Every organization wants to improve its information security capabilities. Part of a security leader’s job is identifying the best way to do that.
However, no two organizations are exactly alike. Various stakeholders may have different ideas about what high-impact security excellence looks like in practice. Achieving meaningful security goals means getting everyone on the same page first.
The National Institute of Standards and Technology (NIST) publishes a voluntary cybersecurity framework so that security leaders and organizations can better understand, manage, and reduce cybersecurity risk. The NIST Cybersecurity Framework provides a uniform starting point for organizations to develop their information security capabilities.
The NIST Cybersecurity Framework (NIST CSF) provides a comprehensive outline of best practices for organizations investing time and resources into cybersecurity initiatives. It is designed to be applicable in many different contexts — small businesses, mid-sized enterprises, and multinational organizations can all follow this framework.
It is a voluntary framework, which means there is no legal or regulatory punishment for failure to comply. However, there is significant overlap between NIST’s voluntary standards and the legally mandated regulatory standards used in many industries. Organizations that adhere to ISO 27001, CIS, or PCI-DSS compliance can (and often do) also pursue NIST CSF.
Since it is a voluntary framework, security leaders aren’t under pressure to adopt the entire framework all at once. Some security leaders choose to implement individual parts of the framework, or to deploy the recommended controls only in certain business processes.
The framework itself describes five functions that are critical to security programs. Each function contains 23 unique categories, which are further broken down into more specific subcategories.
The five NIST Cybersecurity Framework categories are:
The Identify category is all about visibility. In order to protect business assets, security teams need to understand where those assets are located, how they interact with one another, and what policies govern their use.
In this context, “asset” means anything from endpoint devices like laptops and servers to user accounts created for employees and vendors. It can also include cloud computing workloads and applications, as well. Anything that has value to the organization can be an asset.
Here are some of the subcategories included under the Identify category:
The Protect category prevents attackers from exploiting vulnerabilities and contains the damage that may result from a successful breach. This category covers a wide range of technologies and policies, from technical implementations to employee training initiatives.
These framework elements work together to safeguard critical assets from the risks identified previously. NIST recommends establishing multi-layered security policies that ensure assets enjoy decent protection even if attackers bypass one or more security controls.
Here are some of the subcategories included in the Protect category:
The Detect category provides guidance on how to monitor different aspects of the organization’s security posture. This helps security teams detect threats early, making it much easier for them to contain threats before they cause serious damage.
The NIST Cybersecurity Framework provides some high-level guidance on identifying activities that deviate from expected norms. It also describes methods for continuously monitoring for threats and ensuring the integrity of threat detection workflows.
Some of the subcategories included in the Detect category include:
The Respond category focuses on minimizing the impact of a threat once it is detected. That requires building a comprehensive action plan that includes notifying stakeholders of security breaches, taking decisive actions against threat actors, and conducting investigations to assess the extent of the damage.
This category also provides guidance into threat mitigation and remediation. When taken altogether, these actions can make the difference between a minor security incident and a catastrophic data breach.
Some of the subcategories included in the Respond category include:
The Recovery category emphasizes the importance of returning to normal business activity as soon as possible after a security incident occurs. It includes policies for restoring systems, implementing lessons learned, and preventing future threats.
When properly implemented, these policies help reduce the costs associated with downtime. It provides core guidance on restoring damaged equipment and communicating with customers, employees, and stakeholders throughout the recovery process.
Some of the subcategories included in the Recovery category include:
Organizations use the NIST Cybersecurity Framework to increase their security awareness and improve their level of preparedness against unexpected threats. Because every organization pursues the NIST standard in a different way, it can be used for a variety of goals.
Some of the ways organizations enhance security using the NIST CSF include:
Note: Since NIST is a voluntary framework, organizations do not generally achieve “NIST CSF compliance”. Technically, security teams “leverage” NIST framework categories towards optimizing their security processes. All NIST CSF controls are internally developed and self-assessed.
Many security practitioners use “NIST” as an interchangeable catch-all term for compliance initiatives based on NIST standards. However, NIST is a large organization with more than a thousand published reference materials. More than one of these have applications in the information security space.
NIST Special Publication 800-53 is the most common example. This is a set of security standards developed by the same institution, but specifically for use by federal government information systems. This helps government agencies and their vendors comply with the Federal Information Security Management Act (FISMA).
Every organization has its own reasons for pursuing the NIST Cybersecurity Framework.
Since the NIST Cybersecurity Framework has a wide-ranging scope, it is a relatively accessible objective for organizations making their first foray into information security compliance. It is not a replacement for in-depth customization or industry-specific regulation — but pursuing NIST CSF can improve compliance outcomes down the line.
We’ve expanded our MDR capabilities with enhanced incident response and security services to better protect against evolving cyber threats.