What is the NIST Cybersecurity Framework?
Explore IBM's NIST solution Get Customer and Employee Experience updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint, check mark
What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (NIST CSF) provides comprehensive guidance and best practices that private sector organizations can follow to improve information security and cybersecurity risk management.

The National Institute of Standards and Technology (NIST) is a non-regulatory agency that promotes innovation by advancing measurement science, standards and technology.

The NIST CSF is flexible enough to integrate with the existing security processes within any organization, in any industry. It provides an excellent starting point for implementing information security and cybersecurity risk management in virtually any private sector organization in the United States.

Cost of a Data Breach

Get insights to better manage the risk of a data breach with the latest Cost of a Data Breach report.

Related content

Register for insights on SAP

History of the NIST Cybersecurity Framework

On 12 February 2013, Executive Order (EO) 13636—"Improving Critical Infrastructure Cybersecurity"—was issued. This began NIST’s work with the US private sector to "identify existing voluntary consensus standards and industry best practices to build them into a Cybersecurity Framework." The result of this collaboration was the NIST Cybersecurity Framework Version 1.0.

The Cybersecurity Enhancement Act (CEA) of 2014 broadened NIST's efforts in developing the Cybersecurity Framework. Today, the NIST CSF is still one of the most widely adopted security frameworks across all US industries.

NIST Cybersecurity Framework core structure

NIST Cybersecurity Framework includes functions, categories, subcategories and informative references

Functions give a general overview of security protocols of best practices. Functions are not intended to be procedural steps but are performed “concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.” Categories and subcategories provide more concrete action plans for specific departments or processes within an organization. 

Examples of NIST functions and categories include:

  • Identify: To protect against cyberattacks, the cybersecurity team needs a thorough understanding of the organization's most important assets and resources. The identify function includes categories such as asset management, business environment, governance, risk assessment, risk management strategy and supply chain risk management.

  • Protect: The protect function covers much of the technical and physical security controls for developing and implementing appropriate safeguards and protecting critical infrastructure. These categories are identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technology.

  • Detect: The detect function implements measures that alert an organization to cyberattacks. Detect categories include anomalies and events, security, continuous monitoring and detection processes.

  • Respond: The respond function categories ensure the appropriate response to cyberattacks and other cybersecurity events. Specific categories include response planning, communications, analysis, mitigation and improvements.

  • Recover: Recovery activities implement plans for cyber resilience and ensure business continuity in the event of a cyberattack, security breach or other cybersecurity event. The recovery functions are recovery planning improvements and communications.

The NIST CSF's informative references draw a direct correlation between the functions, categories, subcategories and the specific security controls of other frameworks. These frameworks include:

  1. The Center for Internet Security (CIS) Controls®
  2. COBIT 5
  3. International Society of Automation (ISA) 62443-2-1:2009
  4. ISA 62443-3-3:2013
  5. International Organization for Standardization and the International Electrotechnical Commission 27001:2013
  6. NIST SP 800-53 Rev. 4

The NIST CSF does not tell how to inventory the physical devices and systems or how to inventory the software platforms and applications; it merely provides a checklist of tasks to complete. An organization can choose its own method on how to perform the inventory.

If an organization needs further guidance, it can refer to the informative references to related controls in other complementary standards. There is plenty of freedom in the CSF to select the tools that best suit the cybersecurity risk management needs of an organization.

NIST Framework implementation tiers

To help private sector organizations measure their progress toward implementing the NIST Cybersecurity Framework, the framework identifies four implementation tiers:

  • Tier 1 – Partial: The organization is familiar with the NIST CSF and might have implemented some aspects of control in some areas of the infrastructure. Implementation of cybersecurity activities and protocols has been reactive versus planned. The organization has limited awareness of cybersecurity risks and lacks the processes and resources to enable information security.

  • Tier 2 – Risk informed: The organization is more aware of cybersecurity risks and shares information on an informal basis. It lacks a planned, repeatable and proactive organization-wide cybersecurity risk management process.

  • Tier 3 – Repeatable: The organization and its senior executives are aware of cybersecurity risks. They have implemented a repeatable, organization-wide cybersecurity risk management plan. The cybersecurity team has created an action plan to monitor and respond effectively to cyberattacks.

  • Tier 4 – Adaptive: The organization is now cyber resilient and uses lessons learned and predictive indicators to prevent cyberattacks. The cybersecurity team continuously improves and advances the organization’s cybersecurity technologies and practices and adapts to changes in threats quickly and efficiently. There is an organization-wide approach to information security risk management with risk informed decision-making, policies, procedures and processes. Adaptive organizations incorporate cybersecurity risk management into budget decisions and organizational culture.
Establishing a NIST Framework cybersecurity risk management program

The NIST Cybersecurity Framework provides a step-by-step guide on how to establish or improve their information security risk management program:

  1. Prioritize and scope: Create a clear idea of the scope of the project and identify the priorities. Establish the high-level business or mission objectives, business needs and determine the risk tolerance of the organization.

  2. Orient: Assess the organization’s assets and systems and identify applicable regulations, risk approach and threats to the organization.

  3. Create a current profile: A current profile is a snapshot of how the organization is managing risk as defined by the categories and subcategories of the CSF.

  4. Conduct a risk assessment: Evaluate the operational environment, emerging risks and cybersecurity threat information to determine the probability and severity of a cybersecurity event.

  5. Create a target profile: A target profile represents the risk management goal of the information security team.

  6. Determine, analyze and prioritize gaps: By identifying the gaps between the current and target profile, the information security team can create an action plan, including measurable milestones and resources (people, budget, time) required to fill these gaps.

  7. Implement action plan: Implement the action plan defined in Step 6.
Related solutions
Governance, risk and compliance services

Governance, risk and compliance services from IBM help you evaluate your existing security governance against your business requirements and objectives.

Explore governance, risk and compliance services
IBM Concert

Simplify and optimize your application management and technology operations with generative AI-driven insights.

Explore Concert
Resources What is network security?

At a foundational level, network security is the operation of protecting data, applications, devices and systems that are connected to the network.

What is cybersecurity?

Cybersecurity technology and best practices protect critical systems and sensitive information from an ever-growing volume of continually evolving threats.

Take the next step

Establish governance structures that increase cybersecurity maturity with an integrated governance, risk and compliance (GRC) approach. IBM Active Governance Services (AGS) integrates key cybersecurity and organizational data points into a centralized solution, providing key capabilities across people, processes and technology.

Explore GRC services