The Complete Guide to the NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a widely used reference point for organizations looking to review their security practices, establish a cybersecurity program or make informed buying decisions for security software. In this article, we’ll walk you through the five functions of the NIST Cybersecurity Framework, compare the framework to standards like SP 800-53, SP 800-171 and ISO 27001, and explain how you can use the NIST CSF in your organization.

Basics: What Is the NIST Cybersecurity Framework?

The Cybersecurity Framework is a guideline published by the National Institute of Standards and Technology (NIST) to help organizations who want to assess their current level of security or set targets to improve cybersecurity. It also provides a common reference point for talking about cybersecurity risks and safety measures. Originally targeted at critical infrastructure providers, the NIST Cybersecurity Framework has been widely adopted by businesses, public bodies and government agencies.

At its core, the NIST CSF covers 5 key functions that an organization’s cybersecurity program should address: Identify, Protect, Detect, Respond, Recover. These five areas are subdivided into categories (larger topics such as Asset Management or Detection Processes) and subcategories (specific requirements such as “Response and recovery plans are tested”). To assess how well your business meets these targets, the framework measures successful implementation of these criteria in 4 tiers.

NIST CSF Tier Overview:

  • Tier 1: Partial – Limited risk awareness, risk management is not formalized, cybersecurity activities are ad-hoc, irregular and not informed by business requirements or current threats.

  • Tier 2: Risk Informed – Organizational risk awareness, but no formal policy or risk management approach. Consideration of cybersecurity is inconsistent.

  • Tier 3: Repeatable – Risk management practices are approved by management, established as policy and regularly updated based on business requirements and new threats.

  • Tier 4: Adaptive – Security practices are adapted based on lessons learned and current threats. Risk management is formalized with a focus on continuous improvement.

Infographic: the Framework Core of the NIST CSF with its five functions: Identify, Protect, Detect, Respond, Recover.

Is the NIST CSF Mandatory?

The NIST Cybersecurity Framework offers voluntary guidance. However, Executive Order 13800 made the framework mandatory for federal agencies. Specifically, the order requires agencies to submit risk management reports that describe their plan to implement the framework and the strategic, operational and budgetary considerations behind security measures and accepted risks. The Secretary of Homeland Security is then tasked with determining whether their plan of action and risk mitigation choices are appropriate or need to be revised.

As a result of this federal mandate, contractors that want to do business with the public sector generally need to meet the requirements of NIST CSF and/or similar standards like Special Publication 800-53 (Security & Privacy Controls) and Special Publication 800-171 (Controlled Unclassified Information in Nonfederal Systems). More on these standards below.

NIST CSF Compliance: How Does Certification Work?

Unlike standards such as ISO 27001, the NIST Cybersecurity Framework does not include minimum requirements that organizations need to meet. Instead, companies can use the document to create their own target profile by matching security controls and implementation tiers to their unique business needs. The document acts as a reference point for both determining cybersecurity goals and tracking a company’s progress towards them.

This approach is intended to make the Cybersecurity Framework flexible and broadly applicable. However, it also means that there is no clear standard for NIST CSF compliance: companies can use the framework to achieve different levels of cybersecurity depending on their target profile. While some businesses offer NIST CSF audits, there is no official certification for the Cybersecurity Framework. Instead, NIST CSF self-attestation can be used as a common frame of reference to communicate security practices to other organizations.

NIST CSF 2.0: The Update Timeline

Since its original publication in 2014 and the release of Version 1.1 in 2018, the Cybersecurity Framework has seen widespread use by private and public entities alike. Many US states rely on the Cybersecurity Framework as the basis for their own norms and security standards. It has even served as the starting point for regulations in other countries like the Israeli Cyber Defense Doctrine. To bring the framework in line with this expanded use as well as new threats and cybersecurity developments, the National Institute of Standards and Technology is currently working on an updated and revised version: NIST CSF 2.0.

A discussion draft outlining the upcoming changes in CSF 2.0 was published in April 2024. It details changes to the framework’s structure and security targets, including a new Govern function which contains many of the framework’s overarching requirements and a new section on the continuous evaluation and improvement of security measures. Following additional feedback, comments and workshops, the final version of CSF 2.0 will be available in Winter 2024. Additional information is available on the Journey To CSF 2.0 website.

Planned Changes In NIST CSF 2.0

  • Adjust the document scope to reflect widespread industry and international use.

  • Update guidance in accordance with new threats and cybersecurity practices.

  • Provide more context on the relationship to other NIST frameworks.

  • Add a new, sixth function (Govern) to address cybersecurity policies, strategies, roles and responsibilities.

  • Emphasize the importance of supply chain management.

NIST CSF vs. 800-53

Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations) details required safety measures across 20 different control families. Like the Cybersecurity Framework, NIST 800-53 is mandatory for federal agencies. However, this application is phrased more broadly to cover all federal information systems, which includes IT systems accessed by federal contractors as well as networks operated by private companies on behalf of a federal agency.

The security controls laid out in SP 800-53 are required as part of the Federal Information Security Modernization Act (FISMA) and the Federal Information Processing Standards (specifically, FIPS 200). However, federal agencies and contractors do not need to implement all controls from all 20 control families. Rather, they need to choose the appropriate security measures based on their specific needs and impact level (low, moderate, high).

Read our direct comparison for more on the differences between NIST 800-53 and 800-171.

NIST CSF vs. 800-171

NIST 800-171 governs controlled unclassified information (CUI) in nonfederal systems. The requirements of the standard are based on NIST 800-53 assuming a moderate security baseline. As a result, there is significant overlap between the two documents. However, unlike 800-53, SP 800-171 applies to non-federal systems, i.e. contractors, subcontractors and anyone who works with controlled information across the entire supply chain. As a supplement to this document, SP 800-172 provides enhanced controls for controlled information with a high security impact.


NIST CSF vs. ISO 27001

The NIST Cybersecurity Framework and ISO 27001 have a lot in common: both are voluntary and widely used standards that organizations can draw on in order to guide and structure their cybersecurity efforts. Indeed, most CSF requirements map to comparable demands in ISO. There are, however, a few important differences: ISO 27001 is internationally recognized. Unlike the CSF, ISO 27001 compliance requires official certification from an accredited body that will perform an on-site audit. The benefit of this mandatory review and regular recertification is that the norm is often considered a more reliable indicator of good cybersecurity practices.

ISO 27001 also has a less technical focus compared to the NIST CSF, placing a stronger emphasis on organizational controls like employee screening and training, cybersecurity awareness, disciplinary procedures and so on. The core goal of ISO 27001 is to establish an information security management system (ISMS), which not only lays out security practices and safety measures, but also clearly defines who is responsible for implementing, enforcing, reviewing and improving the necessary controls.

Compared to the ISO 27000 series, the fact that the NIST Cybersecurity Framework is available free-of-charge and based around self-attestation makes it ideal for organizations that are only just developing a cybersecurity program for the first time.


NIST CSF Core: The 5 Functions Explained

The framework core of NIST CSF covers 5 functions that organizations need to be able to perform as part of an effective cybersecurity strategy: Identify, Protect, Detect, Respond, Recover. These five chapters are subdivided into smaller topics like Governance or Risk Assessment as well as specific targets such as “External information systems are catalogued”.

All in all, NIST CSF contains 108 demands split into 23 categories. However, organizations are not required to implement every single safety measure found in the document. Companies need to create their own target profile to determine which of these practices match their resources, IT environment, business requirements and risk tolerances.

1. Identify (ID)

The Identify function creates an organizational understanding of cybersecurity risks. It does not refer to the identification of threats, but rather of business assets, IT systems, user accounts and other digital resources that are potentially at risk. An accurate inventory of all elements of your company network is crucial in order to make informed risk management decisions, identify which assets were lost or compromised during a breach and ensure that safety measures are applied consistently to all systems and devices.

ID.AM Asset Management

The Asset Management category requires organizations to correctly identify staff, systems and devices and manage them in accordance with their security impact. An inventory of software, hardware, information and personnel is needed to achieve this goal, as is a classification based on how critical different resources are to business goals. Additionally, roles and responsibilities surrounding cybersecurity must be established in the workforce.

More information is available in SP 1800-5: IT Asset Management.

ID.BE Business Environment

To fulfill this category, an organization must understand its goals, objectives, and dependencies, such as its place in the supply chain. Risk management decisions are informed by this understanding in order to prioritize critical functions. Resilience requirements are established to support critical services even while under attack or in recovery.

See also SP 800-55: Performance Measurement Guide for Information Security.

ID.GV Governance

The Governance category concerns the formal policies and procedures used to manage cybersecurity risks, alongside other regulatory concerns such as privacy. An internal cybersecurity policy must be established and communicated to staff, which coordinates roles and responsibilities.

Informative references include SP 800-100: Information Security Handbook for Managers.

ID.RA Risk Assessment

Adequate risk assessment requires understanding new threats and exploits, as well as the specific vulnerabilities of devices and applications used in an organization. This information, combined with the likelihood and potential impact of attacks on different systems, is used to prioritize risk responses.

See SP 800-30: Guide for Conducting Risk Assessments.

ID.RM Risk Management

Cybersecurity is always a trade-off between safety, productivity and cost. It is up to the organization to decide which risks can be accepted versus which need to be mitigated and how. The risk management strategy must be informed by risk analysis, clearly express risk tolerance and be agreed to by organizational stakeholders.

Additional information can be found in SP 800-39: Managing Information Security Risk.

ID.SC Supply Chain

Information systems depend on third-party components, services and service providers to meet business and functionality requirements. Adequate risk management requires organizations to take these dependencies into account. Under this category, companies are expected to identify and assess third-party providers, incorporate security expectations into contracts and audit or otherwise evaluate suppliers. Third-party providers must also be included in response and recovery planning/testing.

For additional guidance, review SP 800-161: Cybersecurity Supply Chain Risk Management.

2. Protect (PR)

This section of NIST CSF covers best practices for cybersecurity designed to harden your IT and reduce the risk of successful attacks. It includes security software, as well as organizational processes and cybersecurity awareness. IT security is often thought of as a purely technical domain. In reality, all departments of an organization must work together to maintain effective security practices.

PR.AC Access Control

Preventing unauthorized access to physical and logical assets is critically important to a secure information environment. Credentials and identities must be actively managed, audited and revoked as necessary to enforce the principle of least privilege and segregation of duties (SOD). Organizations must use multi-factor authentication and one-time passwords where appropriate based on high risk or impact. Additionally, physical access and remote access must be controlled.

More information on authentication and user lifecycle management can be found in NIST 800-63: Digital Identity Guidelines.

PR.AT Awareness & Training

A cybersecurity strategy is only as strong as its weakest link and unfortunately the human factor is among the most frequently exploited through methods like phishing, social engineering, etc. To counteract this, the company must inform and train all employees to use information systems safely. Furthermore, executives, cybersecurity staff and privileged users such as admins must understand their roles and responsibilities in the company’s strategy.

For more details, compare the National Initiative for Cybersecurity Education (NICE).

PR.DS Data Security

Data security requires protecting information both at rest and in motion through storage and transport layer encryption. Additionally, businesses must take adequate measures to ensure availability, prevent data leaks and safely dispose of storage media. Integrity checking mechanisms for software, firmware and hardware are used to prevent tampering.

SP 800-175 concerns the use of cryptographic standards in the federal government.

PR.IP Information Protection

The information protection chapter touches on a variety of processes and procedures. IT systems need to be securely configured based on principles like least functionality, with change control processes to prevent tampering with system settings. Backups are maintained and tested. Similarly, incident response plans that address both business continuity and recovery need to be established and regularly tested.

See also SP 800-128: Security-Focused Configuration Management.

PR.MA Maintenance

Maintenance and repairs of IT and industrial control system (ICS) components must be conducted according to policies and procedures. Unauthorized or undocumented changes can lead to security risks that stakeholders are unaware of and can therefore not control or address.

PR.PT Protective Tech

Protective technologies can ensure system security and resilience, provided they are used appropriately. The principle of least functionality must be upheld by providing only essential capabilities to services and applications. Further, records and audit logs are maintained and reviewed to monitor system activity.


3. Detect (DE)

Controls grouped under the Detect function enable organizations to identify attacks and other cybersecurity incidents. Detection processes are essential for a timely incident response, which can minimize the potential damage caused by data breaches, zero-day vulnerabilities or ransomware attacks. Detecting anomalous events requires a clear understanding of what normal, intended IT operations look like. Therefore, the first step towards successful detection is defining a baseline for expected data flows and network operations.

DE.AE Anomalies & Events

In order to differentiate between normal operations and unauthorized activity, businesses must define a baseline of expected data flows and system use, as well as thresholds for incident alerts. Event data is collected from multiple sources and detected events are analyzed to understand their impact as well as attack targets and methods.

For more information, compare SP 800-94: Guide to Intrusion Detection and Prevention Systems.
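As an added example (not code from the original article or from NIST), the baseline-and-threshold logic DE.AE describes, run over constructed flow summaries and sshd log lines from two sources; the hostnames, users, addresses, byte counts, the business-hours window and the service-account prefix are all assumed sample values.

```python
"""Baseline-and-threshold detection in the spirit of DE.AE.

Added example, not code from the original article. Two constructed sources
are correlated: hourly outbound-byte totals per host (a stand-in for flow
records) and sshd log lines. A host is flagged only when its traffic exceeds
a threshold derived from its own baseline and the same hour shows a logon by
a human account outside business hours, so one noisy metric alone does not
raise an alert. Hostnames, users, addresses and byte counts are made up.
"""
import re
import statistics
from collections import defaultdict

# Constructed baseline window: (host, hour of day, outbound bytes) for seven normal days.
BASELINE_FLOWS = [
    ("fileserver01", 3, b) for b in (210_000, 190_000, 230_000, 205_000, 220_000, 198_000, 215_000)
] + [
    ("fileserver01", 14, b) for b in (9_100_000, 8_800_000, 9_400_000, 9_000_000, 9_200_000, 8_900_000, 9_300_000)
]

# Constructed observations for the day under review.
OBSERVED_FLOWS = [
    ("fileserver01", 3, 6_400_000),   # large transfer at 03:00
    ("fileserver01", 14, 9_250_000),  # busy, but normal for the afternoon
]

# Constructed sshd log lines; the hour is taken from the timestamp.
AUTH_LOG = """\
2024-03-11T03:12:44 fileserver01 sshd[4121]: Accepted password for svc-backup from 10.0.8.7 port 51022
2024-03-11T03:14:02 fileserver01 sshd[4133]: Accepted password for jdoe from 10.0.8.7 port 51030
2024-03-11T14:05:19 fileserver01 sshd[5210]: Accepted publickey for jdoe from 10.0.2.15 port 49212
"""

AUTH_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2} (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59, an assumed policy value
SERVICE_ACCOUNT_PREFIX = "svc-"  # assumed naming convention for non-human accounts


def build_baseline(flows):
    """Per (host, hour) mean and population standard deviation of outbound bytes."""
    buckets = defaultdict(list)
    for host, hour, nbytes in flows:
        buckets[(host, hour)].append(nbytes)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in buckets.items()}


def traffic_threshold_exceeded(baseline, host, hour, nbytes, k=3.0):
    """Alert threshold is mean + k * stdev for that host at that hour of day."""
    if (host, hour) not in baseline:
        return True  # a host/hour with no baseline at all deserves a look
    mean, sd = baseline[(host, hour)]
    return nbytes > mean + k * sd


def off_hours_human_logons(auth_log):
    """Return (host, hour, user) for successful logons by non-service accounts outside business hours."""
    found = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        hour, user = int(m.group("hour")), m.group("user")
        if hour not in BUSINESS_HOURS and not user.startswith(SERVICE_ACCOUNT_PREFIX):
            found.append((m.group("host"), hour, user))
    return found


def correlate(observed, auth_log, baseline):
    """Alerts are traffic anomalies that coincide with an off-hours human logon on the same host."""
    logons = defaultdict(list)
    for host, hour, user in off_hours_human_logons(auth_log):
        logons[(host, hour)].append(user)
    alerts = []
    for host, hour, nbytes in observed:
        if traffic_threshold_exceeded(baseline, host, hour, nbytes) and logons[(host, hour)]:
            alerts.append({"host": host, "hour": hour, "bytes": nbytes, "users": logons[(host, hour)]})
    return alerts


if __name__ == "__main__":
    for a in correlate(OBSERVED_FLOWS, AUTH_LOG, build_baseline(BASELINE_FLOWS)):
        print(f"ALERT {a['host']} {a['hour']:02d}:00 bytes={a['bytes']} off-hours logons={a['users']}")
```

With the sample data, the 03:00 transfer is roughly thirty times its baseline and coincides with an interactive logon, so it is reported, while the 14:00 total stays inside its own threshold and is not.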

DE.CM Security Monitoring

This category requires organizations to monitor physical premises, IT systems, personnel activity and third-party service providers for potential cybersecurity events. Additionally, they must perform vulnerability scans and take steps to detect unauthorized or malicious code.

SP 800-137 provides more guidance on Information Security Continuous Monitoring for Federal Systems.

DE.DP Detection Processes

New cybersecurity threats are always emerging alongside new ways to evade detection and delay the security response. To ensure effective monitoring, detection processes must be tested and continuously improved. For the sake of accountability, official roles and processes must be established to enforce testing and improvement.


4. Respond (RS)

The Respond section covers the steps that follow after an attack is detected: How does your organization mitigate the threat, ensure that the mitigation strategy was successful and coordinate this process with internal and external stakeholders (such as law enforcement agencies)? To ensure a swift response, plans must be developed well in advance of actual incidents. Plans must also be continuously improved based on the lessons learned from actual incidents.

RS.RP Response Planning

Cybersecurity incidents are a high-stress scenario for everyone involved. Consequently, training, planning and preparation are critical to make sure your staff knows the proper procedures to follow. While the chapter on Information Protection asks companies to develop incident response plans, this chapter requires them to put plans into action following an incident.

SP 800-34: Contingency Planning for Federal Information Systems can act as a reference point for establishing response plans.

RS.CO Communications

Although time is of the essence after a cyberattack, response actions need to be closely coordinated with not just internal stakeholders like executives, but also outside parties like law enforcement. To this end, IT staff need to follow the established procedures for reporting incidents and communicating information. Additionally, organizations are expected to be forthcoming with external stakeholders. Sharing information about cyberattacks can alert other organizations to new threats and help them defend against them.

See also SP 800-150: Guide to Cyber Threat Information Sharing.

RS.AN Analysis

Detailed analysis is necessary to understand the attack vector used during a breach and prevent further attacks (if possible), as well as to ensure the security response successfully purges the IT system. Threat actors who manage to leave behind new accounts or entry points can achieve persistence, i.e. long-term access to the company network. To prevent this, this section of the CSF mandates forensics and analysis in the aftermath of a security incident.

For more information, see SP 800-86: Guide to Forensic Techniques in Incident Response.

RS.MI Mitigation

The Mitigation subcategory essentially acts on the results of the incident analysis, taking the appropriate steps to contain and resolve the threat. After the immediate response, organizations are further expected to take action on any new vulnerabilities that were brought to light by the incident. Companies must either take steps to address these weaknesses or document them as accepted risks in their risk assessment.

For more information, compare SP 800-61: Computer Security Incident Handling Guide.

RS.IM Improvements

Aside from newly discovered vulnerabilities, which must be addressed under the Mitigation chapter, there are many other potential lessons that can result from a security incident. Organizations are expected to update their response plans and strategies to incorporate these lessons and improve their resilience and readiness for future attacks.


5. Recover (RC)

Recovery describes the steps necessary to restore full functionality after an attack on your network. Even in the best case scenario of a breach that was successfully detected and quickly contained, some devices or network resources may be temporarily unavailable while your incident response team ensures they are no longer compromised. An organization’s recovery plan documents the steps necessary for the full restoration of all affected systems.

RC.RP Recovery Planning

Similarly to the response plan, system recovery should follow a clearly structured and documented process to guarantee that all necessary functions, devices and systems are fully restored and that all resulting changes to the network are properly documented.

Additional information on this topic is available in NIST 800-184 Guide for Cybersecurity Event Recovery.

RC.IM Improvements

As with incident response, putting the recovery plan into action can reveal problems and shortcomings that did not surface during testing. Consequently, organizations must take the lessons learned during system recovery to update their plan and address these newly-revealed concerns.

RC.CO Communications

In the aftermath of an attack or breach, organizations will need to communicate with suppliers, business partners and service providers and discuss the extent to which their network was compromised and if any shared assets or resources were exposed as a result. In order to repair trust, companies must engage in public relations and work to repair their reputation.


Using NIST CSF for Software Buying Decisions

Security standards like the Cybersecurity Framework, Critical Security Controls or ISO 27001 are generally written to be technology neutral. This means that they set security targets for organizations, but don’t mandate a specific solution to achieve this goal. This approach is meant to prevent businesses from being forced to buy a specific product and ensure that compliance is upheld even if the target is achieved through a solution that uses a different label or technical categorization.

The result of this tech-neutral approach is that organizations looking to implement a cybersecurity strategy cannot treat CSF as a shopping list for required tools. However, by using the framework as a reference point for gap analysis, businesses can identify improvements they’d like to make and choose security products based on their specific needs.


The Right Technology Mix

As the five pillars of the NIST CSF show, an effective cybersecurity strategy must address a broad range of topics. Consequently, organizations that want to keep their network secure and achieve their compliance goals need a mix of technologies to cover all areas of cybersecurity. And choosing the right tools can be tricky: effective software solutions not only have to help companies address security needs, but do so in a way that fits their budget and integrates with their existing IT setup.

Take access control for example: On paper, a platform might allow you to manage identities and permissions across different systems like your local Active Directory, Azure AD and Microsoft 365. In practice, this integration won’t do you any good if it takes months to set up the necessary interfaces and you need to call a consultant every time you want to change a setting. Mid-sized businesses in particular struggle with the lengthy setup and huge operational costs of large-scale identity and access management solutions. There is simply no way to use enterprise IAM effectively with the budget and staff constraints of a smaller organization.

That’s what makes tenfold’s out-of-the-box plugins so revolutionary: Thanks to our wide range of prebuilt integrations, you can set up our IAM platform and enjoy a fully automated user lifecycle in a matter of days rather than months or years. tenfold can be fully configured without the need to write custom code for interfaces or workflows. This way, you benefit from a powerful IAM solution without wasting time on lengthy setups.

NIST-Compliant Access Control with tenfold

Taking control of user accounts and IT privileges to prevent unauthorized access to data is one of the most essential tasks in cybersecurity. No wonder then, that the NIST CSF discusses access control in its own section in the Protect function (PR.AC). However, this chapter deals with digital identities as well as physical and remote access.

This may leave you wondering which subcategories can be covered with identity and access management and which require their own dedicated solution. Or perhaps you’re asking yourself: Which of the various NIST security standards apply to my organization? And how do these different standards relate to each other?

Download our NIST compliance overview to learn more about the relationship between the different NIST cybersecurity standards, their access control requirements and which tenfold features map to which sections.


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.