The NIST Cybersecurity Framework (CSF) 2.0

Cyber threats are evolving constantly and pose a significant challenge for organizations of all sizes and sectors. In this situation, the NIST Cybersecurity Framework (CSF) 2.0 stands as a pivotal tool designed to empower organizations across every sectors — ranging from industry and government to academia and nonprofits—in managing and mitigating cybersecurity risks. The framework offers a flexible approach that can be tailored to meet specific organizational needs.

Unlike rigid, one-size-fits-all methodologies, the CSF acknowledges the distinct risk landscapes that organizations face and offers flexibility, allowing organizations to customize cybersecurity practices to fit their specific missions and risk tolerances. Also, the CSF promotes continuous improvement and resilience. It empowers stakeholders—from executives to frontline staff—with a common language to assess, prioritize, and communicate cybersecurity risks effectively.

The CSF’s modular structure—comprising the CSF Core, Organizational Profiles, and Tiers—provides a comprehensive framework for organizations to strengthen their cybersecurity posture. Together with other standards and best practices, the CSF fosters a holistic approach to cybersecurity and helps organizations build robust defenses against cyber threats while promoting proactive risk management and ongoing improvement.

CSF Core

CSF core is a set of cybersecurity outcomes that can help organization manage cybersecurity risk. The CSF Core components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome.

The CSF Core Functions — GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER — organize cybersecurity outcomes at their highest level.

Govern (GV)

The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

The GOVERN (GV) function focuses on establishing and managing an organization’s cybersecurity risk management strategy, expectations, and policies. Its primary role is to provide guidance on how organizations can achieve and prioritize cybersecurity outcomes across all functions in alignment with their mission and stakeholder expectations.

Key elements

• Organizational Context: Understanding the unique context in which cybersecurity operates within the organization, considering its mission, objectives, and external factors (legal, regulatory, and contractual cybersecurity requirements).

• Cybersecurity Strategy: Developing and communicating a cybersecurity strategy that aligns with organizational goals and risk management frameworks.

• Cybersecurity Supply Chain Risk Management: Integrating cybersecurity considerations into supply chain management to mitigate risks associated with third-party vendors and service providers.

• Roles, Responsibilities, and Authorities: Clearly defining roles, responsibilities, and decision-making authorities for cybersecurity within the organization to ensure accountability and effective governance.

• Policy Development: Establishing cybersecurity policies that outline expectations, requirements, and guidelines for protecting organizational assets and information.

• Oversight and Monitoring: Providing oversight and continuous monitoring of cybersecurity activities to ensure adherence to policies, strategy effectiveness, and responsiveness to evolving threats.

Identify (ID)

The organization’s current cybersecurity risks are understood.

By identifying and assessing assets, suppliers, and associated risks, organizations can prioritize their cybersecurity efforts in alignment with their risk management strategy and mission needs established under the GOVERN function.

Key elements

• Asset Identification: Understanding the organization’s assets, such as data, hardware, software, systems, facilities, services, and people.

• Supplier Identification: Recognizing suppliers and evaluating related cybersecurity risks to manage dependencies and third-party vulnerabilities.

• Risk Assessment: Identifying and evaluating cybersecurity risks to determine their potential impact on the organization.

• Prioritization: Prioritizing cybersecurity efforts based on the assessed risks, consistent with the organization’s risk management strategy and mission requirements.

• Improvement Opportunities: Identifying opportunities to enhance policies, plans, processes, procedures, and practices that support effective cybersecurity risk management.

Protect (PR)

Safeguards to manage the organization’s cybersecurity risks are used.

After identifying and prioritizing assets and risks, PROTECT focuses on securing these assets to prevent or minimize the impact of adverse cybersecurity events and to enhance the ability to leverage opportunities.

Key elements

• Identity Management, Authentication, and Access Control: Ensuring that access to assets is appropriately managed and restricted to authorized individuals.

• Awareness and Training: Educating personnel on cybersecurity risks and best practices to enhance organizational security.

• Data Security: Implementing measures to protect data at rest and in transit, ensuring its confidentiality, integrity, and availability.

• Platform Security: Securing the hardware, software, and services of both physical and virtual platforms to prevent unauthorized access and vulnerabilities.

• Technology Infrastructure Resilience: Enhancing the robustness of the technology infrastructure to withstand and recover from cybersecurity events.

