NIST Cybersecurity Framework: A Cheat Sheet for Professionals

The National Institute of Standards and Technology has updated its Cybersecurity Framework for
2024. Version 2.0 of the NIST CSF, the first major update since the framework was released a
decade ago, was created with the goal of expanding the primary audience from critical
infrastructure to all organizations. In general, the NIST CSF aims to standardize practices to ensure
uniform protection of all U.S. cyber assets.
TechRepublic’s cheat sheet about the NIST CSF is an overview of this new government-recommended
best practice, and it includes steps for implementing the security framework.

What is the NIST Cybersecurity Framework?

The NIST CSF is a set of optional standards, best practices and recommendations for improving
cybersecurity and risk management at the organizational level. The goal of the CSF is to create a
common language, a set of standards and an easily executable series of goals for improving
cybersecurity and limiting cybersecurity risk.
NIST has thorough documentation of the CSF on its website, along with links to FAQs, industry
resources and other information necessary to ease enterprise transition into a CSF world.

Is the NIST Cybersecurity Framework just for government use?

The NIST Framework isn’t just for government use — it can be adapted to businesses of any size.
The CSF affects anyone who makes decisions about cybersecurity and cybersecurity risks in their
organizations, and those responsible for implementing new IT policies.
The NIST CSF standards are optional for private businesses — that is, there’s no penalty for private
organizations that don’t wish to follow them. This doesn’t mean the NIST CSF isn’t an ideal
jumping off point for organizations, though — it was created with scalability and gradual
implementation so any business can benefit and improve its security practices and prevent a
cybersecurity event.

Does the NIST Cybersecurity Framework apply outside of the United States?
Although the NIST CSF is a publication of the U.S. government, it may be useful to businesses
internationally. The NIST CSF is aligned with the International Organization for Standardization
and the International Electrotechnical Commission. Version 2.0 will likely be translated by
community volunteers in the future, NIST said. The cybersecurity outcomes described in the CSF
are “sector-, country-, and technology-neutral,” NIST wrote in Version 2.0.
What’s new in Version 2.0 of the NIST Cybersecurity Framework?
Version 2.0 of the NIST CSF expands the scope of the framework from critical infrastructure to
organizations in every sector and adds new emphasis on governance. The governance portion
positions cybersecurity as one of the most important sources of enterprise risk that senior business
leaders should consider, alongside finance, reputation and others.
The NIST CSF 2.0 includes Quick Start guides, reference tools and organizational and community
profile guides. The reference tools were created to provide organizations a simplified way to
implement the CSF compared to Version 1.1.
Version 2.0 of the NIST CSF adds:
• The Function of “Govern,” which focuses on how organizations can make informed decisions
regarding their cybersecurity strategy
• Implementation Examples and Informative References, which will be updated online regularly
• Organizational Profiles, which may help organizations determine their current status in terms of
cybersecurity and what status they might want to move to.

Why was the NIST Cybersecurity Framework created?

The cybersecurity world is fragmented, despite its ever-growing importance to daily business
operations. Organizations fail to share information, IT professionals and C-level executives sidestep
their own policies and organizations speak their own cybersecurity languages. NIST’s goal with the
creation of the CSF is to help eliminate the chaotic cybersecurity landscape we find ourselves in.
The NIST CSF provides a proven method by which organizations can address their specific
cybersecurity needs within a flexible but highly regimented set of instructions.
While version 2.0 is still too new to have proven success stories, NIST has recorded the benefits of
1.0. For example, the University of Chicago, which receives government funding, used the CSF to
create a prioritized data security mitigation and remediation plan and consistent data management
standards.
Since NIST standards are rigorous, adhering to them means an organization likely follows other
existing corporate security guidelines as well. Use of the NIST CSF may be a factor in which
organizations receive government funding.

When was the NIST Cybersecurity Framework created?

Former President Barack Obama signed Executive Order 13636 in 2013, titled Improving Critical
Infrastructure Cybersecurity, which set the stage for the NIST Cybersecurity Framework that was
released in 2014.
Former President Donald Trump’s 2017 cybersecurity executive order went one step further and
made the framework created by Obama’s order into federal government policy.
NIST CSF Version 2.0 was created in concert with the March 2023 National Cybersecurity Strategy
under President Joe Biden.

How do I prove NIST compliance?

There is no one-size-fits-all certification for compliance with NIST’s many different cybersecurity
recommendations and frameworks; however, “NIST compliance” often refers to SP 800-53,
“Security and Privacy Controls for Information Systems and Organizations.” NIST 800-53 is a
publication from NIST that outlines protections for information and information systems. Federal
agencies must be NIST 800-53 compliant. NIST 800-53 is potentially useful as a standard for other
organizations as well due to its thoroughness and proven effectiveness.
Non-federal organizations or contractors that do business with the U.S. government may need to
prove compliance with NIST SP 800-171, a standard for the protection of controlled unclassified
information.
Both NIST SP 800-53 and NIST SP 800-171 can involve internal or third-party audits. NIST
provides a list of accredited certifying laboratories that can provide third-party audits.
Organizations that want NIST validation on their products can use third-party vendors to prove the
products hold up to the NIST IT Security Validation Program.

