Blog Eight Benefits of the NIST Cybersecurity Framework

NIST CSF History

The National Institute of Standards and Technology (NIST) is a US government agency founded in 1901 by Congress (originally as the National Bureau of Standards), and forms part of the United States Department of Commerce. Initially focused on standardizing physical weights and measures, NIST’s role has expanded over time to cover many aspects of technology and its use and included the investigation into the collapse of the World Trade Center as a result of the September 11th attacks. Some aspects of NIST’s role are explicitly laid out in US legislation and in 2013 an Executive Order from President Obama mandated the creation of a Cybersecurity Framework with the Cybersecurity Enhancement Act of 2014 placing further emphasis on NIST’s role in cybersecurity. The first version of the Framework was published in 2014 and it was updated in April 2018 with CSF 1.1.

The use of the Cybersecurity Framework was made compulsory for federal agencies by President Trump in an Executive Order in 2017. A strong aspect of the legislation dealing with the CSF is the need for it to stay up to date, to drive improvement and to encourage close cooperation between the private and public sectors. To this end, NIST embarked on the journey to CSF 2.0 with a comprehensive program of consultation, including a series of well-attended workshops and invitations for comment. Version 2.0 was published in February 2024.

There are a number of ways in which the NIST Cybersecurity Framework 2.0 scores over the available alternatives. Let’s look at what these are.

1 – It’s backed by the US Government

Whatever your views on the US Government, you can’t deny that it has influence. It also has massive budgets, and the combination of these two factors means that a framework that was created and mandated by POTUS carries a lot of weight. With this level of focus and investment, the CSF is likely to stick around for the long term and get better over time, which has to make it a good bet.

2 – It gets input from USA tech companies and government agencies

It’s hard to think of a big tech company that isn’t American, and few would dispute the fact that the USA leads the way worldwide in technology. Some of this leading-edge knowledge works its way into the CSF via participation in consultations and workshops, making NIST probably the best-informed standards body around. Add to that the idea that NIST is able to access knowledge from US Government intelligence agencies (of which there are many) and you come to realise that CSF is based on a firm understanding of the cyber threat landscape.

3 - It has a good reputation

As an organisation, NIST is generally well-regarded internationally, and this reputation rubs off on its products, such as the CSF. Adopting the framework is unlikely to be seen as a strange thing to do, and your announcement of your company’s intention will probably be met with understanding nods of approval, rather than puzzlement. Due to some countries’ suspicion of the USA, you may find that it goes down better in the West perhaps, but in this case, would an alternative such as the ISO/IEC 27001 standard, be any better?

4 - It’s comprehensive in its coverage

With Version 2.0 of the CSF, NIST has expanded its coverage (particularly in the area of Governance) and in some respects it now looks remarkably similar to more established standards such as ISO/IEC 27001. An organization adopting the CSF doesn’t need to be concerned about important areas being missing, as the CSF Functions and Categories encompass the full range of cybersecurity disciplines. The Subcategories further drill down into a fair degree of detail, and the introduction of Implementation Examples with CSF 2.0 help to clarify many of the concepts and controls.

5 - It’s easy to use

To be honest, some other NIST documents can be heavy going, but with the CSF NIST has done a good job of keeping it simple, with relatively few concepts that tie in well together to provide a set of tools that can be easily understood. The standard document provides well written explanations of the core Functions, together with advice for their use and implementation. The Categories and Subcategories that describe the controls are set out as simple statements that an implementer will try to make true, such as “GV.OC-01: The organizational mission is understood and informs cybersecurity risk management”. Combining this with Tiers allows an organization to effectively score itself on a scale of one (Partial) to four (Adaptive) and decide how far it needs to go.

6 - It’s free and well supported

All of the NIST CSF resources are free to download and use and there’s a well-maintained website that provides additional materials to support an organization in implementing the framework. This is in contrast to ISO whose standards cost money and come with no offer of ongoing support. The website includes Quick Start Guides (for example for small businesses), and Informative References which provide more detail available from other NIST standards such as SP 800-53 Security and Privacy Controls for Information Systems and Organizations (which is also free).

7 - It’s flexible to implement

With the CSF, you don’t have to do it all, and you can pick and choose which parts of it make sense for your organization. This is supported by the use of Profiles which allow a kind of gap assessment to be carried out to identify the important priorities for you. Nor is it an all or nothing game, as Tiers allow the controls to be implemented to a degree of completeness that is appropriate to your circumstances.

8 - There’s no expectation for certification

There’s no certification scheme for CSF which could be seen as a disadvantage, but this may have the effect of allowing an organization to focus on what matters to them, rather than the needs of an audit body. If you need to prove the thoroughness of your CSF implementation then there are other routes available, such as an external report along the lines of SOC2.

In Summary

There are lots of good reasons to take a hard look at the NIST Cybersecurity Framework and seriously consider its adoption within your organization. You’ll be buying into a framework that covers the subject well, has good support and carries some weight worldwide.

Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

CertiKit's NIST Cybersecurity Framework V2.0 Toolkit

The CertiKit NIST Cybersecurity Framework 2.0 toolkit can help you implement the framework easily. The toolkit is aligned to the structure of the final published version of CSF 2.0. With 150+ expertly created documents, this toolkit has everything you need for easy implementation. With unlimited email support from our consultants, a perpetual licence and lifetime updates, you’ll have everything you need for compliance.

View NIST CSF 2.0 Toolkit