
What Is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (NIST CSF) provides guidance for companies, government agencies and other organizations to manage cybersecurity risks.

01

NIST Cybersecurity Framework: A Definition

The NIST Cybersecurity Framework (CSF) is a guide for organizations looking to improve their cybersecurity and effectively manage risk. Developed by the National Institute of Standards and Technology (NIST), it provides a flexible and scalable approach that is suitable for organizations of all sizes and industries - regardless of their current cybersecurity maturity level. The framework is voluntary and provides an overview of best practices without prescribing how outcomes should be achieved.

02

What Are the Specific Goals of the NIST Cybersecurity Framework?

The main goal of the NIST CSF is to provide comprehensive support to organizations in improving their cybersecurity. In detail, you can use it to:

  1. Develop a more accurate picture of your cyber security level:

    The framework helps organizations to accurately assess their current cybersecurity situation. It provides a structured method for the inventory of systems, processes and risks, giving organizations a clear understanding of their security situation.

  2. Set goals and priorities for improving cybersecurity:

    Based on the inventory, the CSF allows the definition of concrete, measurable goals to strengthen cybersecurity. It helps companies to set priorities and develop a structured plan for continuous improvement.

  3. Create a common language for cybersecurity:

    The CSF provides a standardized terminology and structure for cybersecurity. This facilitates communication about risks and protective measures between different departments, organizations, industries or regulatory authorities, leading to better understanding and more effective collaboration on security issues.

03

How Is the NIST Cybersecurity Framework Structured?

The NIST Cybersecurity Framework was designed to be a living document that is refined, improved, and evolved over time to keep pace with technology and threat trends and to incorporate new lessons learned.

The first version of the Cybersecurity Framework (CSF 1.0) was published in 2014 and updated in 2018 (CSF 1.1). It was primarily aimed at operators of critical infrastructure. To keep pace with the constantly evolving cybersecurity landscape and to broaden the range of applications, NIST began developing a new version in 2022.

The NIST CSF 2.0 (PDF) was published in February 2024. It still consists of three main components: the Core, Organizational Profiles and Tiers. One new aspect is the greater consideration of topics such as cloud security, supply chain risks and threats associated with artificial intelligence (AI) and the Internet of Things (IoT). CSF 2.0 also focuses more on the relationship between cybersecurity and data protection as well as the development of cyber-resilient systems that not only prevent attacks but also ensure rapid recovery after security incidents.

NIST CSF Timeline

What Are the Core Components of the NIST Cybersecurity Framework?

The core of the framework defines six central functions that cover the entire cybersecurity management lifecycle.

Govern

The organization’s cybersecurity risk management strategy, expectations and policy are established, communicated and monitored.

Identify

The organization’s current cybersecurity risks are understood.

Protect

Safeguards to manage the organization’s cybersecurity risks are used.

Detect

Possible cybersecurity attacks and compromises are found and analyzed.

Respond

Actions regarding a detected cybersecurity incident are taken.

Recover

Assets and operations affected by a cybersecurity incident are restored.

The six functions are divided into 22 categories and more than 100 subcategories that describe specific cybersecurity activities and outcomes. These are formulated to be understood by a wide audience with varying levels of cybersecurity expertise - from IT managers to CEOs. Because the outcomes are sector-, country- and technology-neutral, they give an organization the flexibility it needs to address its unique risks, technologies and mission considerations.

The Security-as-a-Service solutions from Myra provide reliable protection for your IT infrastructure and web applications against cyberthreats. Secure your critical business processes in a proactive, sustainable and legally compliant manner.

05

How Can NIST CSF Organizational Profiles Be Created and Used?

The organizational profiles allow companies to adapt the NIST CSF to their specific requirements and risk assessments. The profiles can be used to describe the current state of cybersecurity (“current profile”) and the desired target state (“target profile”). The comparison of these profiles helps to identify opportunities for improvement and the continuous optimization of the security level.

The NIST CSF 2.0 recommends the following steps for creating and using an organizational profile:

  1. Define scope: Define the scope, such as one profile for the entire organization or multiple profiles for specific systems or mitigation of specific threats.

  2. Gather information: Gather relevant information such as organizational policies, risk management priorities and resources, business impact analysis, cybersecurity requirements and standards, and role distribution.

  3. Create profiles: Create a current profile and a target profile based on the information gathered. Consider the risk implications of the current profile when planning and prioritizing the target profile.

  4. Analyze gaps and create an action plan: Identify gaps between the current and target profiles (gap analysis) and develop a prioritized action plan to close these gaps.

  5. Implement action plan and update profile: Implement the action plan to eliminate gaps and achieve the target profile. The organizational profile should then be updated accordingly and the whole process continuously repeated.

The organizational profiles are also useful for documenting and communicating the organization's cybersecurity level and improvement opportunities to business partners or potential customers. Furthermore, a target profile can be used to formulate the organization's cybersecurity risk management requirements and expectations towards suppliers, partners and other third parties.

06

What Tiers Does the NIST CSF Include?

The NIST Cybersecurity Framework includes four tiers that can be applied to organizational profiles. These tiers provide a framework for organizations to assess the current maturity of their cybersecurity practices and set goals for improvement. The tiers are defined as follows:

07

What You Need to Know About the NIST Cybersecurity Framework

The NIST Cybersecurity Framework provides organizations with a powerful and customizable instrument to strengthen their cybersecurity. With its methodical approach, it enables the systematic identification, assessment and reduction of cyber risks. The six core functions (Govern, Identify, Protect, Detect, Respond and Recover) cover all important aspects of cybersecurity.

Companies that want to improve their digital resilience will find the NIST CSF a helpful tool. Beyond simply providing guidance on how to implement protective measures, it promotes a holistic understanding of cybersecurity. This integrative approach includes all organizational levels and thus creates a robust security structure.