The NIST Cybersecurity Framework (NIST CSF) provides comprehensive guidance and best practices that private sector organizations can follow to improve information security and cybersecurity risk management.
The National Institute of Standards and Technology (NIST) is a non-regulatory agency that promotes innovation by advancing measurement science, standards and technology.
The NIST CSF is flexible enough to integrate with the existing security processes within any organization, in any industry. It provides an excellent starting point for implementing information security and cybersecurity risk management in virtually any private sector organization in the United States.
On 12 February 2013, Executive Order (EO) 13636—"Improving Critical Infrastructure Cybersecurity"—was issued. This began NIST’s work with the US private sector to "identify existing voluntary consensus standards and industry best practices to build them into a Cybersecurity Framework." The result of this collaboration was the NIST Cybersecurity Framework Version 1.0.
The Cybersecurity Enhancement Act (CEA) of 2014 broadened NIST's efforts in developing the Cybersecurity Framework. Today, the NIST CSF is still one of the most widely adopted security frameworks across all US industries.
The NIST Cybersecurity Framework includes functions, categories, subcategories and informative references.
Functions give a high-level overview of security best practices. Functions are not intended to be procedural steps but are performed "concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk." Categories and subcategories provide more concrete action plans for specific departments or processes within an organization.
Examples of NIST functions and categories include:
The NIST CSF's informative references draw a direct correlation between the functions, categories, subcategories and the specific security controls of other frameworks. These frameworks include:
The NIST CSF does not prescribe how to inventory physical devices and systems or how to inventory software platforms and applications; it merely provides a checklist of tasks to complete. An organization can choose its own method for performing the inventory.
If an organization needs further guidance, it can refer to the informative references to related controls in other complementary standards. There is plenty of freedom in the CSF to select the tools that best suit the cybersecurity risk management needs of an organization.
To help private sector organizations measure their progress toward implementing the NIST Cybersecurity Framework, the framework identifies four implementation tiers:
The NIST Cybersecurity Framework provides a step-by-step guide that an organization can use to establish or improve its information security risk management program: