The National Institute of Standards and Technology (NIST) is a non-regulatory agency that promotes innovation by advancing measurement science, standards, and technology. The NIST Cybersecurity Framework (NIST CSF) consists of standards, guidelines, and best practices that help organizations improve their management of cybersecurity risk. 

The NIST CSF is designed to be flexible enough to integrate with the existing security processes within any organization, in any industry. It provides an excellent starting point for implementing information security and cybersecurity risk management in virtually any private sector organization in the United States.

On February 12, 2013, Executive Order (EO) 13636—"Improving Critical Infrastructure Cybersecurity"—was issued. This began NIST’s work with the U.S. private sector to "identify existing voluntary consensus standards and industry best practices to build them into a Cybersecurity Framework." The result of this collaboration was the NIST Cybersecurity Framework Version 1.0.

The Cybersecurity Enhancement Act (CEA) of 2014 broadened NIST's efforts in developing the Cybersecurity Framework. Today, the NIST CSF is still is one of the most widely adopted security frameworks across all U.S. industries.

NIST Cybersecurity Framework includes functions, categories, subcategories, and informative references. 

Functions give a general overview of security protocols of best practices. Functions are not intended to be procedural steps but are to be performed “concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.” Categories and subcategories provide more concrete action plans for specific departments or processes within an organization. 

Examples of NIST functions and categories include the following:

• Identify: To protect against cyberattacks, the cybersecurity team needs a thorough understanding of what are the most important assets and resources of the organization. The identify function includes such categories as asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management.
  
  
• Protect: The protect function covers much of the technical and physical security controls for developing and implementing appropriate safeguards and protecting critical infrastructure. These categories are identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
  
  
• Detect: The detect function implements measures that alert an organization to cyberattacks. Detect categories include anomalies and events, security continuous monitoring, and detection processes.
  
  
• Respond: The respond function categories ensure the appropriate response to cyberattacks and other cybersecurity events. Specific categories include response planning, communications, analysis, mitigation, and improvements.
  
  
• Recover: Recovery activities implement plans for cyber resilience and ensure business continuity in the event of a cyberattack, security breach, or other cybersecurity event. The recovery functions are recovery planning improvements and communications.

The NIST CSF's informative references draw direct correlation between the functions, categories, subcategories, and the specific security controls of other frameworks. These frameworks include the Center for Internet Security (CIS) Controls®, COBIT 5, International Society of Automation (ISA) 62443-2-1:2009, ISA 62443-3-3:2013, International Organization for Standardization and the International Electrotechnical Commission 27001:2013, and NIST SP 800-53 Rev. 4.

The NIST CSF does not tell how to inventory the physical devices and systems or how to inventory the software platforms and applications; it merely provides a checklist of tasks to be completed. An organization can choose its own method on how to perform the inventory. If an organization needs further guidance, it can refer to the informative references to related controls in other complementary standards. There is a lot of freedom in the CSF to pick and choose the tools that best suit the cybersecurity risk management needs of an organization.

To help private sector organizations measure their progress towards implementing the NIST Cybersecurity Framework, the framework identifies four implementation tiers:

• Tier 1 – Partial: The organization is familiar with the NIST CSF and may have implemented some aspects of control in some areas of the infrastructure. Implementation of cybersecurity activities and protocols has been reactive vs. planned. The organization has limited awareness of cybersecurity risks and lacks the processes and resources to enable information security.
  
  
• Tier 2 – Risk Informed: The organization is more aware of cybersecurity risks and shares information on an informal basis. It lacks a planned, repeatable, and proactive organization-wide cybersecurity risk management process.
  
  
• Tier 3 – Repeatable: The organization and its senior executives are aware of cybersecurity risks. They have implemented a repeatable, organization-wide cybersecurity risk management plan. The cybersecurity team has created an action plan to monitor and respond effectively to cyberattacks.
  
  
• Tier 4 – Adaptive: The organization is now cyber resilient and uses lessons learned and predictive indicators to prevent cyberattacks. The cybersecurity team continuously improves and advances the organization’s cybersecurity technologies and practices and adapts to changes in threats quickly and efficiently. There is an organization-wide approach to information security risk management with risk informed decision-making, policies, procedures, and processes. Adaptive organizations incorporate cybersecurity risk management into budget decisions and organizational culture.

The NIST Cybersecurity Framework provides a step-by-step guide on how to establish or improve their information security risk management program:

1. Prioritize and scope: Create a clear idea of the scope of the project and identify the priorities. Establish the high-level business or mission objectives, business needs, and determine the risk tolerance of the organization.
   
   
2. Orient: Take stock of the organization’s assets and systems and identify applicable regulations, risk approach, and threats to which the organization might be exposed.
   
   
3. Create a current profile: A current profile is a snapshot of how the organization is managing risk at present, as defined by the categories and subcategories of the CSF.
   
   
4. Conduct a risk assessment: Evaluate the operational environment, emerging risks, and cybersecurity threat information to determine the probability and severity of a cybersecurity event that can impact the organization.
   
   
5. Create a target profile: A target profile represents the risk management goal of the information security team.
   
   
6. Determine, analyze, and prioritize gaps: By identifying the gaps between the current and target profile, the information security team can create an action plan, including measurable milestones and resources (people, budget, time) required to fill these gaps.
   
   
7. Implement action plan: Implement the action plan defined in Step 6.