Framework Explorer

An Interactive Guide to Foundational Frameworks

NIST Cybersecurity Framework

A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

The NIST Cybersecurity Framework (CSF) was created by the National Institute of Standards and Technology to provide a unified approach to cybersecurity. It is a voluntary framework that organizations can use to assess and improve their ability to prevent, detect, and respond to cyber attacks.

The Framework is not a one-size-fits-all approach to managing cybersecurity risk for organizations. Rather, it is designed to be customized by different sectors and individual organizations to best suit their risks, situations, and needs.

  • Type: Cybersecurity Framework
  • Core Idea: Risk Management
  • Key Elements: Core, Tiers, Profiles

Framework Components

The three main components of the NIST Cybersecurity Framework.

Framework Core

The Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.

Framework Implementation Tiers

Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices.

Framework Profiles

A Profile is a representation of the outcomes that a particular organization has selected and prioritized from the Framework Core. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a "Current" Profile with a "Target" Profile.

Identify

Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

Protect

Develop and implement appropriate safeguards to ensure delivery of critical services.

Detect, Respond, Recover

Develop and implement appropriate activities to identify the occurrence of a cybersecurity event (Detect), to take action regarding a detected event (Respond), and to maintain plans for resilience and restore any capabilities or services that were impaired (Recover).

Implementation & Strategy

Costs, timelines, and strategic considerations for adopting the NIST Cybersecurity Framework.

Estimated Project Costs

The NIST Cybersecurity Framework is a voluntary framework, so there are no direct costs associated with it. However, there are costs associated with implementing the controls and practices that are recommended by the framework. These costs can range from a few thousand dollars to several hundred thousand dollars, depending on the size and complexity of the organization.

Implementation Strategy

A typical NIST Cybersecurity Framework implementation starts with a risk assessment to identify the organization's current security posture. From there, the organization can develop a target profile and a plan for closing the gaps between its current and target profiles. The final step is to implement the plan and to monitor and improve the organization's cybersecurity posture over time.

Comparisons

How the NIST Cybersecurity Framework stacks up against other security frameworks.