The National Institute of Standards and Technology’s Cybersecurity Framework (CSF) was published in February 2014 in response to Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which called for a standardized security framework for critical infrastructure in the United States.
The NIST CSF is recognized by many as a resource to help improve the security operations and governance for public and private organizations. While the NIST CSF is a terrific guideline for transforming the organizational security posture and risk management from a reactive to proactive approach, it can be a difficult framework to actually dive into and implement.
If you’re struggling to get through the NIST Cybersecurity Framework, a quick overview and summary of the framework can help you accelerate your security transformation.
Here’s a quick NIST Cybersecurity Framework Summary and detailed breakdown:
The NIST CSF is comprised of four core areas. These include Functions, Categories, Subcategories, and References. Below, we will provide a brief explanation of terminology for the NIST CSF.
The NIST CSF is organized into five core Functions, also known as the Framework Core. The Functions operate concurrently with one another to represent a security lifecycle. Each Function is essential to a well-operating security posture and successful management of cybersecurity risk. Definitions for each Function are as follows:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a security event.
- Respond: Develop and implement the appropriate activities when facing a detected security event.
- Recover: Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.
Categories & Subcategories
Across the Functions noted in the Figure above, there are twenty-one categories and over a hundred subcategories. The subcategories provide context to each category with reference to other frameworks such as COBIT, ISO, ISA, and others.
The Figure below is a small view of the Identify Function with its categories, subcategories, and references:
The NIST CSF Tiers represent how well an organization views cybersecurity risk and the processes in place to mitigate risks. This gives organizations a benchmark for their current operations.
- Tier 1 – Partial: Organizational cybersecurity risk is not formalized and is managed in an ad hoc and sometimes reactive manner. There is also limited awareness of cybersecurity risk management.
- Tier 2 – Risk-Informed: There may not be an organizational-wide policy for security risk management. Management handles cybersecurity risk management based on risks as they happen.
- Tier 3 – Repeatable: A formal organizational risk management process is followed by a defined security policy.
- Tier 4 – Adaptable: An organization at this stage will adapt its cybersecurity policies based on lessons learned and is analytics-driven to provide insights and best practices. The organization is constantly learning from the security events that do occur in the organization and will share that information with a larger network.
You can use the NIST CSF to benchmark your current security posture. Going through each category and subcategory in the core Functions can help you determine where you stand on the NIST CSF Tier scale.
Using the NIST Cybersecurity Framework is a great way to standardize your cybersecurity and risk management. It can also be used when your organization needs to benchmark its current security operations. If you need a quick self-assessment, try out CIPHER’s NIST Self-Assessment, which will guide you through each Function, Category, and Subcategory of the Framework.