A Quick Guide To The NIST Cybersecurity Framework

    The NIST Cybersecurity Framework provides security guidelines for a company to improve cyber resilience. Here is a quick guide to the framework.

    by Julie Anderson

    Key Points

    • The NIST Cybersecurity Framework provides a methodology for companies to manage cyberattack risks.
    • The major framework functions are Identify, Protect, Detect, Respond and Recover.
    • Using profiles, a company assesses its current standards and practices and identifies its target level of cybersecurity resilience.


    Every month brings a new form of cyberattack. Just as a company fends off the current ransomware or phishing attack, a newer and more malicious attack appears on the horizon. The best defense is a formal strategy for cyber resilience, both to ward off attacks and to handle and recover from those that break through. The Cybersecurity Framework documented by the National Institute of Standards and Technology (NIST)[1] lays out practical guidelines and standards for both public agencies and private companies to manage cyberattack risks and maintain cyber resilience.

    What Is the NIST Cybersecurity Framework?

    Originally designed for critical infrastructure systems, the NIST framework can be applied to organizations in any sector. Companies can implement as much of the framework as is practical and cost-effective for their current business environment, on a voluntary basis.

    This is not the only cybersecurity framework. Using general frameworks, such as the International Organization for Standardization (ISO) 27001 and 27002 standards, a company can validate its cybersecurity readiness to customers and partners. Other cybersecurity frameworks protect data in specific sectors, such as finance, energy and healthcare.

    The purpose of the NIST Cybersecurity Framework is to help organizations assess and manage risk, as well as communicate that strategy to internal and external stakeholders. It’s intended to facilitate communications throughout the company — from end users to the executive suite. Companies can also use the framework to communicate and coordinate risk management activities with business partners throughout their supply chain.

    Why Your Company Needs a Cybersecurity Framework

    Today’s reliance on technology and interconnected systems increases vulnerability to cyberattacks. Additionally, it’s critically important in the current environment to ensure the security of user and customer data. The NIST Cybersecurity Framework can minimize cyberattack vulnerabilities that expose private data.

    Organizations can use the NIST Cybersecurity Framework to marry business objectives with security objectives either by creating a new cybersecurity program or improving an existing one. Additionally, the framework is flexible, so companies can implement what fits their business priorities and risk tolerance.

    Using the framework won’t eliminate all exposure, but if attacked, the cyber resilience plan will help companies respond and recover. And since a company is often only as secure as its supply chain partners, the NIST Cybersecurity Framework can help establish cyberattack protection requirements with partner companies.

    The NIST Cybersecurity Framework Explained

    NIST continuously evolves the Cybersecurity Framework in collaboration with industry, under the Cybersecurity Enhancement Act of 2014. The original target audience was critical infrastructure organizations, such as utilities, transportation and healthcare, but now any company can take advantage of the NIST Cybersecurity Framework recommendations and strategies. In fact, companies across the globe have implemented this framework,[2] and NIST has recently increased efforts to extend its tools to small and midsize businesses.[3] The framework focuses on global standards and best practices, and it is technology neutral.

    As a cyber resilience framework, the NIST Cybersecurity Framework specifies a set of activities to achieve defined outcomes for mitigating cyber risk and recovering from attacks.

    • The Framework Core comprises five functions: Identify, Protect, Detect, Respond and Recover. Within each function are categories and subcategories, which consist of activities and recommended references that describe standards and practices for achieving the goals of each function.
    • Four Implementation Tiers define the degree to which an organization implements the framework — from basic implementations (Tier 1) to more advanced and agile security plans (Tier 4).
    • Profiles describe the current and desired state of security. The Current Profile represents a company’s existing practices and standards, while the Target Profile represents the cybersecurity resilience the company wants to achieve.

    The next section more fully explains the three components.

    Key Functions of a NIST Cybersecurity Framework

    Critical to the NIST Cybersecurity Framework are the five Core Functions, which are intended to be executed concurrently and continuously:

    1. Identify: For this function, a company identifies its critical resources and the risks associated with those resources. For example, for ransomware attacks, the company might identify users as the main entry-point risk — especially users working remotely — and also prioritize company data to be protected. Categories under this function include Asset Management, Business Environment, Governance, Risk Assessment and Risk Management Strategy.
    2. Protect: This is where the company develops safeguards to ensure continuous delivery of business functions. Using the same example of ransomware attacks, the company may employ multiple actions, such as strengthening email security by training users, warning them not to open suspicious emails, implementing artificial intelligence to screen and discard phishing emails before they are delivered to users, and using two-factor authentication to make it more difficult for attackers to use stolen credentials. And to protect the data, the company may create offsite backups. Categories under Protect include Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance and Protective Technology.
    3. Detect: For this function, the company develops methods to discover an intrusion or attack. For example, the company can monitor user logins for anomalies or be on the lookout for ransomware-delivery trojans. Ideally, the ransomware trojan can be detected before it drops its payload. Categories for Detect include Anomalies and Events, Security Continuous Monitoring and Detection Processes.
    4. Respond: After a successful attack, the company must be prepared to notify the appropriate stakeholders and halt the intrusion. After a ransomware attack, for example, a company with offsite data backups should be able to respond without paying the ransom. Categories here are Response Planning, Communications, Analysis, Mitigation and Improvements.
    5. Recover: In this step, a company restores any damaged resources to normal operation. In a ransomware attack, that means restoring the data from an offsite backup and cleansing user devices. Categories are Recovery Planning, Improvements and Communications.

    Many factors affect the Cybersecurity Framework Tier that a company will choose to implement. The level of risk and a company’s risk tolerance, regulatory requirements, supply chain security requirements and business constraints are just a few. The four Tiers are:

    • Tier 1, Partial: Organizations in this Tier take an informal and reactive approach to cybersecurity risk, responding on a case-by-case basis without coordinating with business partners.
    • Tier 2, Risk Informed: Organizations are aware of risk, but no company-wide program is implemented. There is some limited cooperation with business partners.
    • Tier 3, Repeatable: Risk management is set as company-wide policy and regularly reviewed. In this Tier, companies collaborate with outside entities via agreements with supply chain partners.
    • Tier 4, Adaptive: Organizations in this Tier continuously improve cybersecurity practices organization-wide, adopting advanced technologies to face changing threats. They proactively monitor their supply chain environment, in which they have formal agreements.

    A company’s NIST Cybersecurity Framework Profile represents its security environment and risk tolerance.

    • Current Profile: A company’s self-assessment of its cybersecurity readiness, which may uncover weaknesses in its policies and procedures.
    • Target Profile: A company’s desired level of cybersecurity readiness.

    By comparing its Current Profile with its Target Profile, a company can measure the costs and benefits of its cybersecurity activities and develop an action plan to advance to the Target Profile.

    How to Get Started with Your Cybersecurity Framework

    If you are interested in creating a new cybersecurity framework for your organization, or improving your current cybersecurity practices, you can do so in a few steps:

    1. Identify your business’s mission and the resources that need to be protected. Also consider any regulatory and privacy requirements and identify related threats. From that information, describe your priorities and assess your risks and risk tolerance.
    2. Develop your Current Profile. List the practices already in place as well as outcomes achieved or partially achieved. Conduct a risk assessment to determine the likelihood of an event and the resulting impact. It’s important to be up to date on current threats.
    3. Develop your Target Profile. For any vulnerabilities uncovered in the Current Profile, identify additional practices and standards to implement. If the Target Profile seems unreachable with current staffing, consider adding resources.
    4. At each step, communicate the state of cybersecurity risk to internal and external stakeholders.
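
    As an added example that is not part of the original article, the Profile comparison described above (and in steps 2 and 3) can be modelled in a few lines of Python: the Core categories this page lists, a Tier score per category, and a gap analysis that turns the difference between the Current and Target Profiles into a prioritized action list. Assigning a Tier to each category and the sample Tier values are assumptions made for illustration.

```python
# Framework Core: the five Functions and the categories this page lists under each.
CORE = {
    "Identify": ["Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy"],
    "Protect": ["Identity Management and Access Control", "Awareness and Training",
                "Data Security", "Information Protection Processes and Procedures",
                "Maintenance", "Protective Technology"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring",
               "Detection Processes"],
    "Respond": ["Response Planning", "Communications", "Analysis", "Mitigation",
                "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
KNOWN = {f"{fn}/{cat}" for fn, cats in CORE.items() for cat in cats}

def validate_profile(profile):
    """A Profile maps 'Function/Category' to the Tier (1-4) achieved or targeted.
    Unknown categories or out-of-range Tiers are rejected rather than silently ignored."""
    for key, tier in profile.items():
        if key not in KNOWN:
            raise ValueError(f"unknown Core category: {key}")
        if tier not in TIERS:
            raise ValueError(f"Tier for {key} must be 1-4, got {tier!r}")

def gap_analysis(current, target):
    """Compare Current and Target Profiles. Returns (category, have, want) for every
    category where the Target exceeds the Current, largest shortfall first.
    A category absent from the Current Profile is treated as Tier 1 (Partial)."""
    validate_profile(current)
    validate_profile(target)
    gaps = [(key, current.get(key, 1), want)
            for key, want in target.items() if want > current.get(key, 1)]
    return sorted(gaps, key=lambda g: (g[1] - g[2], g[0]))

def action_plan(current, target):
    """Human-readable action items, one per gap, for the stakeholder report (step 4)."""
    return [f"{key}: Tier {have} ({TIERS[have]}) -> Tier {want} ({TIERS[want]})"
            for key, have, want in gap_analysis(current, target)]

# Constructed sample Profiles (assumed values) for the ransomware scenario on this page.
CURRENT_PROFILE = {"Identify/Asset Management": 2, "Protect/Awareness and Training": 1,
                   "Protect/Data Security": 2, "Detect/Anomalies and Events": 1,
                   "Recover/Recovery Planning": 3}
TARGET_PROFILE = {"Identify/Asset Management": 3, "Protect/Awareness and Training": 3,
                  "Protect/Data Security": 3, "Detect/Anomalies and Events": 3,
                  "Respond/Response Planning": 3, "Recover/Recovery Planning": 3}

if __name__ == "__main__":
    for item in action_plan(CURRENT_PROFILE, TARGET_PROFILE):
        print(item)
```

    Categories that appear only in the Target Profile (here Respond/Response Planning) surface as the largest gaps, which is the usual situation when a self-assessment uncovers an outcome nobody has yet owned.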

    Why Do Organizations Need to Implement the NIST Cybersecurity Framework?

    The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.

    The Bottom Line

    Implementing a cybersecurity framework is not a job that’s “one and done.” Cybercriminals don’t rest and neither can a business. Assessing risk should be repeated at intervals because achieving cybersecurity resilience is an ongoing process. Using the NIST Cybersecurity Framework, organizations can determine where their security vulnerabilities lie and how to limit and manage cyberattacks.


    [1] “Framework for Improving Critical Infrastructure Cybersecurity,” National Institute of Standards and Technology

    [2] “NIST Marks Fifth Anniversary of Popular Cybersecurity Framework,” National Institute of Standards and Technology

    [3] “Small and Medium Business Resources,” National Institute of Standards and Technology
