NIST Cyber Security Framework

NIST CSF: Cybersecurity basics — Foundation of CSF

February 25, 2020 by Fakhar Imam


The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is all about the security of critical infrastructure. NIST SP 800-30, Rev. 1 defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

Why do we need NIST CSF? Cybersecurity risk can drive up a company’s costs, cut into its revenue and cost it customers. NIST CSF gives a business a structured way to make cybersecurity risk part of its overall risk management program.

In this article, we delve into the foundation of CSF: the framework’s fundamentals, risk management, supply chain risk management and continual improvement of a cybersecurity program, as well as how the framework is used and implemented. Want to understand the foundation of CSF? Here’s some help.

What are NIST Cybersecurity Framework fundamentals?

The NIST CSF uses business drivers to guide cybersecurity activities and treats cyber risk as part of the company’s overall risk management program. The framework helps an organization identify and prioritize the actions that reduce its cybersecurity risk. The framework has three parts:

  1. Framework core
  2. Implementation tiers
  3. Profiles

Framework core

The framework core is a set of cybersecurity activities, desired outcomes and applicable references that are common across all critical infrastructure sectors. It draws on industry standards, guidelines and best practices so that one set of cybersecurity activities and outcomes can be communicated across the company, from the executive level down to the operational or implementation level. The core has four elements:

  • Functions
  • Categories
  • Subcategories
  • Informative References

There are five Functions: Identify, Protect, Detect, Respond and Recover. They are not sequential steps; they are performed concurrently and continuously. Across the five Functions, CSF v1.1 defines 23 categories and 108 subcategories, with each category belonging to exactly one Function and each subcategory to exactly one category. Informative References map each subcategory to specific sections of existing standards and guidelines (for example ISO/IEC 27001 and NIST SP 800-53).

Implementation tiers

Implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics described in the framework, ranging from informal, reactive responses to approaches that are agile and risk-informed. They are meant to fit organizations of every size (small, medium or large), and a tier is not a maturity level: moving to a higher tier is encouraged only when the reduction in risk justifies the cost. The four tiers are:

  1. Tier 1 (Partial)
  2. Tier 2 (Risk Informed)
  3. Tier 3 (Repeatable)
  4. Tier 4 (Adaptive)

The profiles

A framework profile aligns the organization’s requirements, objectives, risk appetite and resources with the desired outcomes of the framework core. An organization builds a current profile (the outcomes it achieves today) and a target profile (the outcomes it needs to achieve), and comparing the two reveals the gaps it must close to strengthen its cybersecurity posture.

Risk management and NIST CSF

Risk management is the ongoing process of identifying, assessing and responding to cybersecurity risk. The framework expects organizations to understand both the likelihood of a risk event and the impact it would have, so they can set their risk tolerance and prioritize their cybersecurity activities accordingly.

Under the framework, risk management is what informs and prioritizes decisions about cybersecurity. The framework also supports recurring risk assessment and validation of business drivers, which help an organization choose target states for its cybersecurity activities that reflect its desired outcomes.

How is the framework implemented?

Two flows run through any organization: decision-making and the flow of information. The framework describes both across three organizational levels: the executive level, the business/process level and the implementation/operations level.

First, the executive level communicates mission priorities, available resources and overall risk tolerance to the business/process level, which uses this information as input to its risk management process.

The business/process level then works with the implementation/operations level to create a profile and communicate business needs. Progress against that profile flows back up from the implementation/operations level, and the business/process level uses it to conduct an impact assessment. Finally, the business/process level reports the outcome of the impact assessment to the executive level, which feeds the next round of risk management decisions.

How is the framework used?

Organizations are not required to replace their existing processes with the framework. Instead, they can map their existing processes onto the framework, which exposes the gaps in their current approach to cyber risk and gives them a roadmap for improvement.

How does the framework help in establishing or improving a cybersecurity program?

An organization can use the framework either to improve an existing cybersecurity program or to create a new one. The framework describes seven steps, repeated as needed, for continually improving the program:

  1. Prioritize and scope
  2. Orient
  3. Create the current profile
  4. Perform a risk assessment
  5. Create the target profile
  6. Determine, analyze and prioritize the gaps
  7. Implement the action plan
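Steps 3, 5 and 6 above (current profile, target profile, gap analysis) and the reporting back to the executive level described in the implementation section are easiest to see in a worked example. The Python below is an added illustration written for this article; it is not part of the NIST framework or of any NIST tool. The subcategory IDs are real CSF v1.1 identifiers, but the 0-4 scoring scale, the scores and the priority values are constructed sample data, since the framework itself prescribes no scoring scheme.

```python
"""Added example (not from the article or from NIST): a minimal
current-vs-target Profile comparison of the kind done in step 6,
"Determine, analyze and prioritize the gaps".

Subcategory IDs are real CSF v1.1 identifiers; the 0-4 scale, the
scores and the priorities are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed scale: 0 = not implemented ... 4 = fully implemented and measured.
MAX_LEVEL = 4


@dataclass(frozen=True)
class Outcome:
    subcategory: str   # CSF v1.1 subcategory ID, e.g. "PR.AC-1"
    current: int       # current profile score (constructed)
    target: int        # target profile score (constructed)
    priority: int      # 1 = highest mission priority, set by the executive level


# Constructed sample profile, one or two subcategories per Function.
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", current=2, target=3, priority=2),
    Outcome("ID.SC-1", current=0, target=3, priority=1),
    Outcome("PR.AC-1", current=1, target=4, priority=1),
    Outcome("PR.DS-1", current=3, target=3, priority=2),
    Outcome("DE.CM-1", current=1, target=3, priority=1),
    Outcome("RS.RP-1", current=2, target=4, priority=3),
    Outcome("RC.RP-1", current=2, target=2, priority=3),
]


def validate(profile):
    """Reject scores outside the scale and targets below the current state."""
    for o in profile:
        if not (0 <= o.current <= MAX_LEVEL and 0 <= o.target <= MAX_LEVEL):
            raise ValueError(f"{o.subcategory}: score outside 0..{MAX_LEVEL}")
        if o.target < o.current:
            raise ValueError(f"{o.subcategory}: target below current profile")


def gap_analysis(profile):
    """Return (subcategory, gap_size) pairs ordered by mission priority,
    then largest gap first. Outcomes already at target are dropped."""
    validate(profile)
    keyed = [(o.priority, -(o.target - o.current), o.subcategory, o.target - o.current)
             for o in profile if o.target > o.current]
    return [(sub, gap) for _prio, _neg, sub, gap in sorted(keyed)]


def function_rollup(profile):
    """Per-Function summary for the report to the executive level.
    The Function is the two-letter prefix of the subcategory ID."""
    summary = defaultdict(lambda: {"outcomes": 0, "with_gap": 0, "gap_points": 0})
    for o in profile:
        s = summary[o.subcategory.split(".")[0]]
        s["outcomes"] += 1
        if o.target > o.current:
            s["with_gap"] += 1
            s["gap_points"] += o.target - o.current
    return dict(summary)


if __name__ == "__main__":
    for sub, gap in gap_analysis(SAMPLE_PROFILE):
        print(f"{sub}: close gap of {gap} level(s)")
    for func, s in sorted(function_rollup(SAMPLE_PROFILE).items()):
        print(f"{func}: {s['with_gap']}/{s['outcomes']} outcomes with gaps, "
              f"{s['gap_points']} gap points")
```

Running the module prints the prioritized gap list and the per-Function roll-up. Ordering by mission priority first and gap size second is one reasonable choice; a real action plan would also weigh cost and the resources communicated by the executive level, which the framework leaves to the business/process level to decide.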

Which stakeholders are required to communicate cybersecurity requirements?

Critical infrastructure depends on products and services supplied by many interdependent parties, and cybersecurity requirements have to be communicated among all of them. The framework provides a common language that makes this communication possible. Examples of stakeholders named by the framework include:

  • The owner or operator of the critical infrastructure
  • External service providers, such as a cloud provider to which the organization sends its data

Why is the management of the supply chain necessary?

The supply chain is critical to any organization because it is what delivers products and services to the end user. Unfortunately, the supply chain also brings cybersecurity risk. To address it, the framework includes cyber Supply Chain Risk Management (SCRM): the set of activities needed to manage the cybersecurity risk posed by the third parties in the supply chain.

An SCRM program enables the organization to:

  • Determine the cybersecurity requirements for its suppliers
  • Enact those requirements through formal agreements and contracts (e.g., SLAs, NDAs)
  • Communicate with suppliers about how the requirements will be verified and validated
  • Verify that the requirements are met, using appropriate assessment methodologies
  • Govern and manage the activities above

The bottom line (conclusion)

In today’s digital world, cyber threats are front and center, and managing cybersecurity risk is essential to avoid financial and reputational damage. Organizations do better when they build or improve their cybersecurity plans on widely adopted standards and frameworks. The NIST Cybersecurity Framework (CSF) is one such framework: a voluntary set of activities an organization can use to create or strengthen its cybersecurity posture.

In this article, we explored the foundations of NIST CSF, including the framework’s fundamentals, risk management and supply chain risk management, as well as how the framework is used and implemented.

Sources

  1. Critical infrastructure, NIST
  2. Framework for Improving Critical Infrastructure Cybersecurity, NIST
  3. NIST Cybersecurity Framework (NCSF) Foundation, ProTech

Fakhar Imam is a professional writer who holds a Master of Science in Information Technology (MIT). To date, he has written articles on a variety of topics, including computer forensics, CISSP and various other IT-related subjects.