NIST Framework
NIST Cybersecurity Framework (NIST CSF 2.0)
1. What is the NIST CSF?
The NIST Cybersecurity Framework is a voluntary guide to help organizations of all sizes identify, manage, and reduce cybersecurity risks. It is:
- Flexible and sector-neutral
- Based on existing standards
- Focused on cybersecurity outcomes, not tools or tech
2. CSF Core
The CSF Core is structured as:
- Functions (high-level cybersecurity outcomes)
- Categories (groupings of outcomes)
- Subcategories (specific outcomes)
- Identifiers (for tracking and reference)
CSF Core Table: Functions, Categories, and Identifiers
| Function | Category | Identifier |
|---|---|---|
| Govern (GV) | Organizational Context | GV.OC |
| Govern (GV) | Risk Management Strategy | GV.RM |
| Govern (GV) | Roles, Responsibilities, and Authorities | GV.RR |
| Govern (GV) | Policy | GV.PO |
| Govern (GV) | Oversight | GV.OV |
| Govern (GV) | Cybersecurity Supply Chain Risk Management | GV.SC |
| Identify (ID) | Asset Management | ID.AM |
| Identify (ID) | Risk Assessment | ID.RA |
| Identify (ID) | Improvement | ID.IM |
| Protect (PR) | Identity Management, Authentication, and Access Control | PR.AA |
| Protect (PR) | Awareness and Training | PR.AT |
| Protect (PR) | Data Security | PR.DS |
| Protect (PR) | Platform Security | PR.PS |
| Protect (PR) | Technology Infrastructure Resilience | PR.IR |
| Detect (DE) | Continuous Monitoring | DE.CM |
| Detect (DE) | Adverse Event Analysis | DE.AE |
| Respond (RS) | Incident Management | RS.MA |
| Respond (RS) | Incident Analysis | RS.AN |
| Respond (RS) | Incident Response Reporting and Communication | RS.CO |
| Respond (RS) | Incident Mitigation | RS.MI |
| Recover (RC) | Incident Recovery Plan Execution | RC.RP |
| Recover (RC) | Incident Recovery Communication | RC.CO |
Each Subcategory under these identifiers describes a more granular outcome and is numbered within its Category (e.g., GV.OC-01, PR.AA-03).
3. CSF Profiles
Profiles describe how an organization aligns with the CSF Core:
| Type | Description |
|---|---|
| Current Profile | Outcomes currently being achieved |
| Target Profile | Outcomes you aim to achieve |
| Community Profile | Shared goals for a sector or group |
How to Create a CSF Organizational Profile:
- Scope the Profile (e.g., org-wide, or specific systems)
- Gather information (policies, risks, stakeholders)
- Map to CSF Core (Current and/or Target)
- Analyze Gaps (compare Current vs Target)
- Plan & Act (prioritize and execute improvements)
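The five steps above are a procedure a practitioner usually ends up scripting: the Core identifiers become a fixed vocabulary, the Current and Target Profiles become data, and the gap analysis becomes a comparison. The following is an added example, not code from this page or from NIST. It encodes the Category identifiers from the Core table, validates Subcategory identifiers against them, scores each outcome on the four Tiers as a 1 to 4 scale (an assumption of this example; NIST does not prescribe per-outcome tier scoring), and returns the gaps sorted for the Plan & Act step. The sample profiles are constructed; GV.OC-01 and PR.AA-03 appear on the page, and the other "-01" suffixes are assumed for illustration.

```python
"""Gap analysis between a Current and a Target CSF 2.0 Organizational Profile.

Added example (not from the page or from NIST). Core category identifiers are taken
from the table above; the four Tiers are used as a 1..4 scale per outcome (assumption).
"""
import re
from dataclasses import dataclass

# Function -> Category identifiers, as listed in the CSF Core table above.
CSF_CORE = {
    "GV": ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"],
    "ID": ["ID.AM", "ID.RA", "ID.IM"],
    "PR": ["PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR"],
    "DE": ["DE.CM", "DE.AE"],
    "RS": ["RS.MA", "RS.AN", "RS.CO", "RS.MI"],
    "RC": ["RC.RP", "RC.CO"],
}
CATEGORY_IDS = {cat for cats in CSF_CORE.values() for cat in cats}

# Tier numbers used as the scoring scale for each outcome (assumption of this example).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Subcategory identifiers look like PR.AA-03: a Category identifier plus a two-digit suffix.
SUBCATEGORY_RE = re.compile(r"^([A-Z]{2}\.[A-Z]{2})-(\d{2})$")


def validate_identifier(identifier: str) -> str:
    """Return the Category (e.g. 'PR.AA') of a Subcategory identifier, or raise ValueError."""
    match = SUBCATEGORY_RE.match(identifier)
    if match is None or match.group(1) not in CATEGORY_IDS:
        raise ValueError(f"not a CSF 2.0 Subcategory identifier: {identifier!r}")
    return match.group(1)


def validate_tier(tier: int) -> int:
    """Reject scores outside the four Tiers so a typo cannot silently inflate a profile."""
    if tier not in TIERS:
        raise ValueError(f"tier must be one of {sorted(TIERS)}, got {tier!r}")
    return tier


@dataclass(frozen=True)
class Gap:
    identifier: str
    category: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current


def gap_analysis(current: dict[str, int], target: dict[str, int]) -> list[Gap]:
    """Step 4 of the procedure: compare Current vs Target, returning gaps sorted by size.

    An outcome in the Target Profile that is missing from the Current Profile counts as
    Tier 1 (Partial). Outcomes already at or above target produce no gap.
    """
    for ident, tier in current.items():
        validate_identifier(ident)
        validate_tier(tier)
    gaps = []
    for ident, tgt in target.items():
        category = validate_identifier(ident)
        cur = current.get(ident, 1)
        if validate_tier(tgt) > cur:
            gaps.append(Gap(ident, category, cur, tgt))
    return sorted(gaps, key=lambda g: (-g.size, g.identifier))


def gaps_by_function(gaps: list[Gap]) -> dict[str, int]:
    """Step 5 helper: total gap size per Function, largest first, to prioritise work."""
    totals: dict[str, int] = {}
    for gap in gaps:
        function = gap.category.split(".")[0]
        totals[function] = totals.get(function, 0) + gap.size
    return dict(sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])))


def format_report(gaps: list[Gap]) -> str:
    """Human-readable list of gaps, one outcome per line."""
    lines = [f"{g.identifier}: {TIERS[g.current]} -> {TIERS[g.target]} (gap {g.size})"
             for g in gaps]
    return "\n".join(lines) if lines else "no gaps: Current Profile meets Target Profile"


# Constructed sample profiles (tier per Subcategory). GV.OC-01 and PR.AA-03 appear on the
# page; the other "-01" suffixes are assumed for illustration.
CURRENT_PROFILE = {"GV.OC-01": 2, "PR.AA-03": 1, "DE.CM-01": 3, "RS.MA-01": 3}
TARGET_PROFILE = {"GV.OC-01": 3, "PR.AA-03": 4, "DE.CM-01": 3, "RS.MA-01": 2, "RC.RP-01": 3}

if __name__ == "__main__":
    found = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    print(format_report(found))
    print(gaps_by_function(found))
```

Two design points worth noting: an outcome that the Target Profile names but the Current Profile omits is scored as Partial rather than skipped, so scoping mistakes surface as gaps instead of disappearing; and a Current score above Target (RS.MA-01 in the sample) is deliberately not reported as a gap, since a Target Profile may legitimately accept a lower level for an outcome that is not a priority.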
4. CSF Tiers
Tiers reflect how mature your risk governance and management practices are:
| Tier | Maturity Description |
|---|---|
| Tier 1: Partial | Ad hoc processes, low awareness |
| Tier 2: Risk Informed | Risk-based decisions but not consistent |
| Tier 3: Repeatable | Documented and practiced organization-wide |
| Tier 4: Adaptive | Integrated, evolving, real-time risk management |