NIST Cybersecurity Framework
15 articles available
The NIST CSF organizes cybersecurity into six core functions: Govern (strategy and governance), Identify (understand risk posture), Protect (implement safeguards), Detect (discover events), Respond (take action on incidents), and Recover (restore services). Together they cover the full cybersecurity lifecycle.
NIST CSF 2.0 (released February 2024) adds a sixth core function (Govern), expands scope to all organizations (not just critical infrastructure), enhances supply chain risk management, introduces community profiles, and adds implementation examples. It is the first major update since the framework launched in 2014.
NIST CSF 2.0 has 22 categories and 106 subcategories organized under 6 core functions. Categories group related cybersecurity outcomes (e.g., Asset Management, Access Control), while subcategories define specific outcomes to achieve. Together they provide a detailed roadmap for cybersecurity activities.
NIST CSF has four implementation tiers representing cybersecurity maturity: Tier 1 (Partial — ad hoc), Tier 2 (Risk Informed — some processes), Tier 3 (Repeatable — formal policies), and Tier 4 (Adaptive — continuous improvement). Tiers assess how well risk management is integrated into organizational practices.
A NIST CSF maturity assessment evaluates how well your organization implements the framework across all functions, categories, and subcategories. It uses a scoring model (typically 0-5 or Tier 1-4) to identify strengths, weaknesses, and improvement areas. Assessments should be conducted annually.
A NIST CSF risk assessment identifies cybersecurity threats, vulnerabilities, likelihoods, and impacts to your organization. It follows the Identify function's risk assessment category (ID.RA) and involves cataloging assets, identifying threats, assessing vulnerabilities, determining likelihood and impact, and calculating risk to prioritize mitigation.
A NIST CSF Profile describes your organization's cybersecurity posture by documenting which CSF categories and subcategories are addressed and to what extent. The Current Profile shows where you are today; the Target Profile shows where you want to be. The gap between them drives your improvement plan.
A NIST CSF gap analysis compares your Current Profile against your Target Profile to identify security gaps. It involves assessing each applicable CSF subcategory, documenting gaps, prioritizing by risk impact, and creating an action plan. A typical gap analysis takes 2-8 weeks depending on organization size.
NIST CSF covers incident response across two functions: Respond (RS) for active incident handling and Recover (RC) for restoring services. An effective incident response plan should include preparation, detection, containment, eradication, recovery, and lessons learned phases aligned with CSF categories.
NIST CSF 2.0 elevates supply chain risk management with a dedicated category (GV.SC) containing 10 subcategories. It requires identifying critical suppliers, establishing security requirements in contracts, assessing supplier security posture, and monitoring supply chain risks continuously.
