NIST Cyber Security Framework

Navigating the NIST Cybersecurity Framework for optimal cybersecurity

A structured approach is essential to effectively combat the rising tide of complex and diverse cyber threats. A comprehensive framework encompassing all aspects of cybersecurity — such as asset identification and protection, threat detection and response and incident recovery — can help manage and minimize cybersecurity risks. This is where NIST plays a crucial role.

Learn more about the foundation of the NIST Cybersecurity Framework (NIST CSF), including NIST CSF fundamentals, risk management, supply chain, cybersecurity improvement and usage and implementation of the framework. 

What does NIST stand for, and what is the purpose of the NIST?

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides guidance and best practices for securing information systems and managing cybersecurity risks. NIST developed the CSF as a voluntary framework for organizations to improve cybersecurity. The NIST CSF provides core functions, categories and subcategories that help organizations embrace and execute cybersecurity.

By implementing the NIST standards, organizations can better protect their systems, data and operations. The framework is flexible and scalable, so organizations of all sizes and sectors can adapt it to their needs and risk profiles. The NIST Cybersecurity Framework is a valuable resource for organizations that want to build a robust cybersecurity foundation and enhance their overall cyber resilience.

Note: Want to learn more about the NIST CSF? Take our on-demand NIST CSF Learning Path.

What is the NIST definition of cybersecurity?

NIST designed the CSF to protect critical infrastructure and enhance cybersecurity. Let’s explore these terms, as defined by NIST:

• Cybersecurity: “The process of protecting information by preventing, detecting and responding to attacks.”
• Critical infrastructure: “System and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

What is the NIST 800 53 framework?

NIST SP 800-53, also known as "Security and Privacy Controls for Information Systems and Organizations," provides a comprehensive catalog of security controls and associated guidelines for federal information systems and organizations.

The security controls in NIST SP 800-53 are organized into families based on common functionality or objectives. Each control family contains individual security controls, associated supplemental guidance and implementation details. The controls are designed to be flexible and customizable, allowing organizations to tailor their security posture to their specific needs and risk environment. They outline or form the base for other frameworks, such as NIST 800-171.

NIST SP 800-53 is updated and revised to address emerging cybersecurity challenges and technologies. It is recognized as one of the most comprehensive and authoritative references for security and privacy controls and is widely adopted by government agencies, contractors and organizations as a framework for effective information security management. 

What are the three main components of the NIST framework?

The NIST CSF uses business drivers to guide cybersecurity operations and considers cyber risks as part of the company’s risk management program. The framework helps in identifying and prioritizing actions for mitigating cybersecurity risks. There are three parts of this framework:

1.     Framework core

2.     Implementation tiers

3.     Profiles 

Framework core

The framework core is a term that refers to various cybersecurity operations, desired results and applicable references that are common for all categories of critical infrastructure. Moreover, the framework core offers guidelines, best practices and industry standards that enable communication of cybersecurity activities and outcomes across the company from the management to the operational or implementation levels. The core incorporates three parts:

• Functions
• Categories
• Subcategories

Implementation tiers

Implementation tiers are designed to meet the varied cybersecurity requirements of every type of organization (e.g., small, medium and large). In fact, they define the degree to which an organization’s cybersecurity risk management practices exhibit characteristics elaborated in the NIST CSF. Below are 1-4 ranges of the implementation tiers:

1.     Tier 1 (Partial)

2.     Tier 2 (Risk Informed)

3.     Tier 3 (Repeatable)

4.     Tier 4 (Adaptive)

The profiles

Framework profiles help achieve the framework core's desired outcomes. This is done by aligning the organization’s requirements, objectives, risk appetite and resources against the desired outcomes of the framework core. As a result, the organization can beef up its cybersecurity posture by comparing a current profile with the target profile.

Learn more about the three main NIST components.

What are the five core functions of NIST cybersecurity?

