What is the NIST Cybersecurity Framework (CSF)?

What is the NIST CSF?

The NIST Cybersecurity Framework (CSF) is a framework that provides guidance for managing cybersecurity risk based on existing standards, guidelines, and practices.

Although primarily intended for US critical infrastructure organizations, the NIST Framework is flexible enough to be used by any organization, anywhere in the world.

Implementing the Framework

The CSF can be used to review or improve an existing cybersecurity program or establish an entirely new one. It offers a relatively straightforward implementation process.

This pocket guide covers:

  • Advantages of implementing the NIST CSF
  • Detailed explanations of each of the CSF’s components
  • How you can integrate the CSF with other frameworks, including ISO 27001 and ISO 22301

Tailoring your CSF to your organization’s needs can help you manage cybersecurity threats effectively and efficiently.

NIST CSF overview

The CSF contains three key components: the core, the implementation tiers, and the profiles.

The core

The core is a set of activities, outcomes, and references that detail approaches to aspects of cybersecurity.

The core has four elements: functions, categories, subcategories, and informative references.

The five Framework core functions describe the basic phases to achieve cybersecurity:

  1. Identify potential cybersecurity risks to your information assets
  2. Protect yourself against these risks by developing and implementing safeguards
  3. Detect any irregular activity to determine if breaches have occurred
  4. Respond to any detected cybersecurity incidents to contain their impact
  5. Recover from these breaches by restoring any affected assets and capabilities

Each function is divided into categories, which are the activities necessary to fulfill each function.

These might include asset management, risk assessment, awareness and training, detection processes, and recovery planning.

Subcategories further subdivide categories, describing specific results of these activities that are necessary to fulfill each category.

Finally, informative references specify sources of best practice from a range of publications, including standards and guidelines.

These describe methods or points of consideration to help achieve the outcomes of each subcategory (or control), and include ISO 27001, COBIT®, and NIST SP (Special Publication) 800-53.

Framework Implementation Tiers

Framework Implementation Tiers describe the sophistication of the organization’s cybersecurity measures based on its risk management process, integrated risk management program, and external participation in risk management. The four tiers are partial, risk-informed, repeatable, and adaptive.

The Current profile

The current profile is a picture of an organization’s ongoing cybersecurity activities and outcomes.

It gives an organization the opportunity to document the cybersecurity activities it currently performs.

The current profile can also effectively communicate the organization’s cybersecurity posture internally or with external partners.

The Target profile

The target profile describes the outcomes the organization intends to achieve through its cybersecurity risk management activities.

These target outcomes are strongly tied to the organization’s legal and regulatory requirements, contractual obligations, and business objectives.

Learn more about the NIST CSF and how it compares to ISO 27001

Download our green paper to learn more about these two frameworks and how they can help protect your organization.

Free PDF download: Implementing Cybersecurity – The case for the NIST CSF

Learn about the benefits of implementing the NIST CSF

Download our green paper to learn more about the NIST CSF and how it can help protect your organization.
