NIST CSF (Cybersecurity Framework)
The CSF is a voluntary framework that provides guidance to help organizations manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices. Although primarily intended for US critical infrastructure organizations, the Framework is flexible enough to be used by any organization anywhere in the world.
Learn more about the NIST CSF >>
NIST CSF overview
The CSF contains three key components: the core, implementation tiers, and profiles.
The core is a set of activities, outcomes, and references that detail approaches to aspects of cybersecurity. The core has four elements: functions, categories, subcategories, and informative references.
The five Framework core functions describe the basic phases to achieve cybersecurity:
- Identify potential cybersecurity risks to your information assets
- Protect yourself against these risks by developing and implementing safeguards
- Detect any irregular activity to determine if breaches have occurred
- Respond to any detected breaches to contain their impact
- Recover from these breaches by restoring any undermined assets
Each function is divided into categories, which are the activities necessary to fulfil each function. These might include asset management, risk assessment, awareness and training, and detection processes.
Subcategories further subdivide categories, describing specific results of these activities that are necessary to fulfil each category.
Finally, informative references specify sources of best practice from a range of publications, including standards and guidelines. These describe methods or points of consideration to help achieve the outcomes of each subcategory (or control), and include ISO 27001, COBIT®, and NIST SP (Special Publication) 800-53.
The current profile is a picture of an organization’s ongoing cybersecurity activities and their outcomes. It is an opportunity for an organization to clearly establish its current cybersecurity activities. The current profile can also be an effective way of communicating the organization’s cybersecurity posture internally or with external partners.
The target profile describes the organization’s intended destination for cybersecurity risk management activities. These destinations are strongly tied to the organization’s legal and regulatory requirements, contractual obligations, and business objectives.
Framework Implementation Tiers describe the sophistication of the organization’s cybersecurity measures on the basis of its risk management process, integrated risk management program, and external participation in risk management. The four tiers are partial, risk-informed, repeatable, and adaptive.
Implementing the Framework
The CSF can be used to review or improve an existing cybersecurity program or to establish an entirely new one, and it offers a relatively straightforward implementation process.
Learn how to implement the NIST CSF with our pocket guide >>