continuous monitoring solution to detect anomalous activity and other threats to the continuity of operations. 

Organizations need network visibility to predict network events and have all actionable information that security teams can react to. Continuous monitoring and threat hunting are effective ways to analyze and prevent cyber incidents. 

Primary activities in this function include:

  • Reliably detecting events and anomalies and understanding their impact level
  • Continuously monitoring security events using automated and accurate mechanisms
  • Validating the effectiveness of each protective measure, including cyber and physical activity

Respond

This function helps contain and minimize the impact of potential cybersecurity incidents by taking appropriate response actions when an incident is detected. 

Primary activities in this function include:

  • Ensuring that the response planning process is carried out during and after each incident
  • Managing communication with external and internal stakeholders during and after the event
  • Analyzing incidents to ensure an effective response and support recovery activities such as forensic analysis and incident impact determination
  • Taking steps to prevent incident escalation, and resolve incidents as quickly as possible
  • Implementing improved processes based on the lessons learned from past detection and response activities

Recover

This function helps the organization restore a function or service affected by cybersecurity incidents to normal operations. A timely recovery is critical to mitigating the impact of cybersecurity incidents. 

Primary activities in this function include:

  • Ensuring the organization has recovery planning procedures for recovering systems and assets impacted by a cybersecurity incident.
  • Improving processes based on reviews of existing strategies and lessons learned.
  • Coordinating external and internal communications during the recovery process and after restoring normal operations.

NIST Cybersecurity Framework Implementation Tiers

The Framework’s implementation tiers help organizations assess cybersecurity risks and create contingency strategies to mitigate these risks. Higher tiers in the NIST CSF correspond to increased sophistication and rigor in the cybersecurity risk management approach. 

You can choose a tier according to your organization’s goals, legal requirements, acceptable risk level, and ease of implementation. Progress to higher tiers only if a cost-benefit analysis indicates it can feasibly reduce cybersecurity risk.

Tier 1: Partial

Tier 1 applies to organizations that manage risk in an ad hoc manner without implementing standardized risk management practices. This tier indicates the organization has limited cybersecurity risk awareness, typically resulting in reactive or case-by-case risk management.

Organizations in tier 1 typically do not understand their role in the software supply chain and do not collaborate with others to improve security. These organizations are not aware of the supply chain risks associated with the products they use or provide.

Tier 1 organizations should be more informed on cybersecurity risks to shift their standing into tier 2. Not all organizations require rigorous cybersecurity policies, but all businesses should have a baseline awareness of their cybersecurity standing.

Tier 2: Risk-Informed

This tier applies to organizations that are aware of their cybersecurity risks, have created mitigation strategies for breach incidents, and have acquired the resources needed to promote cybersecurity measures. 

Organizations do not need to have completed the implementation of cybersecurity measures to be classified into tier 2. However, their cybersecurity prioritization must be informed by the organization’s threat environment, business objectives, and risk assessments. Additionally, tier 2 organizations must understand their role in the software supply chain.

Tier 3: Repeatable

Organizations classified within tier 3 have implemented cybersecurity standards across the entire organization and can consistently respond to cyberattacks and breaches. These organizations have trained employees to properly use security policies, ensuring they are informed on cybersecurity risks.

Tier 4: Adaptive

The adaptive tier represents a complete adoption of NIST CSF. It applies to organizations that can proactively predict issues and detect cybersecurity threats according to their existing IT architecture and current trends. Additionally, tier 4 organizations understand their dependencies and dependents within the larger ecosystem. 

Other NIST Frameworks

NIST, a non-regulatory agency of the U.S. Department of Commerce, publishes thousands of standards, frameworks, and guidelines for use in information technology, engineering, nanoscience and technology, and many other fields. These include:

NIST Incident Response

NIST Special Publication 800-61 Revision 2, the Computer Security Incident Handling Guide, published in 2012, provides incident management guidance in the form of a cybersecurity framework for cyber incident response.

NIST Incident Response Guidelines include templates for business and law enforcement, as well as incident management guidelines, which specify how to analyze data related to cybersecurity incidents and determine the appropriate response to each incident. The NIST Incident Management Template takes a pragmatic approach to defining post-cyber incident procedures and establishes responsibilities. Learn more in our detailed guide to NIST incident response.

NIST Risk Assessment

The NIST Risk Management Framework (RMF) is a comprehensive guide to applying current risk management best practices. Integrating RMF with the system development lifecycle also contributes to improved management of information security risk. Each RMF task is aligned with various parts of the NIST CSF to facilitate migration to the broader framework. Learn more in our detailed guide to NIST risk assessment (coming soon).

NIST Privacy Framework

The NIST Privacy Framework can be used to measure and improve an organization’s privacy program. It is a set of controls that help organizations identify privacy risks in their processing environment, prioritize them, and allocate resources to mitigate those risks.

Privacy regulations also include technical and security elements, and the NIST Privacy Framework borrows controls from the NIST CSF where applicable. This helps companies already compliant with the NIST CSF to easily adopt the NIST Privacy Framework controls.

NIST Cyber Supply Chain Risk Management (C-SCRM)

The C-SCRM program helps organizations manage the growing risk of cybersecurity-related supply chain breaches, regardless of whether they are intentional.

This program involves the identification, assessment, and mitigation of risks associated with the decentralized and interconnected supply chain of ICT/OT services and products. It encompasses the entire system lifecycle, including design, build, deployment, maintenance, and retirement.

NIST Risk Management Framework (NIST RMF)

The risk management framework provides a process for integrating security, privacy, and cyber supply chain risk management practices into the system development lifecycle. A risk-based approach to selecting controls and specifications takes into account the constraints put into place by applicable laws, directives, executive orders, policies, standards, or regulations. 

Managing risk in your organization is critical to an effective information security and privacy program. The RMF approach can be applied to existing or new systems, any type of system or technology (IoT, control systems, etc.), and any organization size or sector.

Cynet’s 24/7 Incident Response Team: Supporting NIST Incident Response Processes

Cynet has an outsourced incident response team that anyone can use, including small, medium, and large organizations. The incident response team provides professional security staff who are equipped to carry out fast, effective incident response activities. 

Cynet can deploy the Cynet security platform in just minutes across hundreds to thousands of endpoints. The team can scan, identify, analyze and attend to threats before any harm is done. The Cynet incident response team can assist with:

  • 24/7 incident response—including identification, containment, eradication, and recovery
  • Deep forensic investigations—collecting data to determine the scope of an attack and who is accountable
  • Threat hunting—analyzing security data to proactively identify advanced threats
