What is the NIST CSF?
The NIST Cybersecurity Framework CSF is a voluntary framework that provides guidance to help organizations manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices.
Although primarily intended for US critical infrastructure organizations, the Framework is flexible enough to be used by any organization anywhere in the world.
NIST CSF overview
The CSF contains three key components: the corse, the implementation tiers and the profiles.
The core is a set of activities, outcomes, and references that detail approaches to aspects of cybersecurity. The core has four elements: functions, categories, subcategories, and informative references.
The five Framework core functions describe the basic phases to achieve cybersecurity:
- Identify potential cybersecurity risks to your information assets
- Protect yourself against these risks by developing and implementing safeguards
- Detect any irregular activity to determine if breaches have occurred
- Respond to any detected breaches to contain their impact
- Recover from these breaches by restoring any undermined assets
Each function is divided into categories, which are the activities necessary to fulfil each function. These might include asset management, risk assessment, awareness and training, and detection processes.
Subcategories further subdivide categories, describing specific results of these activities that are necessary to fulfil each category.
Finally, informative references specify sources of best practice from a range of publications, including standards and guidelines. These describe methods or points of consideration to help achieve the outcomes of each subcategory (or control), and include ISO 27001, COBIT®, and NIST SP (Special Publication) 800-53.
Framework Implementation Tiers
Framework Implementation Tiers describe the sophistication of the organization’s cybersecurity measures on the basis of its risk management process, integrated risk management program, and external participation in risk management. The four tiers are partial, risk-informed, repeatable, and adaptive.
The Current profile
The current profile is a picture of an organization’s ongoing cybersecurity activities and their outcomes. It is an opportunity for an organization to clearly establish its current cybersecurity activities. The current profile can also be an effective way of communicating the organization’s cybersecurity posture internally or with external partners.
The Target profile
The target profile describes the organization’s intended destination for cybersecurity risk management activities. These destinations are strongly tied to the organization’s legal and regulatory requirements, contractual obligations, and business objectives.