Whether you are in a similar position or are seeking to learn more about one of the most comprehensive security frameworks, the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) is one of the best resources to begin with. Chartered under the United States Department of Commerce, NIST’s mission is to promote innovation and competitiveness across all industries. It releases frameworks to encourage sharing best practices across a range of domains, with the CSF being just one of several.  The NIST Cybersecurity Framework was first published in 2014 in response to a February 2013 Executive Order and was written for executives, auditors, board members and security professionals in mind, developed collaboratively by government, academia, the private sector and cybersecurity professionals. In practice, the CSF focuses on building “cyber resiliency” within organizations, helping them to be proactive and prepared for cyberthreats instead of only being in a reactive stance. And on May 11, 2017, Executive Order 13800 required all federal government agencies to use the CSF and all those that do business with them.  The Executive Order also introduced a new version of the CSF and includes a new methodology to “protect individual privacy and civil liberties” during the implementation of cybersecurity protocols. These changes are likely to increase the number of organizations using the CSF from the estimated 30 percent identified in 2015.

Cybersecurity framework overview

Unlike other frameworks, the CSF was not developed by NIST to be a standalone, end-to-end solution for an organization wishing to implement and maintain a cybersecurity program. In fact, the CSF isn’t even meant to be a checklist or evaluative tool used to determine the level of security an organization has in place.  Instead, the CSG is made to be used alongside other cybersecurity policy and management frameworks like COBIT, NIST SP 800-53, ISO 27000 and ANSI/ISA 62443, offering a risk-based approach to managing risk. When used alongside another best practices framework, the CSF helps to provide additional perspectives, guidance and compliance approaches that these other standards may not cover for each organization’s particular situation.  In terms of structure, the CSF has three main parts: the core, tiers and profiles. Each of these will be briefly introduced in this article but will be explored in far more depth as we continue with the Infosec Skills NIST CSF program series. 

Framework core

The main body of the CSF includes the framework’s five functions, goals or core components. These five functions are: Identify, Protect, Detect, Respond and Recover. Each of these five core components are further divided into categories, subcategories, outcomes and informative references or controls. In sum, there are 22 categories, 98 subcategories, 125 outcomes and 287 references that make up the CSF.  When presented as a whole, these core components can be a helpful way to define, evaluate and maintain a security program and the related policies and tools needed to implement it. The Framework Core is also written to be common across all industries and critical infrastructure sectors. 

Framework implementation tiers

There are four framework implementation tiers within the CSF: Partial, Risk-Informed, Repeatable and Adaptive. While not formally defined as levels of maturity, these tiers are helpful for organizations to provide milestones that can be used to evaluate how cybersecurity is prioritized, how risk is managed, and if the necessary processes are in place to maintain relevance and mitigate risk overtime. However, the NIST organization believes these tiers should not be something that organizations just use to try to race to the highest level, checking off compliance with categories and outcomes as fast as possible. Instead, because organizations have varying budgets, compliance standards and other resource constraints, NIST (through the CSF) is attempting to identify the key best practices and components that need to be in place, achieved in a manner and order that best aligns with organizational abilities and needs.  Furthermore, the CSF should actually be used as part of a cyclical or iterative exercise to continually evaluate an organization’s risk environment and verify controls they have in place are able to properly mitigate them. In short, organizations in tier 1 (partial) would include those with processes, positions and tools in place, but in an inconsistent manner without much enterprise or leadership involvement. Movement from tier 1 (partial) to tier 2 (risk-informed), for example, would involve more management involvement in setting priorities, evaluating risk and introducing accountability for when standards fall short of criteria. Tier 3 (repeatable) organizations are those that have comprehensive, customized and organization-wide policies in place that are funded, supported by management and used to evaluate business decisions. 

Framework profiles

Because not every organization is the same, NIST recommends that their CSF be customized to meet their business environment according to what NIST refers to as profiles. These framework profiles are used to capture a “current state,” which describes the cybersecurity activities and what outcomes they are achieving to form a baseline which future changes can be evaluated against.  As organizations make progress with implementing the CSF, organizations then compare their new baselines or profiles — including activities and outcomes — against their previous baseline. Organizations can also use one of several NIST-provided, industry-specific target profiles to guide their development and define next steps along the tiers. Ultimately, the use of profiles within the CSF helps organizations to align their cybersecurity budget, activities, risk tolerance and requirements against the functions laid out in the Framework Core.

Conclusion: Bringing it all together

As mentioned previously, the CSF is not a one-size-fits-all or one-time cybersecurity exercise. Just as every organization operates differently and works in a unique environment, their risks, tolerances, vulnerabilities and resources will continuously change and evolve.  Therefore, the CSF can be used alongside other cybersecurity best practices to help to organize and simplify the management of cyber risk, with new versions being released by NIST as lessons learned and new techniques are captured. These lessons and techniques may include, for example, expected additions of considerations for the Internet of Things.   


NIST Releases Draft Security Feature Recommendations for IoT Devices, NIST Cybersecurity “Rosetta Stone” Celebrates Two Years of Success, NIST NIST Releases Version 1.1 of its Popular Cybersecurity Framework, NIST Executive Order — Improving Critical Infrastructure Cybersecurity, obamawhitehouse.archives.gov How Soon Until the Next Ransomware Catastrophe?, The Atlantic Deloitte hit by cyber-attack revealing clients’ secret emails, The Guardian Target to pay $18.5M for 2013 data breach that affected 41 million consumers, USA Today NIST Cybersecurity Framework, NIST Cybersecurity Framework Core, NIST What’s New in NIST Cybersecurity Framework v1.1, Expel