The NIST Cybersecurity Framework (CSF): Its Purpose, Components and How It Works

The COVID-19 pandemic has accelerated the digital transformation that has been underway for decades. Digital technologies and solutions have swiftly become the cornerstone of modern businesses, eliminating data silos, automating manual processes and enhancing operational efficiency. However, this swift transition to a digital world has also introduced organizations to an intimidating and ever-evolving cyberthreat landscape.

Small and medium-sized businesses (SMBs) should be particularly wary of potential cyberattacks since they have become soft targets due to their lack of preparedness and resources. While it’s typically the big players that hit the headlines after experiencing a cybersecurity incident due to the enormity of the data and ransoms involved, cybercriminals are increasingly targeting SMBs in recent times. The bad guys believe they can fly under the radar and still quietly receive stable sums of money by targeting SMBs. Kaspersky’s IT Security Economics report shows that the average total financial impact of a data breach for SMBs in 2021 was $105,000. A study by IBM points to another staggering fact — 60% of businesses with fewer than 500 employees go out of business within six months of a cyberattack.

Against this backdrop, the significance of the NIST Cybersecurity Framework (NIST CSF) becomes all the more relevant for SMBs. Created by the National Institute of Standards and Technology (NIST), which operates under the U.S. Department of Commerce, NIST CSF is one of the world’s most popular and well-known security frameworks for SMBs. It primarily aids organizations in setting up and enhancing their cybersecurity strategy.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework offers a set of standards, guidelines and best practices for companies to help them improve their security posture and prevent, detect and respond to cyberattacks. The framework is most beneficial for SMBs and is considered a benchmark standard while building a cybersecurity program.

What is the latest version of the NIST CSF?

The NIST first developed the framework in 2014 in response to Executive Order 13636: Improving Critical Infrastructure Cybersecurity, working with private-sector and government experts in a decentralized way. The individuals who collaborated in developing this framework were sourced from different roles and industries with varying viewpoints and perspectives on data security and risk management, making it comprehensive and robust.

The NIST CSF version 1.0 was initially designed to improve the security posture of the U.S. private sector owners and operators of critical infrastructure who deal with government data. However, following the release of version 1.0, the NIST CSF was adopted by more than just critical infrastructure organizations. It swiftly metamorphosed to become the gold standard for standardizing cybersecurity strategies among all types of organizations, both large and small public and private sector companies.

In 2017, a draft of the NIST CSF version 1.1 was circulated for public comment and was announced and made publicly available on April 16, 2018. This new (current) version features updates on authentication and identity, cybersecurity risk self-assessments, cybersecurity management within the supply chain and vulnerability disclosure.

On June 3, 2022, NIST announced a more significant update to the framework: CSF version 2.0. This NIST blog post sheds light on what stakeholders can expect with the update.

Who needs NIST CSF?

In addition to government agencies, public and private sector organizations of all shapes and sizes can leverage the NIST CSF to ensure their critical IT infrastructure is secure. While the CSF primarily provides guidance, the framework can be a cornerstone for forward-thinking cybersecurity strategies. With the compliance bar rising in different industries, organizations can utilize the NIST CSF to ease their way to compliance and use it as a foundation for their compliance standards and guidelines. The framework amply prepares an organization for new updates to existing standards and regulations across industries and geographies.

As of March 2022, the NIST CSF has seen more than 1.7 million downloads and has been adapted internationally in 15 translations.

Is the NIST CSF mandatory?

Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure makes the NIST CSF mandatory for U.S. federal government agencies. Besides, any company that does or intends to do business with the U.S. government must comply with the NIST CSF.

The NIST CSF is a voluntary framework for all other organizations. It provides valuable risk assessment and resolution techniques for organizations with or without a cybersecurity program. However, the framework cannot be used as a one-size-fits-all approach. Rather, it should be customized to best suit an organization’s risks, situations and needs.

What is the purpose of the NIST CSF?

The primary goal of the NIST CSF is to encourage organizations to prioritize cybersecurity, like any other operational or financial risks. It intends to bring cybersecurity risk assessments and considerations into day-to-day organizational decisions and activities. Implementing the NIST CSF enables organizations to ensure that their data, systems and networks are as safe as they can be from cybersecurity threats and intrusions.

The NIST CSF helps an organization better understand, manage and reduce its cybersecurity risks. It analyses the current cybersecurity measures, identifies potential cybersecurity standards and policies and establishes a comprehensive cybersecurity program. It creates a common language and set of norms, streamlining communication inside and outside the organization. On the whole, compliance with the NIST CSF will save a considerable amount of cost, effort and time for organizations down the line.

Is the NIST CSF a maturity model?

The NIST has explicitly stated that the NIST cybersecurity framework is not designed to be a maturity model. However, the NIST CSF does identify four tiers (Tiers 1, 2, 3 and 4) and five maturity levels (Levels 1, 2, 3, 4 and 5) to aid organizations in assessing their cybersecurity capabilities and help them gauge their progress.

The implementation tiers offer guidance on how an organization is presently poised with its cybersecurity risk management and operational risk management processes. They are designed to act as a benchmark to review the current risk management practices and help organizations develop a roadmap to improve their cybersecurity posture. While tiers tell you what you have in place currently, levels allow you to measure your maturity level in identifying, protecting, detecting and responding to cyberthreats and recovering from cybersecurity incidents.

Is the NIST CSF a risk assessment?

While the NIST CSF is not a risk assessment, it is indeed an integral part of an organizational risk management process. It helps identify, estimate and prioritize risks to corporate assets, resources and operations and empowers organizations to enhance their security posture over time in a collaborative environment.

Is there a NIST CSF certification?

The National Institute of Standards and Technology doesn’t provide certification for IT systems, products or modules. However, the NIST has various IT security validation programs in which vendors can use third-party, independent, private-sector, accredited testing laboratories to test their products. Products and modules that conform to validation program test requirements are awarded validations by the NIST.

Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) offers Certified NIST CSF LI certification for individuals to certify their ability to implement the formal structure, governance and policy of a robust cybersecurity framework following internationally recognized and respected NIST best practices and standards.

How is the NIST CSF organized?

The NIST CSF is made of three main components: framework core, framework implementation tiers and framework profiles.

  • Framework core: It is a set of cybersecurity activities, desired outcomes and applicable benchmarks common across any critical infrastructure sector. It consists of five simultaneous and continuous functions: Identify, Protect, Detect, Respond and Recover.
  • Framework implementation tiers: The framework implementation consists of tiers that offer insights into an organization’s cybersecurity risks and the processes in place to manage those risks.
  • Framework profiles: These define the current state of an organization’s cybersecurity program and can be used to gauge an organization’s progress toward achieving its target profile.

Framework core

The framework core identifies the actions an organization needs to take within a tier to successfully meet that tier’s cybersecurity outcomes. It acts as a translation layer that enables communication between multidisciplinary teams using simple, non-technical language. The four elements that make up the framework core are functions, categories, subcategories and informative references.

Functions

The NIST cybersecurity framework consists of five simultaneous and continuous functions.

  • Identify: The Identify function is the primary function for successfully implementing the NIST cybersecurity framework. The NIST defines it as calling on the need to “develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.” The Identify function helps organizations comprehend their current security status and cyber-risks concerning their data, assets, resources and systems.

    It aims to create an organizational cybersecurity policy that covers the following:

    • Roles and responsibilities for employees, vendors and any other parties with access to sensitive data.
    • Steps to take to protect against an attack and limit the damage should an attack occur.

    The Identify function addresses the categories of asset management, business environment, governance, risk assessment and risk management strategy.

  • Protect: The Protect function describes the essential safeguards needed to be in place to guarantee the delivery of critical infrastructure services and maintain business continuity. It supports the ability to limit the damage of a potential cybersecurity incident.

    The Protect function addresses the categories of identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technologies.

  • Detect: The Detect function is vital to identify potential cyberattacks. It is a critical step in a robust cybersecurity program, ensuring the development and implementation of appropriate processes to recognize the occurrence of a cybersecurity incident.

    The Detect function addresses the categories of anomalies and events, security continuous monitoring and detection processes.

  • Respond: The Respond function defines the steps to be taken when a cybersecurity event is detected and helps limit its impact.

    The Respond function involves the categories of response planning, communications, analysis, mitigation and improvements.

  • Recover: It is critical to establish robust restoration capabilities and services that enable a prompt return to “business as usual.” The NIST defines the Recover function as the need to “develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.” The Recover function helps organizations stay on track to achieve their business goals even if a breach occurs.

    The Recover function addresses the categories of recovery planning, improvements and communications.

Categories

Categories cover the breadth of cybersecurity objectives of an organization across cyber, physical and personnel, with a core focus on business outcomes. The 23 categories of the framework core are meticulously designed to provide a comprehensive breadth of cybersecurity objectives for an organization without being excessively detailed.

Subcategories

The framework core has 108 subcategories, which are the deepest level of abstraction. The subcategories are, in fact, outcome-driven statements that provide risk-based implementation suggestions tailored to the organization’s needs. For example, subcategories of the “Identity Management and Access Control” category include inventorying all physical devices and systems within the organization (ID.AM-1), inventorying all software platforms and applications (ID.AM-2), cataloging external information systems (ID.AM-4) and more.

Informative references

Informative references support the framework core by offering comprehensive references that are more technical than the framework itself. They provide organizations with a starting point for implementing practices to achieve the framework’s desired outcomes (described in the associated subcategory). The informative references presented in the framework core are illustrative and not exhaustive.

Framework implementation tiers

The NIST cybersecurity framework’s latest version has four implementation tiers — ranging from partial (tier 1) to adaptive (tier 4) — that aid an organization in tracking the effective implementation of the NIST CSF guidelines. The tiers define the degree to which an enterprise’s risk management practices exhibit the characteristics described by the framework.

An organization must consider various elements, like current risk management practices, threat landscape, regulatory requirements, business objectives and other constraints, such as available budgets, before selecting a tier.

Each tier is described along three areas: risk management processes, integrated risk management program and external participation.

Tier 1: Partial

  • Risk management processes: Risk management is typically performed in a nonprocedural or reactive manner. Cybersecurity activities are performed with little to no prioritization based on the degree of risk.
  • Integrated risk management program: Limited awareness of cybersecurity risks at the organizational level. Risk management becomes difficult.
  • External participation: The organization lacks an understanding of its role in its business ecosystem — position in the supply chain, dependents and dependencies.

Tier 2: Risk-Informed

  • Risk management processes: Risk management practices are approved by management but not established as an organization-wide policy.
  • Integrated risk management program: While there is cybersecurity risk awareness at the organizational level, an effective approach to managing this risk has not been implemented.
  • External participation: Organizations understand their role in the ecosystem in terms of either dependencies or dependents, but not both.

Tier 3: Repeatable

  • Risk management processes: Risk management practices are approved and expressed as an organization-wide policy.
  • Integrated risk management program: There is a higher-level, organization-wide approach to managing cybersecurity risk. Risk-informed policies, processes and procedures are defined, implemented and reviewed consistently.
  • External participation: The organization understands its role, dependencies and dependents in the business ecosystem and contributes to a broader understanding of risks in the community.

Tier 4: Adaptive

  • Risk management processes: The organization adapts its cybersecurity practices based on past and current cybersecurity activities.
  • Integrated risk management program: Building on tier 3, organizations have more clarity in understanding the link between their goals and risks. They prioritize cybersecurity risks like operational or financial risks and base budgeting decisions on an understanding of the current and potential risk landscape.
  • External participation: Going beyond tier 3, tier 4 organizations receive, generate and contribute to the understanding of the ecosystem about evolving risks.

Framework profiles

Framework profiles are the unique alignment of an organization’s requirements, risk appetite and resources against the desired outcomes of the framework core. Comparing a “current profile” with a “target profile” aids in identifying the opportunities to enhance a cybersecurity posture. As the names suggest, the current profile indicates an organization’s current situation concerning risk management. The target profile shows the results required to attain the desired cybersecurity risk management goals.

How is the NIST CSF used?

The NIST CSF has become one of the world’s most popular security frameworks for SMBs. Unlike larger organizations that devote resources to cybersecurity, smaller companies are often limited in expertise and the budget needed to adequately protect their networks. On that front, the NIST cybersecurity framework offers adequate controls necessary for SMBs to protect their data, systems and networks.

The NIST recommends the following seven-step process to implement the NIST cybersecurity framework while creating a new cybersecurity program or improving an existing one.

  1. Prioritize and scope: An organization must identify its business objectives and organizational priorities. With this information, the organization should make strategic decisions regarding cybersecurity implementations and determine the scope of systems and assets in supporting the business processes.
  2. Orient: Once the scope is determined for the business line or process, the organization must recognize the related systems and assets, regulatory requirements and overall risk approach. It should also assess the threats and vulnerabilities applicable to those systems and assets.
  3. Create a current profile: The organization has to determine its current profile by identifying which category and subcategory outcomes from the framework core are currently being achieved.
  4. Conduct a risk assessment: The organization has to assess its operational environment to discern the likelihood of a cybersecurity event and the consequent impact such an event could have on the organization. Organizations need to identify emerging risks and utilize information from internal and external sources to better understand the threat landscape.
  5. Create a target profile: Once the risk assessment is done, the organization must create a target profile that describes the organization’s desired cybersecurity outcomes based on the framework categories and subcategories. It can also develop its own additional categories and subcategories to account for unique organizational risks.
  6. Determine, analyze and prioritize gaps: During this step, the organization should compare its current profile with the target profile and identify gaps between them. It should then create a prioritized action plan to address them and determine the resources needed for it.
  7. Implement action plan: In this final step, the organization must finalize the steps needed to address the above-discussed gaps, if any, and carry them out. It should adjust its cybersecurity practices to achieve the target profile.
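Steps 3 to 6 above (current profile, risk assessment, target profile, gap analysis) are the part of the process that can be mechanized. The script below is an added example, not NIST's or Unitrends' code: it models a profile as a mapping from subcategory identifier to an implementation state, ranks each gap by its size multiplied by a risk score assumed to come from the step 4 assessment, and groups the result by function for reporting. The sample profiles and risk scores are constructed; the ID.AM-* identifiers appear in the article and the others follow the same CSF 1.1 naming scheme.

```python
"""Illustrative NIST CSF profile gap analysis (steps 3 to 6 of the seven-step process).

Added example, not NIST's or Unitrends' code. Profiles map a subcategory
identifier to an implementation state; risk scores are assumed to come from
the step 4 risk assessment. All sample values below are constructed.
"""
from dataclasses import dataclass

# Implementation state of a subcategory outcome, from not achieved to fully achieved.
NOT_ACHIEVED, PARTIAL, LARGELY, FULLY = 0, 1, 2, 3

# Function prefixes used by CSF 1.1 subcategory identifiers.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    risk: float  # likelihood x impact, normalised to 0..1 (assumed scale)

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> float:
        # A large gap on a high-risk outcome comes first; a small gap on a low-risk one last.
        return self.size * self.risk

    @property
    def function(self) -> str:
        return FUNCTIONS.get(self.subcategory.split(".")[0], "Unknown")


def find_gaps(current_profile, target_profile, risk_scores):
    """Step 6: compare the current profile with the target profile and rank the gaps.

    A subcategory that is in the target profile but missing from the current
    profile counts as NOT_ACHIEVED. Outcomes with no risk score get a neutral
    weight of 1.0 so they are never silently dropped from the plan.
    """
    gaps = []
    for subcategory, target in target_profile.items():
        current = current_profile.get(subcategory, NOT_ACHIEVED)
        if current < target:
            gaps.append(Gap(subcategory, current, target, risk_scores.get(subcategory, 1.0)))
    # Highest priority first; ties broken by identifier so the plan is reproducible.
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def gaps_by_function(gaps):
    """Group ranked gaps under the five functions for reporting."""
    grouped = {}
    for gap in gaps:
        grouped.setdefault(gap.function, []).append(gap.subcategory)
    return grouped


# Constructed sample profiles. ID.AM-* identifiers appear in the article; the
# others follow the same CSF 1.1 naming scheme.
CURRENT_PROFILE = {
    "ID.AM-1": FULLY,        # physical devices inventoried
    "ID.AM-2": PARTIAL,      # software inventory incomplete
    "PR.AC-1": LARGELY,
    "PR.DS-1": FULLY,
    "DE.AE-1": NOT_ACHIEVED,
}
TARGET_PROFILE = {
    "ID.AM-1": FULLY,
    "ID.AM-2": FULLY,
    "ID.AM-4": LARGELY,      # external systems catalogued
    "PR.AC-1": FULLY,
    "PR.DS-1": FULLY,
    "PR.DS-2": FULLY,        # not in the current profile at all
    "DE.AE-1": LARGELY,
}
# Constructed step 4 results: likelihood x impact per outcome, 0..1.
RISK_SCORES = {"ID.AM-2": 0.6, "ID.AM-4": 0.4, "PR.AC-1": 0.9,
               "PR.DS-2": 0.8, "DE.AE-1": 0.7}


def action_plan():
    """Return the prioritised gap list for the sample profiles."""
    return find_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_SCORES)


if __name__ == "__main__":
    for gap in action_plan():
        print(f"{gap.subcategory:9} {gap.function:8} gap={gap.size} "
              f"risk={gap.risk:.1f} priority={gap.priority:.2f}")
```

Outcomes present in the target profile but absent from the current one are treated as not achieved rather than skipped, which is the common way a gap analysis quietly loses items; unassessed outcomes keep a neutral weight for the same reason.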

Apply the NIST CSF with Unitrends

Unitrends Unified BCDR is a complete data backup and disaster recovery platform with protection for traditional data center workloads, cloud-native workloads (AWS, Azure), SaaS applications (Microsoft 365, Google Workspace and Salesforce), and direct-to-cloud backup for endpoints such as PCs, workstations and file servers.

Since Unitrends is a backup and recovery vendor, one may assume that it would primarily complement the Respond and Recover aspects of the framework. While that is true, one of the aspects that makes our platform unique is how we’ve leveraged powerful workflow integrations within the Kaseya ecosystem along with automation and artificial intelligence to augment capabilities that support other aspects of the framework outside of the traditional BCDR scope.

Some examples include:

Protect: Identity Management and Access Control (PR.AC)

  • Unitrends Role-Based Access Control (RBAC) enables organizations to assign roles and limit scope within the backup environment. Users may be restricted to performing only certain functions (e.g., only schedule backups, only perform restores) against certain assets (e.g., a database admin only has access to work with backups of their specific DBs).
  • UniView, our centralized management portal, provides a singular window to manage all of your backup modules (appliances, SaaS protection, direct-to-cloud agents) from a single pane. UniView is protected with multifactor authentication (MFA).

Protect: Data Security (PR.DS)

  • Secure Agent Pairing establishes a secure pairing between the backup appliance and the Windows agent on each of its protected assets, enabling Transport Layer Security (TLS) to encrypt data and authenticate connections between appliances and agents. Communication is only allowed if there is a matching (paired) certificate.
  • Unitrends appliances use AES 256-bit encryption to secure and protect sensitive customer data for backups at rest and in flight.
  • Data Copy Access enables automated provisioning of testing and sandbox environments on configured isolated networks.

Detect: Anomalies and Events (DE.AE)

  • All Unitrends appliances are equipped with artificial intelligence (AI) that runs during every backup, analyzing a number of heuristics, such as change rates, entropy (randomness of file changes), data density and more, to identify backups infected by ransomware. Upon detection, email and dashboard alerts are immediately sent to administrators and all suspected backups are flagged with an icon to prevent recoveries using infected files.
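The bullet above names two of the heuristics such a check relies on: how much of a backup generation changed, and how random the changed content looks. The script below is an added illustration of that idea, not Unitrends' detection code. It computes Shannon entropy per file, compares two backup generations to get a change rate and the share of changed files that look encrypted, and raises an alert only when both signals fire, so a bulk edit of ordinary documents is not mistaken for ransomware. All sample generations are constructed, with pseudo-random bytes standing in for encrypted content.

```python
"""Illustrative backup-generation anomaly check combining change rate and entropy.

Added example, not Unitrends' detection code. It models two heuristics the
article names: how many files changed between backup generations and how
random (high-entropy) the changed content is. All sample data is constructed;
pseudo-random bytes stand in for encrypted files.
"""
import math
import random
from collections import Counter

HIGH_ENTROPY_BITS = 7.0  # bits per byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def backup_metrics(previous: dict, current: dict) -> dict:
    """Compare two backup generations (path -> content) and compute the heuristics.

    change_rate: fraction of files in the current generation whose content
    differs from the previous generation (new files count as changed).
    high_entropy_share: fraction of the changed files whose content looks
    encrypted or compressed.
    """
    changed = [path for path, blob in current.items() if previous.get(path) != blob]
    high_entropy = [p for p in changed if shannon_entropy(current[p]) >= HIGH_ENTROPY_BITS]
    return {
        "change_rate": len(changed) / len(current) if current else 0.0,
        "high_entropy_share": len(high_entropy) / len(changed) if changed else 0.0,
        "changed_files": changed,
    }


def is_suspicious(metrics: dict, baseline_change_rate: float,
                  spike_factor: float = 4.0, entropy_share_threshold: float = 0.5) -> bool:
    """Flag a generation only when BOTH heuristics fire.

    A change-rate spike alone is normal after a bulk document edit or a
    software rollout; high entropy alone is normal for a few archives or
    images. Many changed files that have all become random-looking is the
    combination worth alerting on, and a flagged generation should be kept
    out of the recovery path until reviewed.
    """
    spike = metrics["change_rate"] > baseline_change_rate * spike_factor
    encrypted_looking = metrics["high_entropy_share"] >= entropy_share_threshold
    return spike and encrypted_looking


# --- constructed sample backup generations -----------------------------------
_TEXT = b"Quarterly report: revenue, costs and headcount by region.\n"
GEN_1 = {f"docs/report-{i}.txt": _TEXT * 40 for i in range(8)}

# Normal day: one document edited, content still ordinary text.
GEN_2_NORMAL = dict(GEN_1)
GEN_2_NORMAL["docs/report-3.txt"] = _TEXT * 40 + b"Appendix added.\n"

# Bulk edit: every document changed, but still plain text.
GEN_2_BULK_EDIT = {p: blob + b"Reviewed.\n" for p, blob in GEN_1.items()}

# Ransomware-like: every document replaced by random-looking bytes.
_rng = random.Random(1234)
GEN_2_ENCRYPTED = {p: bytes(_rng.getrandbits(8) for _ in range(4096)) for p in GEN_1}

BASELINE_CHANGE_RATE = 0.1  # assumed long-run average for this data set


def evaluate(generation: dict) -> tuple:
    """Return (suspicious?, change_rate, high_entropy_share) for a generation after GEN_1."""
    m = backup_metrics(GEN_1, generation)
    return is_suspicious(m, BASELINE_CHANGE_RATE), m["change_rate"], m["high_entropy_share"]


if __name__ == "__main__":
    for name, gen in [("normal", GEN_2_NORMAL), ("bulk edit", GEN_2_BULK_EDIT),
                      ("encrypted", GEN_2_ENCRYPTED)]:
        flagged, rate, share = evaluate(gen)
        print(f"{name:10} change_rate={rate:.3f} high_entropy_share={share:.2f} "
              f"{'ALERT' if flagged else 'ok'}")
```

The baseline change rate would in practice be learned from earlier generations rather than fixed; the thresholds are tuning knobs, and the point of requiring both signals is to keep the false-positive rate low enough that administrators keep trusting the alerts.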

Detect: Security Continuous Monitoring (DE.CM)

  • Our Spanning SaaS backup solution offers integrated Dark Web Monitoring to alert administrators to compromised or stolen employee credentials on the dark web, enabling them to take proactive steps to secure accounts at risk before a malicious activity occurs.

This list is not exhaustive. If you are interested in learning more about how Unitrends enables organizations with complete, automated and secure backup and disaster recovery, sign up for a demo today.
