← Home

NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework (CSF) is a voluntary, risk-based framework developed by the National Institute of Standards and Technology (NIST) to help organizations manage and reduce cybersecurity risk.

It provides a common language for cybersecurity across all industries and organizations, regardless of size.

NIST Cybersecurity Framework
Figure – The six core functions of the NIST Cybersecurity Framework (CSF 2.0).

Overview

Objectives


Core Structure

The NIST CSF is built around six core functions (CSF 2.0).

1. Govern (GV)

Establish organizational cybersecurity governance.

Focuses on:

Key question:

Are we managing cybersecurity as part of business governance?

2. Identify (ID)

Understand what needs protection.

Activities include:

Key question:

What assets are important and what risks exist?

3. Protect (PR)

Implement safeguards to reduce the likelihood of cyber incidents.

Includes:

Key question:

How do we prevent cyber attacks?

4. Detect (DE)

Identify cybersecurity events as early as possible.

Activities include:

Key question:

Has something happened?

5. Respond (RS)

Take action once an incident occurs.

Includes:

Key question:

What do we do now?

6. Recover (RC)

Restore operations after an incident.

Activities include:

Key question:

How do we return to normal operations?

Framework Components

Core

The Core defines the six cybersecurity functions and the outcomes organizations should achieve.


Profiles

Profiles compare:

Profiles help organizations:


Tiers

Implementation Tiers describe how mature cybersecurity risk management is.

Tier 1 – Partial


Tier 2 – Risk Informed


Tier 3 – Repeatable


Tier 4 – Adaptive


Risk Management Process

Typical NIST CSF implementation:

  1. Understand business objectives
  2. Identify critical assets
  3. Assess cyber risks
  4. Select security controls
  5. Implement safeguards
  6. Monitor security continuously
  7. Respond to incidents
  8. Recover operations
  9. Review and improve

Benefits


Relationship with Other Standards

NIST CSF complements rather than replaces other cybersecurity standards.

Standard Purpose Relationship to NIST CSF
IEC 62443 Industrial Automation & Control Systems (OT) NIST CSF provides enterprise-level risk management; IEC 62443 provides detailed OT security requirements.
ISO/IEC 27001 Information Security Management System (ISMS) NIST CSF can be used to structure and assess an ISO 27001 security program.
ISO/IEC 27002 Security controls Provides detailed security controls that support NIST CSF outcomes.
CIS Controls Practical security controls Helps implement many of the Protect, Detect, and Respond functions.

Strengths


Limitations


Key Takeaways