What is the NIST Cybersecurity Framework? A short guide

The National Institute of Standards and Technology (NIST) is a US government agency founded in 1901 by Congress (originally as the National Bureau of Standards), and forms part of the United States Department of Commerce. Initially focused on standardizing physical weights and measures, NIST’s role has expanded over time to cover many aspects of technology and its use and included the investigation into the collapse of the World Trade Center as a result of the September 11^th attacks. Some aspects of NIST’s role are explicitly laid out in US legislation and in 2013 an Executive Order from President Obama (EO 13636 – “Improving Critical Infrastructure Cybersecurity”) mandated the creation of a Cybersecurity Framework (CSF), with the Cybersecurity Enhancement Act of 2014 placing further emphasis on NIST’s role in cybersecurity. The first version of the Framework was published in 2014 and it was updated in April 2018 with CSF 1.1.

The use of the Cybersecurity Framework was made compulsory for federal agencies by President Trump in an Executive Order (EO 13800 – “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”) in 2017. A strong aspect of the legislation dealing with the CSF is the need for it to stay up to date, to drive improvement and to encourage close cooperation between the private and public sectors. To this end, NIST has embarked on the journey to CSF 2.0 with a comprehensive program of consultation, including a series of well-attended workshops and invitations for comment, culminating in the publication of CSF 2.0 in February 2024.

What’s New in Version 2.0

Version 2.0 of the CSF represents an “opening out” of the framework to position it as being generally applicable, not only to the public and private sectors in the USA, but also internationally. The emphasis is less on protecting critical infrastructure (although this is still a major goal) and more towards improving cybersecurity standards across the full range of industrial sectors, including within small and medium-sized businesses. This change is reflected in the new name of simply “Cybersecurity Framework”, compared to the previous name of “Framework for Improving Critical Infrastructure Cybersecurity”.

Another obvious enhancement is the creation of the new “Govern” function, a cross-cutting set of categories intended to provide overall direction to the existing five functions, as shown below.

The Govern (GV) function consists of the following categories:

• Organizational Context (GV.OC)
• Risk Management Strategy (GV.RM)
• Roles, Responsibilities and Authorities (GV.RR)
• Policy (GV.PO)
• Oversight (GV.OV)
• Cybersecurity Supply Chain Risk Management (GV.SC)

Many of the subcategories covered within the above list have been taken from the Identify (ID) function, with a few also being extracted from other functions within the CSF V1.1.

Other significant changes include:

• Informative references will now be provided online, to provide for easier and more frequent updating
• Implementation examples will be provided to help with interpretation of the sub-categories
• The use of tiers has been clarified
• Revised guidance on how to create and use framework profiles
• Clearer emphasis on improvement, with the creation of an Improvement category within the Identify function

The NIST CSF 2.0 consists of a number of building blocks which, when used together, allow an organization to put in place a risk-based framework tailored to their specific environment. This section explains briefly what those building blocks are.

Functions

Functions provide an overall structure for the framework and group together related categories as shown in the list below. In many respects, it may help to view the first three functions as “proactive”, as they deal with the process of assessing and treating risk ahead of time, and the latter three functions as “reactive”, as they cover the more real-time process of detecting and dealing with cybersecurity incidents.

However, NIST is clear that this is not intended to be a process model, so activities may be taking place within all of the functions at the same time.

The functions are usually color-coded to provide a degree of familiarity when working with the framework.

Categories

Categories provide the next level of detail below functions, as shown in the list below. Again, they are not necessarily intended to be done in the order in which they appear but are a way of grouping together the sub-categories below them which give more detail about specific activities that can be done to improve cybersecurity.

Govern (GV):

• GV.OC – Organizational Context
• GV.RM – Risk Management Strategy
• GV.RR – Roles, Responsibilities, and Authorities
• GV.PO – Policy
• GV.OV – Oversight
• GV.SC – Cybersecurity Supply Chain Risk Management

Identify (ID):

• ID.AM – Asset Management
• ID.RA – Risk Assessment
• ID.IM – Improvement

Protect (PR):

• PR.AA – Identity Management, Authentication, and Access Control
• PR.AT – Awareness and Training
• PR.DS – Data Security
• PR.PS – Platform Security
• PR.IR – Technology Infrastructure Resilience

Detect (DE):

• DE.CM – Continuous Monitoring
• DE.AE – Adverse Event Analysis

Respond (RS):

• RS.MA – Incident Management
• RS.AN – Incident Analysis
• RS.CO – Incident Response Reporting and Communication
• RS.MI – Incident Mitigation

Recover (RC):

• RC.RP – Incident Recovery Plan Execution
• RC.CO – Incident Recovery Communication

Subcategories

Subcategories are where we get into the detail of the outcomes that we are looking to achieve. The table below shows the subcategories for the Organizational Context (GV.OC) category, which is within the Govern (GV) function.

Each subcategory has a reference (for example GV.OC-01) which allows it to be uniquely identified within the framework.

The subcategories are written as statements of fact (for example “The organizational mission is understood…”) and the aim of the organization in implementing the framework is to be able to agree with each relevant statement.

Implementation Examples

New with CSF 2.0 is the use of implementation examples. These are intended to be illustrative rather than definitive and are used to give a better idea of the kinds of tasks that should be performed to achieve the goal stated in the sub-category. They may not all apply to a particular organization and so should be used as guidelines only. The table below shows some typical implementation examples.

Informative References

One of the intentions of the CSF is to be able to leverage the content of other standards and it does this through the use of informative references. For each subcategory a list of specific references to other standards is given. References are commonly taken from the following:

• Center for Internet Security – Critical Security Controls
• ISO/IEC 27001 international standard for information security
• COBIT 5 – Control Objectives for Information Technologies
• NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
• ISA 62443 – International Society of Automation standards

Whereas these were listed directly in the main CSF document previously, the intention with 2.0 is to maintain these separately in a tool accessible via the NIST website.

Tiers

Four levels of rigor are defined within the CSF to judge an organization’s practices within two areas:

• Cybersecurity risk governance
• Cybersecurity risk management

The four levels used are:

• Tier 1 – Partial
• Tier 2 – Risk informed
• Tier 3 – Repeatable
• Tier 4 – Adaptive

In effect, the tiers are similar to levels of maturity used in other frameworks, but NIST is keen to point out that not every organization needs to be at Tier 4 for each of the three areas. The additional effort required to reach a higher tier needs to be cost-justified.

Tiers are an optional part of the framework and they are intended to be used at a number of different levels as appropriate, from a high level aspiration of “becoming a Tier 3 organization” to a more specific goal of “improving the Cybersecurity Supply Chain Risk Management category from Tier 2 to Tier 3”.

Profiles

Within the context of the CSF, a profile is a description of parts of the framework that are either in place already (a current profile) or that the organization aspires to meet (a target profile). In common terms this comparison between current state and desired state is often called a gap assessment, although this is not a term used by NIST. There is no standard way to create a profile, and it may be done at a number of different levels; for example at the highest level by function and at the lowest by subcategory. A further level of granularity can be introduced by the use of tiers (as described above).

The key output of the use of profiles is an action plan to move the organization’s cybersecurity from where it is now to where it is desired to be.

More NIST Guidance Available

We recommend you make use of these resources on the NIST website in addition to the CertiKit NIST Cybersecurity Toolkit to smooth your journey to implementing the Cybersecurity Framework 2.0.