What is the NIST CSF?
The Cybersecurity Framework (CSF) is a collection of standards, guidelines and best practices created and published by the National Institute of Standards & Technology (NIST).
It consists of three components: Implementation Tiers, the Core and Profiles.
Implementation Tiers help organizations determine their current and target level of risk management controls.
The Core consists of five functions that help reduce risk by offering a set of activities and outcomes to support an organization’s risk management objectives.
Lastly, Profiles are a way to perform a gap analysis between an organization’s desired level of risk management and the current implementation.
Implementation Tiers are a way for organizations to describe how closely their risk management practices match the Cybersecurity Framework. This largely depends on an organization’s resources and ability to implement risk management processes at scale.
Each function includes a set of activities that guide organizations on cybersecurity best practices that is further broken down into categories and subcategories. There are five functions: Identify, Protect, Detect, Respond and Recover.
Each function and its corresponding categories are described below.
Objective: understanding the organization’s existing assets, objectives and risk appetite
- Asset Management – Identify and document all assets that enable the organization to operate
- Business Environment – Understand and prioritize organizational mission & objectives
- Governance – Understand and document policies, procedures and processes related to regulatory or operational needs
- Risk Assessment – Identify potential risks to business operations
- Risk Management Strategy – Establish organizational priorities and risk tolerances to support operational decisions
- Supply Chain Risk Management – Establish organizational priorities and risk tolerances associated with its supply chain
Objective: Create the appropriate defenses to support organizational objectives
- Identity Management, Authentication and Access Control – Limit access to authorized users
- Awareness & Training – Offer cybersecurity education to personnel and partners
- Data Security – Protect the confidentiality, integrity and availability of information
- Information Protection Processes & Procedures – Define policies to protect systems & data
- Maintenance – Define processes for maintenance of information systems
- Protective Technology – Implement technical solutions to protect systems & data
Objective: Implement actions to detect cybersecurity incidents
- Anomalies and Events – Define processes for detecting and determining impact of anomalies
- Security Continuous Monitoring – Monitor systems and assets continuously to identify & verify effectiveness of security controls
- Detection Processes – Maintain and test methods for detecting anomalous events
Objective: Execute actions after a cybersecurity incident is detected
- Response Planning – Define and execute processes to respond to detected events
- Communications – Communicate and coordinate response with stakeholders
- Analysis – Conduct analysis to verify effectiveness of response
- Mitigation – Perform activities to prevent, mitigate or resolve the incident
- Improvements – Improve response activities by updating processes due to lessons learned
Objective: Restore capabilities, services or reputation after a cybersecurity incident
- Recovery Planning – Execute processes to recover after incident
- Improvements – Improve recovery planning activities after lessons learned
- Communications – Communicate and coordinate recovery with stakeholders
The CSF defines a 7-step process for how to use profiles to improve the organization’s cybersecurity posture:
- Prioritize and Scope
- Create a Current Profile
- Conduct a Risk Assessment
- Create a Target Profile
- Determine, Analyze, and Prioritize Gaps
If you’d like to learn more details about the Cybersecurity Framework (CSF), head over to the NIST website for official documentation, including a spreadsheet containing all of the categories and subcategories.