The NIST Cybersecurity Framework

by John Bandler

The NIST Cybersecurity Framework (CSF) is valuable cybersecurity guidance, free to access and use, created by lots of smart people, paid for with U.S. tax dollars. It is voluntary guidance organizations may choose to follow, adapt, or disregard.

If you are looking for a comprehensive cybersecurity framework, NIST CSF should be your first option to consider. It is reliable, credible, and totally free to access via the internet, without any fee, registration, or licensing agreement.

If you are looking for a simpler framework, consider my Four Pillars of Cybersecurity (link at bottom).

What is a cybersecurity framework?

A cybersecurity framework is simply guidance, or best practices to manage cybersecurity and information security.

There are many valuable frameworks for cybersecurity and information security to help organizations with the complex task of managing and securing their information assets. These frameworks are voluntary guidance, which organizations may choose to follow, adapt, or disregard. (See my link about external guidance later).

Simply put, a cybersecurity framework is a suggested best practice. It is not mandatory; it is voluntary guidance. Cybersecurity is complicated, and we cannot expect every organization to reinvent the wheel while securing themselves. (PS, there might be circumstances where a "voluntary" framework becomes mandatory thanks to a contract or other requirement).

Compare this guidance with laws and regulations, which may impose mandatory rules upon the organization (see more about external rules later).

NIST is a respected government agency

NIST is the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce. They are funded by our federal tax dollars and do a lot of great work, thanks to many smart and hard-working people there, and a comprehensive process for building, revising, and finalizing their documents.

Again, the NIST frameworks are created and maintained by good government people working through a deliberative process, paid for with tax dollars and made publicly available at no cost and with no license agreement.

In contrast, many other frameworks come from for-profit or not-for-profit organizations (and some that blend both types of organizations). Some frameworks cost money to access, and have legal terms about their usage.

NIST makes their cybersecurity framework (and all of their other publications) freely and publicly available. That's amazing. People should take advantage of it. It should be your first stop before considering proprietary frameworks.

Who is the NIST cybersecurity framework for?

The NIST cybersecurity framework (CSF) can be applied to any organization, of any type. Especially so with the new release of CSF v 2.0 (prior versions required higher degrees of tech and cybersecurity knowledge).

That said, it is generally geared for readers with a high degree of technology and information security knowledge, and for organizations with in-house personnel with that level of understanding. And much of it pertains to a degree of complexity, detail, and tools that many smaller organizations do not possess nor have the resources to address.

The NIST cybersecurity framework (like most frameworks except for mine) might be too technical for most individuals to understand, and for most smaller and mid sized organizations to implement.

The NIST cybersecurity framework v1.1 is 55 pages, almost 17,000 words. On word count alone, that would be at least 1.5 hours to read through. But it is not an easy read; it has some terms that some users might need to research. NIST also provides additional information to help implement the framework, and that would take time to read and understand. Version 1.1 remains relevant for a number of purposes, even though replaced by version 2.0.

The new NIST CSF v 2.0 is smaller, at 32 pages and about 9,200 words. It also comes with a number of resource guides and quick start guides, and excellent cross referencing with various NIST resources.

History of the NIST CSF

NIST has been creating information security related frameworks for decades (and lots of other voluntary standards for other areas).

Then in 2013 they were tasked by President Obama to create a "Cybersecurity Framework" for our nation's "critical infrastructure", something more business-friendly than some of their other extremely complicated frameworks. The CSF was born. Here's the chronology:

  • Executive Order 13636 by President Obama on 2/12/2013 for “Improving Critical Infrastructure Cybersecurity”
  • NIST CSF Version 1.0 was published in February 2014, titled "Framework for Improving Critical Infrastructure Cybersecurity", commonly known as the NIST Cybersecurity Framework (CSF).
  • NIST CSF Version 1.1 was published in April 2018
  • NIST CSF Version 2 draft version released in August 2023, comments closed in November 2023.
  • NIST CSF Version 2 released on 2/26/2024 (current version). Version 2 has the official name "NIST Cybersecurity Framework (CSF) 2.0" and does not use the clunky official name of versions 1.0 and 1.1.

