NIST Cybersecurity Framework: Frequently asked questions

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a set of guidelines, best practices, and standards designed to help organisations manage and improve their cyber security posture. It was introduced in 2014 and organisations across a range of industries have adopted it since.

The NIST hosted conferences, webinars and workshops to gain input from more than 3,000 experts from a wide range of backgrounds (e.g. the US government, the tech industry and academia).

The NIST regularly reviews the framework, and calls for public submissions (or “requests for information”) as to how it should be amended and updated.

The origins of the CSF are one of its strengths. The collaborative approach that the NIST took in creating it ensures that the framework reflects a broad consensus and is applicable to diverse organisational contexts.

Although the framework is kept under regular review, a new version will not be created unless there is a general agreement among users that it’s necessary.

For example, the NIST sent out a request for information in December 2014 – the same year that the CSF first went live. Users broadly agreed that it was too early for a revised version to be issued.

That said, the framework is periodically updated to reflect changes in the cyber security landscape and to incorporate feedback from the cyber security community.

Regardless of how often the NIST issues new versions of the CSF, you should keep your own cyber security practices under constant review. Consider implementing regular incident response drills (i.e. tabletop exercises). Finally, bear in mind that there are many factors that will require a revisiting of your cyber security processes – for example:

• business activities and changes (e.g. mergers and acquisitions, expansion, new products or service lines);
• technological advances (such as AI) usually create new threats and vulnerabilities;
• regulatory changes and/or new legislation and compliance requirements or standards;
• changes in your third-party relationships and extended supply chain;
• evolution in the threat landscape (e.g. new geopolitical events that may expose you to the risk of ‘hacktivism’).

You can find out about the changes in our eBook, A Guide to Using the New NIST Cybersecurity Framework.

The use of the CSF is entirely optional, so even if you did have legal and regulatory compliance obligations the use of the framework would be a voluntary opt-in on your part.

However, there are very good reasons for adopting it.

The framework is designed to be flexible and adaptable to various organisational structures and sizes. It provides a common language for discussing and managing cyber security risk and is often used as a foundation for developing or enhancing an organisation’s cyber security program. While the CSF was initially targeted at critical infrastructure sectors, it has been widely adopted across industries to improve overall cyber security resilience.

And, because it encourages organisations to continuously assess and improve their cyber security, many organisations find it helpful for creating a culture of continuous improvement. The CSF is a great tool for prompting regular reviews, updates, and adjustments to cyber security practices based on changes in the threat landscape and business environment.

From a third-party risk perspective, the flexibility and ‘industry agnostic’ approach of the CSF makes it useful for improving operational resilience. Think, for example, of the EU’s Digital Operational Resilience Act (DORA), which is designed to strengthen the European financial sector against cyber risks posed by their essential third-party IT suppliers. The CSF provides a way for organisations in completely different industries to communicate clearly with each other when they need to work closely together and share data.

The NIST CSF provides a structured approach by organising key cyber security activities into five categories or, as the CSF calls them, ‘functions’:

1. Identify: Understand and prioritise assets, business processes, and cyber security risks to inform the development of a comprehensive cyber security strategy.
2. Protect: Implement safeguards to ensure the delivery of critical infrastructure services. This includes measures such as access control, encryption, and security awareness training.
3. Detect: Develop and implement capabilities to identify and detect cyber security threats and incidents in a timely manner. This involves continuous monitoring, anomaly detection, and incident response planning.
4. Respond: Establish an effective and structured response to detected cyber security incidents. This includes containment, eradication, recovery, and communication procedures.
5. Recover: Develop and implement strategies to restore capabilities that were impaired due to a cyber security incident. This involves learning from incidents and making improvements to prevent future occurrences.

The uniqueness of the CSF lies in its approach, flexibility, and adaptability. Most importantly, it is risk-based and voluntary. Because the CSF is not prescriptive or mandatory, organisations of all sizes and in all industries can tailor the way they implement it to their own specific needs and risk profiles.

Part of the NIST CSF’s flexibility stems from the fact that it is designed to complement existing cyber security standards and frameworks, rather than replace them. The CSF can be integrated with other standards, such as ISO 27001 or COBIT, to create a more robust cyber security program.

The framework also aligns with multiple global standards and best practices, promoting consistency in cyber security approaches across different regions.

While the NIST CSF has its distinct characteristics, you may choose to leverage multiple frameworks or standards based on their specific requirements, regulatory obligations, and industry best practices. The key is to select an approach that aligns with your organisation’s goals and enhances its overall cyber security resilience.

The CSF is often used as a strategic tool to improve cyber security with a systematic and risk-based approach.

For example, we have found the framework useful when working with clients who need a gap analysis to see what more they can do to improve their cyber security. Our gap analysis involves:

• an initial questionnaire;
• interviews with stakeholders;
• a documentation review; and
• all powered by Orbit Security.

The outcome of the gap analysis means that clients receive:

• an executive report outlining the current state of their compliance readiness and NIST CSF maturity view;
• a roadmap to compliance and progression of their NIST CSF maturity;
• actionable findings;
• recommendations; and
• access to Orbit Risk.

At a high level, here’s how you might get started with using the framework in your own organisation:

Understand the framework: Familiarise yourself with the structure, functions, and components of the NIST CSF. Understand how the five functions—Identify, Protect, Detect, Respond, and Recover—work together to form a comprehensive cyber security framework.

Assess your current cyber security posture: Conduct an initial assessment of your organisation’s current cyber security posture. Identify existing cyber security practices, policies, and controls. Determine strengths, weaknesses, and areas for improvement.

Identify and prioritise assets: Use the Identify function to categorise and prioritise assets based on their importance to your operations. This includes information, technology, personnel, and other critical resources.

Conduct a risk assessment: Implement the risk assessment process (as outlined in the Identify function). Identify potential cyber security risks, assess their impact, and prioritise them based on likelihood and consequences. This forms the basis for risk management decisions.

Implement protective measures: Use the Protect function to implement protective measures and safeguards. This may involve improving access controls, encrypting sensitive data, enhancing security awareness training, and establishing a secure system architecture.

Establish continuous monitoring: Leverage the Detect function to establish continuous monitoring capabilities. Implement tools and processes for real-time detection of cyber security events, anomalies, and potential threats.

Develop an incident response plan: Use the Respond function to develop and implement an incident response plan. Clearly define roles and responsibilities, establish communication protocols, and conduct regular drills to ensure readiness for cybersecurity incidents.

Plan for recovery: Incorporate the Recover function by developing plans for the recovery of systems and data in the event of a cyber security incident. This includes strategies for data restoration, system recovery, and continuous improvement.

Integrate with governance and compliance: Align the NIST CSF with your organisation’s governance structure and regulatory compliance requirements. Ensure that cyber security activities are integrated into overall business processes and decision-making.

Customise for your organisation: Tailor the NIST CSF to fit the unique characteristics of your organisation. Customise the framework based on its size, industry, and specific risk profile.

Establish a culture of cyber security: Foster a culture of cyber security awareness and responsibility. Ensure that employees at all levels understand their role in maintaining a secure environment.

Periodic review and improvement: Regularly review and update your cyber security practices based on changes in the threat landscape, business operations, and technology. Use the framework as a living document that evolves with your organisation.

The official NIST website provides access to the complete NIST CSF documentation, including the framework itself, implementation guidance, and related resources. We can also help you with assessing and remediating the gaps in your cyber security defences, using our extensive experience and specialist skills. 

While the framework itself does not explicitly outline specific tactics for addressing emerging threats, its principles and framework structure support all organisations in dealing with the challenges posed by new and emerging cyber security threats.