NIST Cybersecurity Framework (CSF)
Overview
The NIST Cybersecurity Framework is a set of computer security guidance, organized as a policy framework, that organizations use to assess and improve their ability to prevent, detect, and respond to cyber attacks.
Framework Core
The CSF is organized around five core functions:
| Function | Purpose | Key Activities |
|---|---|---|
| Identify | Understand cybersecurity risk | Asset management, risk assessment |
| Protect | Implement safeguards | Access control, training, data security |
| Detect | Identify security events | Monitoring, anomaly detection |
| Respond | Take action on incidents | Response planning, communications |
| Recover | Restore capabilities | Recovery planning, improvements |
Framework Components
1. Framework Core
The Core groups cybersecurity outcomes into categories, each of which is further broken down into subcategories. The categories under each function are:
Identify (ID)
- Asset Management (ID.AM)
- Business Environment (ID.BE)
- Governance (ID.GV)
- Risk Assessment (ID.RA)
- Risk Management Strategy (ID.RM)
Protect (PR)
- Access Control (PR.AC)
- Awareness and Training (PR.AT)
- Data Security (PR.DS)
- Information Protection (PR.IP)
- Maintenance (PR.MA)
- Protective Technology (PR.PT)
Detect (DE)
- Anomalies and Events (DE.AE)
- Security Continuous Monitoring (DE.CM)
- Detection Processes (DE.DP)
Respond (RS)
- Response Planning (RS.RP)
- Communications (RS.CO)
- Analysis (RS.AN)
- Mitigation (RS.MI)
- Improvements (RS.IM)
Recover (RC)
- Recovery Planning (RC.RP)
- Improvements (RC.IM)
- Communications (RC.CO)
2. Implementation Tiers
Tiers describe how rigorous an organization's cybersecurity risk management practices are:
| Tier | Name | Description |
|---|---|---|
| 1 | Partial | Ad hoc, reactive |
| 2 | Risk Informed | Risk-aware but not organization-wide |
| 3 | Repeatable | Formal policies, regularly updated |
| 4 | Adaptive | Continuous improvement, predictive |
3. Framework Profiles
Profiles align cybersecurity activities with business requirements:
- Current Profile - Where you are now
- Target Profile - Where you want to be
- Gap Analysis - Difference between current and target
Using NIST CSF
Step 1: Prioritize and Scope
- Identify business objectives
- Determine systems in scope
- Establish risk tolerance
Step 2: Orient
- Identify related systems and assets
- Determine regulatory requirements
- Identify threats and vulnerabilities
Step 3: Create Current Profile
- Assess current cybersecurity state
- Map to Framework categories
- Document gaps
Step 4: Conduct Risk Assessment
- Analyze threats and vulnerabilities
- Determine likelihood and impact
- Prioritize risks
Step 5: Create Target Profile
- Define desired cybersecurity outcomes
- Consider business drivers
- Set improvement goals
Step 6: Determine Gaps
- Compare current and target profiles
- Prioritize gaps
- Plan remediation
Step 7: Implement Action Plan
- Execute improvement initiatives
- Monitor progress
- Update profiles
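The Profiles section above and Steps 3 through 6 describe one procedure: score the current state per category, define the target state, compute the difference, and prioritize it using the risk assessment. The following script is an added example, not part of the original page or of NIST's own material, that carries this procedure through on constructed sample data. It assumes a per-category maturity score from 0 to 4 (loosely mirroring the Implementation Tiers; the CSF itself assigns tiers to the organization, not to individual categories) and a per-category risk weight from 1 to 3 standing in for the output of Step 4. The category identifiers are the CSF 1.1 ones listed above; all scores and weights are made up for illustration.

```python
"""Added example: a minimal NIST CSF gap analysis (not from the original page).

Assumptions (not defined by the CSF itself):
  * each category gets a maturity score 0..4, loosely mirroring the
    Implementation Tiers (0 = not addressed, 4 = Adaptive);
  * a risk weight per category (1 = low, 3 = high), standing in for the
    Step 4 risk assessment, is used to rank the gaps.
Category identifiers (ID.AM, PR.AC, ...) are the CSF 1.1 ones.
"""
from dataclasses import dataclass

# Constructed sample Current Profile (Step 3): maturity score per category.
CURRENT = {
    "ID.AM": 2, "ID.RA": 1, "PR.AC": 2, "PR.DS": 1, "PR.AT": 3,
    "DE.CM": 1, "DE.AE": 1, "RS.RP": 2, "RC.RP": 1,
}
# Constructed sample Target Profile (Step 5).
TARGET = {
    "ID.AM": 3, "ID.RA": 3, "PR.AC": 4, "PR.DS": 3, "PR.AT": 3,
    "DE.CM": 3, "DE.AE": 3, "RS.RP": 3, "RC.RP": 3,
}
# Constructed risk weights from Step 4 (higher = more consequential if unmet).
RISK_WEIGHT = {
    "ID.AM": 2, "ID.RA": 2, "PR.AC": 3, "PR.DS": 3, "PR.AT": 1,
    "DE.CM": 3, "DE.AE": 2, "RS.RP": 2, "RC.RP": 2,
}


@dataclass(frozen=True)
class Gap:
    category: str
    current: int
    target: int

    @property
    def function(self) -> str:
        # "PR.AC" -> "PR": the core function the category belongs to
        return self.category.split(".")[0]

    @property
    def delta(self) -> int:
        # How many maturity steps separate current from target
        return self.target - self.current

    def priority(self, weight: int) -> int:
        # A larger gap on a riskier category ranks first
        return self.delta * weight


def gap_analysis(current, target, weights):
    """Step 6: compare the two profiles and return gaps, highest priority first.

    Categories already at or above target produce no gap. A target category
    with no current score is a data error in the Current Profile.
    """
    missing = set(target) - set(current)
    if missing:
        raise ValueError(f"Current profile has no score for: {sorted(missing)}")
    gaps = [Gap(cat, current[cat], tgt) for cat, tgt in target.items()
            if tgt > current[cat]]
    return sorted(gaps, key=lambda g: (-g.priority(weights.get(g.category, 1)), g.category))


def summarize_by_function(gaps):
    """Sum of maturity deltas per core function (ID/PR/DE/RS/RC)."""
    totals = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.delta
    return totals


if __name__ == "__main__":
    ranked = gap_analysis(CURRENT, TARGET, RISK_WEIGHT)
    for g in ranked:
        print(f"{g.category}: {g.current} -> {g.target} "
              f"(gap {g.delta}, priority {g.priority(RISK_WEIGHT[g.category])})")
    print("Per-function gap totals:", summarize_by_function(ranked))
```

The ranked list is the input to Step 7: the top entries (here the Detect and Protect categories with the largest weighted gaps) become the first improvement initiatives, and re-running the script with updated scores after each initiative is the "update profiles" step.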
Benefits
- Flexible - Adaptable to any organization
- Risk-based - Focuses on actual risks
- Voluntary - No mandatory requirements
- Common language - Shared terminology
- Widely adopted - Industry standard
Resources
- NIST CSF Official Site
- NIST SP 800-53 (Detailed Controls)
- NIST SP 800-171 (CUI Protection)