What are the six core activities of the NIST Cybersecurity Framework?
As of Version 2.0 of the NIST framework, these are the six core activities: Identify, protect, detect,
respond, recover and govern. These activities, or functions, of the NIST framework are used to
organize cybersecurity efforts at the most basic level.

What are the four components of the NIST Cybersecurity Framework?
The framework is divided into four components: Core, Organizational Profiles, Tiers and
Informative References.

Core
The core component is “a set of activities to achieve specific cybersecurity outcomes, and
references examples of guidance to achieve those outcomes.” It is further broken down into three
elements: Functions, categories and subcategories.
• Functions: This section explains the six functions: Identify, protect, detect, respond, recover and
govern (Figure A). Together, these six functions form a top-level approach to securing systems
and responding to threats. Think of them as your basic incident management tasks.
Figure A

• Categories: Each function contains categories used to identify specific tasks or challenges
within it. For example, the protect function could include access control, identity management,
data security and platform security.
• Subcategories: These are further divisions of categories with specific objectives. The data
security category could be divided into tasks like protecting data at rest, in transit and in use or
creating, protecting, maintaining and testing backups.

Organizational Profiles
Profiles are both outlines of an organization’s current cybersecurity status and roadmaps toward
CSF goals for stronger security postures (Figure B). NIST said having multiple profiles — current
and goal — can help an organization find weak spots in its cybersecurity implementations and make
moving from lower to higher tiers easier.
Figure B: NIST suggests using the Organizational Profiles as an ongoing assessment of an organization’s
cybersecurity maturity. Image: NIST
Profiles help connect the functions, categories and subcategories to business requirements, risk
tolerance and resources of the larger organization it serves.

Tiers
There are four tiers of implementation, and while CSF documents don’t consider them maturity
levels, the higher tiers are considered a more complete implementation of CSF standards for
protecting critical infrastructure. NIST considers Tiers useful for informing an organization’s
current and target Profiles.
• Tier 1: Called partial implementation, organizations at Tier 1 have an ad-hoc and reactive
cybersecurity posture to protect their data. They have little awareness of organizational
cybersecurity risk and any plans implemented are often done inconsistently.
• Tier 2: At the tier called risk-informed, organizations may be approving cybersecurity measures,
but implementation is still piecemeal. They are aware of risks, have plans and have the proper
resources to protect themselves from a data breach, but haven’t quite gotten to a proactive point.
• Tier 3: The third tier is called repeatable, meaning that an organization has implemented NIST
CSF standards company-wide and is able to repeatedly respond to cyber crises. Policy is
consistently applied, and employees are informed of risks.
• Tier 4: Called adaptive, this tier indicates total adoption of the NIST CSF. Adaptive
organizations aren’t just prepared to respond to cyber threats — they proactively detect threats
and predict issues based on current trends and their IT architecture.
Informative References and other online resources
The Informative References provided with Version 2.0 of the CSF are documentation, steps for
execution, standards and other guidelines. A prime example in the manual Windows update
category would be a document outlining steps to manually update Windows PCs. In Version 2.0,
Informative References, Implementation Examples and Quick-Start Guides can be found through
the NIST CSF website or the CSF document.

When is the NIST Cybersecurity Framework updated?

As the needs of organizations change, NIST plans to continually update the CSF to keep it relevant.
Updates to the CSF happen as part of NIST’s annual conference on the CSF and take into account
feedback from industry representatives, via email and through requests for comments and requests
for information NIST sends to large organizations.

What organizations can use the NIST Cybersecurity Framework?
The NIST CSF affects everyone who touches a computer for business. IT teams and CXOs are
responsible for implementing it; regular employees are responsible for following their
organization’s security standards; and business leaders are responsible for empowering their
security teams to protect their critical infrastructure. Specifically, the NIST CSF 2.0’s new Govern
function includes communication channels between executives, managers and practitioners —
anyone with a stake in the technological health of the company.
The degree to which the NIST CSF will affect the average person won’t lessen with time either, at
least not until it sees widespread implementation and becomes the new standard in cybersecurity
planning.

How can I implement the NIST Cybersecurity Framework?

Start working on implementing the CSF by visiting NIST’s Cybersecurity Framework website. Of
particular interest to IT decision-makers and security professionals is NIST’s Framework Resources
page, where you’ll find methodologies, implementation guidelines, case studies, educational
materials, example profiles and more.
“The CSF does not prescribe how outcomes should be achieved,” NIST points out in
the framework. “Rather, it links to online resources that provide additional guidance on practices
and controls that could be used to achieve those outcomes.”
The NIST CSF can improve the security posture of organizations large and small, and it could
potentially position you as a leader in forward-looking cybersecurity practices or prevent a
catastrophic cybersecurity event.