Detect (DE)

Possible cybersecurity attacks and compromises are found and analyzed.

It involves the timely discovery and examination of anomalies, indicators of compromise, and other potentially adverse events, indicating that cybersecurity incidents may be occurring.

Key elements

• Anomaly Detection: Identifying unusual activities or behaviors that could signify a cybersecurity threat.

• Indicators of Compromise Analysis: Recognizing signs that an asset or system may have been compromised.

• Event Analysis: Analyzing detected events to understand the nature and impact of potential cybersecurity incidents.

Respond (RS)

Actions regarding a detected cybersecurity incident are taken.

It aims to effectively manage and mitigate cybersecurity incidents to minimize their impact on the organization.

Key elements

• Incident Management: Coordinating and managing the response to cybersecurity incidents.

• Incident Analysis: Investigating incidents to understand their scope and impact.

• Mitigation: Implementing measures to limit the damage caused by incidents.

• Reporting: Documenting and reporting incidents to relevant stakeholders.

• Communication: Ensuring effective communication during and after incidents to keep stakeholders informed.

Recover (RC)

Assets and operations affected by a cybersecurity incident are restored.

It focuses on ensuring business continuity and minimizing the long-term impact of cybersecurity incidents.

Key elements

• Restoration of Operations: Timely restoring normal operations after an incident.

• Minimizing Impact: Reducing the effects and disruptions caused by the incident.

• Communication: Facilitating appropriate communication during the recovery process to keep stakeholders informed.

CSF Profiles

A CSF Organizational Profile outlines an organization’s current and/or target cybersecurity posture based on the Core’s outcomes. It helps organizations understand, customize, assess, prioritize, and communicate their cybersecurity goals, taking into account their mission, stakeholder expectations, threat landscape, and requirements.

Every Organizational Profile includes one or both of the following

• Current Profile: Details the Core outcomes that an organization is currently achieving or working towards, and how effectively these outcomes are being met.

• Target Profile: Specifies the desired Core outcomes that an organization aims to achieve in the future, considering factors such as new requirements, technology adoption, and evolving threats.

Steps in CSF Organizational Profile

• Scope the Organizational Profile: Define the scope by documenting high-level facts and assumptions. Profiles can vary in scope, covering the entire organization, specific systems (like financial systems), or particular threats (such as ransomware).

• Gather Information: Collect necessary data, including organizational policies, risk management priorities, enterprise risk profiles, business impact analysis (BIA) registers, cybersecurity requirements, standards, practices, tools, and work roles.

• Create the Organizational Profile: Document the information for selected CSF outcomes. Use the risk implications of the Current Profile to inform and prioritize the Target Profile. Consider using a Community Profile as a basis for the Target Profile.

• Analyze Gaps and Create an Action Plan: Perform a gap analysis to identify differences between the Current and Target Profiles. Develop a prioritized action plan to address these gaps, such as a risk register, risk detail report, or Plan of Action and Milestones (POA&M).

• Implement and Update: Follow the action plan to address gaps and progress toward the Target Profile. The action plan may have a set deadline or be ongoing, requiring regular updates to the Organizational Profile.

CSF Tiers

An organization can use Tiers to inform its Current and Target Profiles, reflecting the rigor of its cybersecurity risk governance and management practices. The Tiers provide context on how an organization views and manages cybersecurity risks, similar to the Capability Maturity Model (CMM) used in various contexts to assess process maturity:

• Partial (Tier 1): Informal, ad hoc responses to cybersecurity risks.

• Risk Informed (Tier 2): Risk management practices are in place and aligned with organizational risk.

• Repeatable (Tier 3): Practices are documented, and cybersecurity risk management is consistent.

• Adaptive (Tier 4): Practices are agile, risk-informed, and continuously improving.

Using Tiers guides organizations in establishing their cybersecurity risk management approach, with higher Tiers indicating more robust practices, suitable for higher risks or when justified by cost-benefit analyses.

Overall, the NIST Cybersecurity Framework (CSF) 2.0 provides organizations with a flexible and structured approach to managing cybersecurity risks. By integrating Functions, Categories, and Tiers, the CSF enables organizations to enhance their resilience, prioritize investments effectively, and adapt to evolving threats, fostering a proactive cybersecurity posture essential for safeguarding critical assets and maintaining trust in a digital landscape.