What is the NIST CSF?
The NIST Cybersecurity Framework (CSF) is a framework that provides guidance for managing cybersecurity risk based on existing standards, guidelines, and practices.
Although primarily intended for US critical infrastructure organizations, the NIST Framework is flexible enough to be used by any organization anywhere globally.
NIST CSF overview
The CSF contains three key components: the core, the implementation tiers, and the profiles.
The core
The core is a set of activities, outcomes, and references that detail approaches to aspects of cybersecurity.
The core has four elements: functions, categories, subcategories, and informative references.
The five Framework core functions describe the basic phases to achieve cybersecurity:
- Identify potential cybersecurity risks to your information assets
- Protect yourself against these risks by developing and implementing safeguards
- Detect any irregular activity to determine if breaches have occurred
- Respond to any detected cybersecurity incidents to contain their impact
- Recover from these breaches by restoring any undermined assets
Each function is divided into categories, which are the activities necessary to fulfill each function.
These might include asset management, risk assessment, awareness and training, detection and recovery planning processes and procedures.
Subcategories further subdivide categories, describing specific results of these activities that are necessary to fulfill each category.
Finally, informative references specify sources of best practice from a range of publications, including standards and guidelines.
These describe methods or points of consideration to help achieve the outcomes of each subcategory (or control), and include ISO 27001, COBIT®, and NIST SP (Special Publication) 800-53.
Framework Implementation Tiers
Framework Implementation Tiers describe the sophistication of the organization’s cybersecurity measures based on its risk management process, integrated risk management program, and external participation in risk management. The four tiers are partial, risk-informed, repeatable, and adaptive.
The Current profile
The current profile is a picture of an organization’s ongoing cybersecurity activities and outcomes.
It is an opportunity for an organization to establish its current cybersecurity activities.
The current profile can also effectively communicate the organization’s cybersecurity posture internally or with external partners.
The Target profile
The target profile describes the organization’s intended destination for cybersecurity risk management activities.
These destinations are strongly tied to the organization’s legal and regulatory requirements, contractual obligations, and business objectives.