Skip to content

NIST CSF

NIST CSF

NIST Cybersecurity Framework

1. Overview: The World’s Standard Guide for Cybersecurity, NIST CSF

    flowchart LR
    A["Compliance-centric security"] -- "Transition to outcome- and<br/>risk-based security" --> B["NIST CSF system"]
  

Definition: A framework established by the U.S. National Institute of Standards and Technology (NIST) that gives organizations a common language and structure for understanding, managing, and communicating cybersecurity risk.

Characteristics: (Flexible structure) A business-driven structure that lets organizations of any industry or size freely choose their level of adoption. (3 components) Organizes cybersecurity capability into three elements: Core (functions), Tiers (maturity), and Profiles (current/target). (Stronger governance) CSF 2.0 introduces a new Govern function, explicitly strengthening executive accountability and governance.


2. NIST CSF 2.0 Structure and Key Activities

A. The 6 Functions of the Framework Core

    flowchart TD
    GOV["GOVERN<br/>Establish strategy and policy"]
    ID["IDENTIFY<br/>Understand assets and risk"]
    PROT["PROTECT<br/>Defensive and technical measures"]
    DET["DETECT<br/>Detect intrusions and anomalies"]
    RES["RESPOND<br/>Actions taken during an incident"]
    REC["RECOVER<br/>Restore service and improve"]

    GOV --> ID --> PROT --> DET --> RES --> REC
    REC --> GOV

    style GOV fill:#1E3A5F,color:#fff
    style PROT fill:#28a745,color:#fff
    style RES fill:#dc3545,color:#fff
  
FunctionDescriptionKey Categories
GovernManages the organization’s cybersecurity strategy, roles, and responsibilitiesPolicy establishment, risk management strategy
IdentifyIdentifies assets, business context, and supply-chain riskAsset management, vulnerability analysis
ProtectSecures data protection and infrastructure resilienceAccess control, encryption, training
DetectTimely discovery of cybersecurity eventsContinuous monitoring, anomaly detection
Respond / RecoverIncident response and business-continuity assuranceResponse planning, recovery, and lessons learned

B. Implementation Tiers

    flowchart TD
  NISTCSFTiers["NIST CSF Implementation Tiers"] --> Tier1Partial["Tier 1 - Partial"]
  Tier1Partial --> Desc1["Informal, ad hoc risk response"]
  NISTCSFTiers --> Tier2RiskInformed["Tier 2 - Risk Informed"]
  Tier2RiskInformed --> Desc2["Policies exist but are not applied organization-wide"]
  NISTCSFTiers --> Tier3Repeatable["Tier 3 - Repeatable"]
  Tier3Repeatable --> Desc3["Formal policy in place and updated regularly"]
  NISTCSFTiers --> Tier4Adaptive["Tier 4 - Adaptive"]
  Tier4Adaptive --> Desc4["Proactive, prediction-based risk management"]
  
TierLevelCharacteristics
Tier 1PartialRisk management is ad hoc, with no external collaboration
Tier 2Risk InformedOrganizational awareness exists but lacks a consistent process
Tier 3RepeatableA formal risk management policy is executed company-wide
Tier 4AdaptiveState-of-the-art response through continuous improvement and predictive techniques

3. Expected Benefits and Adoption Strategy for NIST CSF

CategoryKey Expected BenefitApplication & Practical Use
Common languageSmooth communication across departmentsUsed as a standard for risk conversations between business leaders and security professionals
Flexible applicationProfiling tailored to organizational characteristicsDefine current (As-Is) and target (To-Be) states to determine investment priorities
Supply-chain managementAssessing partners’ security postureUsed as a baseline for managing supply-chain security risk
Global compatibilityEstablishing international credibilityBuild an integrated security system by linking with other standards such as ISO 27001