The NIST Cybersecurity Framework (CSF) is a set of guidelines developed by the National Institute of Standards and Technology (NIST) to help organizations manage cybersecurity risk. Its creation was directed by an executive order issued by President Obama in February 2013, and NIST gathered input from government and private sector entities during its development.
Commonly known by its abbreviation, CSF (Cyber Security Framework), it is widely referenced even outside the US; many companies and organizations in Japan, for example, use it as a guide to improve their cybersecurity measures.
The framework's official title is the "Framework for Improving Critical Infrastructure Cybersecurity." The first version (Version 1.0) was published in February 2014; an updated version (Version 1.1) was released in April 2018. This article will cover the fundamentals of the NIST CSF, focusing primarily on the features of NIST CSF Version 1.1.
On February 26, 2024, the National Institute of Standards and Technology (NIST) officially released version 2.0 of the NIST Cybersecurity Framework (NIST CSF). For more details about the latest version, please see below.
When compared to other prominent frameworks, the NIST CSF is recognized for several key features: it specifically focuses on addressing cyberattacks, its requirements are generalized for broad applicability across diverse organizations, it employs a risk-based approach, and the framework itself is freely available. These characteristics have contributed to its growing adoption by companies and organizations worldwide.
The following table provides a comparison with NIST CSF and other well-known frameworks such as ISMS, CIS Controls, and PCI DSS.
| Framework | Key Characteristics | Target Audience | Content / Description |
| CSF (NIST_2014 Initial Version) | Stronger on Organizational Aspects, Focused on Cyberattack Countermeasures | For Critical Infrastructure | • Primarily focuses on cyberattack countermeasures. • Requirements are general to allow for wide adoption. |
| ISMS (ISO/IEC_2005 Initial Version) | Stronger on Organizational Aspects, Broader Information Security Scope | Industry-Agnostic | • Primarily focuses on verifying overall information security measures. • Lacks sufficient coverage for incident response. |
| CIS Controls (SANS_2009 Initial Version) | Stronger on Technical Aspects, Focused on Cyberattack Countermeasures | Industry-Agnostic | • Primarily focuses on verifying technical measures against cyberattacks. |
| PCI DSS | Stronger on Technical Aspects, Broader Information Security Scope | Industries that handle credit card information | • Protection of credit card information. |
Although its formal name translates to "Cybersecurity Measures for Critical Infrastructure," the NIST CSF offers a comprehensive compilation of cybersecurity best practices and assessment standards, designed for use by organizations of any size or industry to evaluate their security measures.
The NIST Cybersecurity Framework (CSF) consists of three key components: "Core," "Tier," and "Profile." By utilizing these three elements, organizations can more easily conduct gap analyses between their current cybersecurity posture and their target state.
Key Points
Now, let's take a closer look at each of these components as defined in NIST CSF version 1.1.
First, let's review an overview of the Core. The NIST CSF Core outlines common cybersecurity measures that apply across industries and sectors. Here is a work core configuration we created by based on IPA materials.
| Function | Identifier | Category |
| Identify | ID.AM | Asset Management |
| ID.BE | Business Environment | |
| ID.GV | Governance | |
| ID.RA | Risk Assessment | |
| ID.RM | Risk Management Strategy | |
| ID.SC | Supply Chain Risk Management | |
| Protect | PR.AC | Access Control |
| PR.AT | Awareness & Training | |
| PR.DS | Data Security | |
| PR.IP | Information Protection Processes & Procedures | |
| PR.MA | Maintenance | |
| PR.PT | Protective Technology | |
| Detect | DE.AE | Anomalies & Events |
| DE.CM | Security Continuous Monitoring | |
| DE.DP | Detection Processes | |
| Respond | RS.RP | Response Planning |
| RS.CO | Communications | |
| RS.AN | Analysis | |
| RS.MI | Mitigation | |
| RS.IM | Improvements | |
| Recover | RC.RP | Recovery Planning |
| RC.IM | Improvements | |
| RC.CO | Communications |
Each category connects to several subcategories that list specific actions for organizations to consider when putting cybersecurity measures in place. The table below, based on IPA materials, shows how the asset management category relates to its subcategories.
| Category | Subcategory |
| Asset Management (ID.AM): Identify data, personnel, devices, systems, and facilities that enable the organization to achieve business objectives, and manage them according to their relative importance to business objectives and the organization's strategy. | ID.AM-1: An inventory of physical devices and systems within the enterprise is created. |
| ID.AM-2: An inventory of software platforms and applications within the enterprise is created. | |
| ID.AM-3: A diagram of communication and data flows within the enterprise is prepared. | |
| ID.AM-4: An inventory of external information systems is created. | |
| ID.AM-5: Resources (e.g., hardware, devices, data, software) are prioritized based on classification, criticality, and business value. | |
| ID.AM-6: Cybersecurity roles and responsibilities are defined for all employees and third-party stakeholders (e.g., suppliers, customers, partners). |
One of the main reasons why the NIST CSF is widely supported is its measurability. This is made possible by the role of tiers.
The CSF tiers utilize a 4-level maturity assessment framework to quantify the state of cybersecurity measures.
