The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (also referred to as the NIST Cybersecurity Framework or “NIST CSF”) describes the standing of an organization’s information security program using a Framework Core, Implementation Tiers, and Framework Profiles. The Framework is flexible enough to be applied in contexts beyond critical infrastructure and across a wide array of industries. Its intent is to provide “a common taxonomy and mechanism for organizations to: (1) describe their current cybersecurity posture; (2) describe their target state for cybersecurity; (3) identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; (4) assess progress toward the target state; [and] (5) communicate among internal and external stakeholders about cybersecurity risk.”
The NIST CSF is organized into five core Functions, collectively known as the Framework Core. The Functions operate concurrently and continuously, and together they represent a security lifecycle. Each Function is essential to a well-operating security posture and to successful management of cybersecurity risk. Definitions for each Function are as follows:
The NIST CSF Implementation Tiers describe how an organization views cybersecurity risk and the maturity of the processes it has in place to manage that risk. The Tiers give organizations a benchmark against which to measure their current operations.
You can use the NIST CSF to benchmark your current risk posture. Working through each Category and Subcategory within the core Functions can help you determine where you stand on the NIST CSF Tier scale. Using the NIST Cybersecurity Framework is a practical way to standardize your cybersecurity and risk management practices.