
What Is the NIST Cybersecurity Framework?


The NIST Cybersecurity Framework is a compilation of security best practices. Produced by the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce for federal government agencies, the NIST Cybersecurity Framework is publicly available to any organization seeking to understand, manage, and protect its networks and data by reducing cybersecurity risk.

While implementation of the NIST Cybersecurity Framework can be time-consuming, the results are well worth the organizational effort.

The guidelines set forth in the NIST Cybersecurity Framework provide cybersecurity standards that apply to all government agencies, as well as to organizations in the private sector. Data users (e.g., businesses and government agencies) benefit from the added protection of NIST’s cybersecurity controls.

The three key components of the NIST Cybersecurity Framework are:

1. The Framework Core
Defining what must be done to achieve different cybersecurity results, the Framework Core is divided into four parts:

A. Functions—the five functions outlined in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover

B. Categories—for each of the five functions, categories detail specific risks and tasks that must be carried out to protect systems and data (e.g., implement software updates, install anti-virus and anti-malware programs, establish and enforce access control policies)

C. Subcategories—the tasks or challenges associated with each category (e.g., for the “implementing software updates” category, activate auto-updates on all of your Windows-based technology)

D. Informative sources—documentation for how to execute specific tasks (e.g., how to set up auto-updates on Windows-based technology)

2. Implementation tiers
Define the four levels of compliance, with the highest being the most compliant

3. Profiles
Provide an overview of an organization’s current status with regard to programs and processes in place to become NIST Cybersecurity Framework compliant

Core Functions of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework describes five functions that work in concert to protect against threats.

1. Identify
“Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.”
– NIST Cybersecurity Framework

  • Create an inventory of all systems in use (e.g., servers, laptops, desktops, software, services, smart devices, IoT devices) 
  • Develop a cybersecurity governance plan that details risks and requirements
  • Identify who (e.g., employees, partners, and vendors) has access to sensitive systems and privileged data and document roles and responsibilities, along with why access is required and the duration that access is needed 

2. Protect
“Develop and implement appropriate safeguards to ensure delivery of critical services.” – NIST Cybersecurity Framework

  • Prevent unauthorized access to systems (e.g., networks, computer systems) 
  • Encrypt sensitive data at rest and in transit 
  • Back up data regularly to a remote location and test the backups regularly
  • Install software updates and patches when they become available
  • Train users on cybersecurity best practices (e.g., password protocols, social engineering threats)  

3. Detect
“Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.”
– NIST Cybersecurity Framework

  • Monitor all systems (e.g., computer systems, networks) for unauthorized access, unauthorized devices (e.g., removable storage devices), unauthorized connections, and unauthorized software
  • Investigate unusual activity  

4. Respond
“Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.”
– NIST Cybersecurity Framework

  • Develop an incident response plan for communicating with customers, employees, and anyone else whom a cyber-incident may have affected
  • Ensure that procedures are in place to restore operations and minimize downtime
  • Report details about the incident to law enforcement and other authorities (e.g., industry and governmental regulators)
  • Identify the root cause and contain the incident 

5. Recover
“Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.”
– NIST Cybersecurity Framework

  • Review the incident in its entirety 
  • Apply lessons learned to future organizational policies  
  • Repair and reinforce any impacted systems
  • Communicate lessons learned to employees and your executive team

Which Organizations Should Consider the NIST Cybersecurity Framework?

Experts regard the NIST Cybersecurity Framework as a resource that can and should be used by all organizations. It is a requirement for federal agencies and for organizations that work for federal agencies. U.S. federal requirements such as CMMC Level 2 and Level 3 compliance are based on NIST Special Publication 800-171 (NIST SP 800-171) and NIST SP 800-172.

There are no legal or regulatory requirements for non-governmental organizations to follow the NIST Cybersecurity Framework, but many organizations use it to improve their overall security preparedness, as it helps them to:

  • Assess current levels of protection against cyber-threats
  • Identify gaps in cybersecurity protocols 
  • Create new cybersecurity programs and requirements 
  • Implement additional cybersecurity standards and policies

Getting Started with the NIST Cybersecurity Framework

Before implementing the NIST Cybersecurity Framework, an organization should:

  • Assess the maturity of the organization’s cybersecurity to establish what tier applies to it 
  • Determine initial objectives and future goals
  • Develop plans to achieve short-term and long-term goals

Implementation of the NIST Cybersecurity Framework is based on tiers that orient and guide organizations as they move through the process. The implementation tiers mirror the maturity levels described below.

Tier 1—Partial
Tier 2—Risk-Informed
Tier 3—Repeatable
Tier 4—Adaptable

Maturity Levels in the NIST Cybersecurity Framework

Level 1: Partial

The organization has some cybersecurity processes in place but lacks documentation of its security and risk management practices. Security measures are reactive and not repeatable, measurable, or scalable.

Level 2: Risk-Informed

Security and risk management practices have been implemented but are not formally established as an organization-wide practice. Some processes are documented and repeatable, but there is no formalized, overarching plan.

Level 3: Repeatable

The organization’s security and risk management practices are proactive and repeatable. Programs and processes are standardized and defined to facilitate the organization’s consistent application of security measures.

Level 4: Adaptable

Security and risk management are data-driven, using lessons learned and predictive indicators to refine and adapt security measures and so improve both efficacy and efficiency.

Level 5: Optimized

Depending on the resource that’s reviewed, you may find reference to a fifth level: Optimized. At Level 5, the organization’s security and risk management practices are stable and flexible, with processes in place to support continuous improvement and innovation.

Take Advantage of Free Advice Endorsed by Security Experts

There is no such thing as a free lunch—most of the time. The NIST Cybersecurity Framework is one of the exceptions. Endorsed by cybersecurity experts, the NIST Cybersecurity Framework is considered to be a valuable resource in the fight against cyberthreats.

While implementing the NIST Cybersecurity Framework can be time-consuming, the results are well worth the effort. In addition, following the NIST cybersecurity guidelines helps to facilitate compliance with federal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), and Sarbanes–Oxley Act (SOX).

Last Updated: 23rd November, 2024
