NIST CSF
NIST CSF
NIST Cybersecurity Framework
1. Overview: The World’s Standard Guide for Cybersecurity, NIST CSF
flowchart LR
A["Compliance-centric security"] -- "Transition to outcome- and<br/>risk-based security" --> B["NIST CSF system"]
Definition: A framework established by the U.S. National Institute of Standards and Technology (NIST) that gives organizations a common language and structure for understanding, managing, and communicating cybersecurity risk.
Characteristics: (Flexible structure) A business-driven structure that lets organizations of any industry or size freely choose their level of adoption. (3 components) Organizes cybersecurity capability into three elements: Core (functions), Tiers (maturity), and Profiles (current/target). (Stronger governance) CSF 2.0 introduces a new Govern function, explicitly strengthening executive accountability and governance.
2. NIST CSF 2.0 Structure and Key Activities
A. The 6 Functions of the Framework Core
flowchart TD
GOV["GOVERN<br/>Establish strategy and policy"]
ID["IDENTIFY<br/>Understand assets and risk"]
PROT["PROTECT<br/>Defensive and technical measures"]
DET["DETECT<br/>Detect intrusions and anomalies"]
RES["RESPOND<br/>Actions taken during an incident"]
REC["RECOVER<br/>Restore service and improve"]
GOV --> ID --> PROT --> DET --> RES --> REC
REC --> GOV
style GOV fill:#1E3A5F,color:#fff
style PROT fill:#28a745,color:#fff
style RES fill:#dc3545,color:#fff
| Function | Description | Key Categories |
|---|---|---|
| Govern | Manages the organization’s cybersecurity strategy, roles, and responsibilities | Policy establishment, risk management strategy |
| Identify | Identifies assets, business context, and supply-chain risk | Asset management, vulnerability analysis |
| Protect | Secures data protection and infrastructure resilience | Access control, encryption, training |
| Detect | Timely discovery of cybersecurity events | Continuous monitoring, anomaly detection |
| Respond / Recover | Incident response and business-continuity assurance | Response planning, recovery, and lessons learned |
B. Implementation Tiers
flowchart TD
NISTCSFTiers["NIST CSF Implementation Tiers"] --> Tier1Partial["Tier 1 - Partial"]
Tier1Partial --> Desc1["Informal, ad hoc risk response"]
NISTCSFTiers --> Tier2RiskInformed["Tier 2 - Risk Informed"]
Tier2RiskInformed --> Desc2["Policies exist but are not applied organization-wide"]
NISTCSFTiers --> Tier3Repeatable["Tier 3 - Repeatable"]
Tier3Repeatable --> Desc3["Formal policy in place and updated regularly"]
NISTCSFTiers --> Tier4Adaptive["Tier 4 - Adaptive"]
Tier4Adaptive --> Desc4["Proactive, prediction-based risk management"]
| Tier | Level | Characteristics |
|---|---|---|
| Tier 1 | Partial | Risk management is ad hoc, with no external collaboration |
| Tier 2 | Risk Informed | Organizational awareness exists but lacks a consistent process |
| Tier 3 | Repeatable | A formal risk management policy is executed company-wide |
| Tier 4 | Adaptive | State-of-the-art response through continuous improvement and predictive techniques |
3. Expected Benefits and Adoption Strategy for NIST CSF
| Category | Key Expected Benefit | Application & Practical Use |
|---|---|---|
| Common language | Smooth communication across departments | Used as a standard for risk conversations between business leaders and security professionals |
| Flexible application | Profiling tailored to organizational characteristics | Define current (As-Is) and target (To-Be) states to determine investment priorities |
| Supply-chain management | Assessing partners’ security posture | Used as a baseline for managing supply-chain security risk |
| Global compatibility | Establishing international credibility | Build an integrated security system by linking with other standards such as ISO 27001 |