There are five core functions in the NIST framework. These recommended activities are designed as guidance to help organizations manage and improve cybersecurity:

1. Identify: This includes identifying and documenting key resources, establishing a risk management strategy and understanding potential vulnerabilities and threats.
2. Protect: Implementing safeguards includes access controls, awareness training, data encryption, secure configurations and implementing protective technologies.
3. Detect: Continuous monitoring and timely identification include establishing monitoring processes, implementing intrusion detection systems, analyzing network traffic and conducting security assessments to detect and respond to potential threats and vulnerabilities.
4. Respond: Response activities include establishing incident response plans, defining roles and responsibilities, conducting incident investigations and executing response actions to minimize the impact of security incidents.
5. Recover: Restoring the capabilities and services affected by a cybersecurity incident can include developing and implementing recovery plans, conducting system backups, performing system and data restoration and analyzing lessons learned.

These functions are split into 23 categories and 108 subcategories, which are separate and distinct from one another for each function.

NIST RMF vs. NIST CSF

The NIST CSF suggests organizations must anticipate future risk and its potential long-term impact. This is a crucial part of risk management, a continual process that cybersecurity professionals use to identify, assess and respond to cybersecurity risks. However, the NIST CSF should not be confused with the NIST Risk Management Framework (RMF).

The NIST RMF is utilized by the federal government and is a framework specific to the federal government's risk management practices. The NIST CSF is intended to assist organizations in determining their risk tolerance capacities and prioritizing cybersecurity activities based on those risks.

While both frameworks are important for managing risk and ensuring cybersecurity, the NIST RMF is more focused on process (and is not aimed at the private sector), and the NIST CSF is more focused on guidelines and best practices.

Note: Want to learn more about the NIST RMF? Take our on-demand NIST RMF Learning Path.

How is the framework implemented?

There are two important elements in any organization: decision-making and the flow of information. These are implemented at different organizational levels that include:

• Executive
• Business/process
• Implementation/operations.

The executive level makes the business/process level aware of the risk tolerance, available resources and mission priorities. The business/process level uses this information for risk management.

The business/process level then works with the implementation/operation level to create a profile and communicate business needs. Next, the business/process level uses profile implementation progress to conduct the impact assessment. Lastly, the business/process level reports the impact assessment’s outcomes to the executive level.

How is the NIST framework used?

The NIST CSF is designed to be both voluntary and flexible. Organizations are not required to replace their current processes with the framework. Instead, they can overlay their existing practices into the NIST framework. In this way, they determine gaps in the current cyber risks approach and develop a roadmap to improvement.

How does the framework help in establishing or improving a cybersecurity program?

Using the framework, an organization can either improve its cybersecurity program or create a new one. Below are seven recurring NIST steps to continually improve cybersecurity programs:

1.     Prioritize and scope

2.     Orient

3.     Create the current profile

4.     Perform a risk assessment

5.     Create the target profile

6.     Determine, analyze and prioritize the gaps

7.     Implement the action plan 

Which stakeholders are required to communicate cybersecurity requirements?

Potential stakeholders in accordance with the framework include:

• The owner or operator of the critical infrastructure
• External service providers, such as the cloud provider to whom the organization is exporting data

Stakeholders are required to provide essential products and services that are necessary for critical infrastructure. The framework provides a common language for all interdependent stakeholders to communicate cybersecurity requirements.

Why is the management of the supply chain necessary?

The supply chain is one of the critical components in any organization as it ensures the successful delivery of services and products to the end user. Unfortunately, the supply chain also involves cybersecurity risks. To deal with this problem, the framework recommends the Supply Chain Risk Management (SCRM) system, which includes various activities needed to manage cybersecurity risks the third parties involved in the supply chain process poses.

The SCRM will be able to:

• Determine the suppliers’ cybersecurity requirements
• Sign agreements and contracts (e.g., SLA, NDA) to enact cybersecurity requirements
• To verify and validate cybersecurity requirements, communicate with the suppliers
• Assessment methodologies are used to verify that cybersecurity requirements are fulfilled
• Govern and manage the above-said activities

Get NIST CSF training

Build your understanding of the NIST Cyber Security Framework with seven courses taught by Ross Casanova.

Get Started

The bottom line

In today’s digital world, cyber threats are at the fore, and the NIST CSF is an important tool that organizations can use to defend themselves against those threats — from cybercriminals groups to nation-state actors. The NIST CSF is a standard all organizations should consider when evaluating how to improve their cyber defense and limit their cyber risk.

Learn more about risk management with NIST self-assessment.