The four levels of tier evaluation are as follows:
| Tier | Description | Characteristics |
| 1 | Partial | Cybersecurity risk management is ad hoc and reactive; limited awareness and inconsistent practices. |
| 2 | Risk-Informed | Risk management practices are approved but not consistently implemented organization-wide; some awareness and planning. |
| 3 | Repeatable | Risk management processes are formally established, repeatable, and regularly updated; clear understanding across departments. |
| 4 | Adaptive | Cybersecurity risk management processes are fully integrated and adaptive to changing threats; predictive analysis and continuous improvement. |
In frameworks that assess maturity, including NIST CSF, it's common for respondents to struggle with determining which level best represents their organization's situation. To avoid confusion, the tiers can be simplified by considering the implementation and operational status of measures. Below is an example of a simplified definition for the 4 levels of tier evaluation.
| Tier | Description | Criteria Definition Example |
| 1 | Partial | Measures Not Yet Implemented |
| 2 | Risk-Informed | Measures Implemented |
| 3 | Repeatable | Measures Implemented & Regularly Reviewed |
| 4 | Adaptive | Measures Implemented & Reviewed in a Timely Manner |
The NIST CSF framework was designed to be adaptable and flexible to allow for adjustments based on each organization’s specific needs. Therefore, the exact definition of the Tier levels should be discussed and agreed upon within each organization, with relevant stakeholders aligning on how each level is interpreted.
Additionally, the goal of a maturity assessment is not necessarily to achieve the highest level (Tier 4 in CSF). Instead, organizations should set appropriate Tier levels for each category, based on factors like business characteristics and the nature of their information assets.
Unlike the Core and Tier, which are broadly applicable, the Profile is influenced by each organization’s specific characteristics and strategies. As a result, while the NIST CSF offers guidelines for creating Profiles, it does not provide a template. This makes the Profile component a part of the framework that requires creativity and adjustment from cybersecurity professionals.
Profiles are tailored based on the organization's business requirements, risk tolerance, and available resources. They describe the current state (As-Is) and the desired future state (To-Be) of cybersecurity measures.
Using the NIST CSF primarily aims to maintain, strengthen, and improve cybersecurity measures. To achieve this, aligning the metrics for the current state (As-Is) and the target state (To-Be) is crucial.
Here are some practical examples of how NIST CSF profiles can be used:
| NIST CSF Core Function | Description | Current Profile Level (As-Is) | Target Profile Level (To-Be) |
| Identify | Develop an understanding of the organization's systems, assets, data, and capabilities to manage cybersecurity risk. | Lv2 | Lv3 |
| Protect | Implement safeguards to ensure delivery of critical services and limit the impact of potential cybersecurity events. | Lv1 | Lv3 |
| Detect | Develop and implement activities to identify the occurrence of cybersecurity events. | Lv1 | Lv2 |
| Respond | Develop and implement activities to take action regarding a detected cybersecurity incident. | Lv1 | Lv3 |
| Recover | Develop and implement activities to restore capabilities or services that were impaired due to a cybersecurity incident. | Lv2 | Lv3 |
First, it's essential to understand the role of a Profile. The Profile is used to assess the current cybersecurity situation using the NIST CSF and, based on this evaluation, determine the desired level of cybersecurity for the organization.
The goal is not necessarily to aim for Tier 4 but to set a target that reflects the organization's future goals. This involves a comprehensive approach and stakeholder collaboration to reach a consensus on the target level.
Let's consider some specific scenarios to explore this further.
What do we mean by "business requirements"? Defining the exact industry or sector an organization belongs to in today's business landscape can be challenging. For instance, it's common for companies in sectors like telecommunications or retail to expand into the financial industry. Each industry has its standards and regulations, with government oversight being a significant factor. If an organization plans to expand into a new industry, this should be considered when setting the target Profile.
A company that is currently privately held but plans to go public soon will need to establish a management system that meets the standards of a publicly traded company, including cybersecurity controls. This scenario is common among rapidly growing startups approaching an IPO, where security policies must be quickly implemented.
Moreover, even if a company is operating independently, it should also be considered if it plans to expand through new partnerships, joint ventures, or outsourcing. In such cases, the company may need to address specific risk management categories related to supply chain cybersecurity, such as ID.SC.
The NIST CSF 1.1, updated in April 2018, includes six key points:
Key Points
While each of these improvements is an important update, the most notable revision is the significant strengthening of SCRM (Supply Chain Risk Management).
As digitalization advances, the increasing use of cloud technologies, IoT, and the diversification of manufacturing and international operations make threats related to supply chain risks more severe. From the supply chain perspective, managing risks within a single company is not enough; it also involves controlling risks related to suppliers and SMEs.
For more details on the supply chain updates, please refer to Section 3.3 of NIST CSF 1.1: "Communicating Cybersecurity Requirements to Stakeholders."
In February 2019, SecureSketCH updated its questions to reflect the NIST CSF Version 1.1, enhancing its compliance with the framework. All SecureSketCH users have automatically been updated to questions compliant with CSF 1.1. The platform will continue leveraging its service model to align consistently with other frameworks.
The "Guideline Check Function" in SecureSketCH allows organizations to analyze and verify whether their cybersecurity measures comply with various global security frameworks, including NIST CSF, CIS Controls, and ISO/IEC 27001 and 27002. Previously, SecureSketCH checked only the specific measures it had defined. With this feature, organizations can cross-reference their cybersecurity levels with multiple guidelines to push forward appropriate security measures tailored to their needs.
By using Secure to cross-reference with various frameworks, users can more efficiently and quickly check compliance and provide explanations to internal and external stakeholders. As part of this effort, we will continue to expand the number of guidelines available for review.
The NIST CSF has been continuously updated since its 2014 draft through collaboration among government, academia, and the NIST. Feedback from thousands of workshop participants helps refine the framework.
With input from many experts, the CSF stays relevant and comprehensive in addressing cybersecurity measures. Expect regular, practical updates that keep pace with evolving cybersecurity risks.