Summary of the NIST CSF v 2.0

The NIST Cybersecurity Framework v 2.0 (NIST CSF) was released on 2/26/2024 and is organized into six main "functions" of:

  • Govern
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover.

It recognizes that the work of cybersecurity through these six functions is a cyclical process.

These six functions are further subdivided into 21 categories.

  • Govern (GV)
    • Organizational Context (GV.OC)
    • Risk Management Strategy (GV.RM)
    • Roles, Responsibilities, and Authorities (GV.RR)
    • Policy (GV.PO)
    • Oversight (GV.OV)
    • Cybersecurity Supply Chain Risk Management (GV.SC)
  • Identify (ID)
    • Asset Management (ID.AM)
    • Risk Assessment (ID.RA)
    • Improvement (ID.IM)
  • Protect (PR)
    • Identity Management, Authentication and Access Control (PR.AA)
    • Awareness and Training (PR.AT)
    • Data Security (PR.DS)
    • Platform Security (PR.PS)
    • Technology Infrastructure Resilience (PR.IR)
  • Detect (DE)
    • Continuous Monitoring (DE.CM)
    • Adverse Event Analysis (DE.AE)
  • Respond (RS)
    • Incident Management (RS.MA)
    • Incident Analysis (RS.AN)
    • Incident Response Reporting and Communication (RS.CO)
    • Incident Mitigation (RS.MI)
  • Recover (RC)
    • Incident Recovery Plan Execution (RC.RP)
    • Incident Recovery Communication (RC.CO)

The categories are further divided into subcategories.

Some differences between NIST CSF v 1.1 and v 2.0

Overall, v 2.0 is an excellent improvement over v 1.1.

Some improvements include:

  • CSF is now better geared for every organization, with a number of quick start guides on many subjects, including for small and mid size business. (CSF 1.1 was for a more technical audience)
  • Added a sixth function of "Govern" -- a great addition because management (governance) is an essential part of cybersecurity, and this highlights that role
  • Tweaked the focus areas within each function
  • Slimmer main CSF text for an easier read (CSF 2.0 is 32 pages, 9,200 words, compared to CSF 1.1 which was 55 pages, almost 17,000 words)
  • A large amount of additional resource documents
  • A number of companion quick start guides
  • Graphics
  • Extensive hyperlinking and cross referencing to NIST's helpful online resources.

Summary of the NIST CSF v 1.1 (an obsolete version now that v 2.0 is out)

Many organizations are using NIST CSF v 1.1, and will want to transition to v 2.0. You could say v 1.1 is obsolete or deprecated.

Feel free to skip this section, but the history will be important for some, so let's note that NIST CSF v 1.1 was organized into five main categories ("functions") of:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover.

It recognized that the work of cybersecurity through these five categories is a cyclical process.

These five categories were further subdivided into 23 areas of focus.

  • Identify
    • Asset Management (ID.AM)
    • Business Environment (ID.BE)
    • Governance (ID.GV)
    • Risk Assessment (ID.RA)
    • Risk Management Strategy (ID.RM)
    • Supply Chain Risk Management (ID.SC)
  • Protect
    • Identity Management, Authentication and Access Control (PR.AC)
    • Awareness and Training (PR.AT)
    • Data Security (PR.DS)
    • Information Protection Processes and Procedures (PR.IP)
    • Maintenance (PR.MA)
    • Protective Technology (PR.PT)
  • Detect
    • Anomalies and Events (DE.AE)
    • Security Continuous Monitoring (DE.CM)
    • Detection Processes (DE.DP)
  • Respond
    • Response Planning (RS.RP)
    • Communications (RS.CO)
    • Analysis (RS.AN)
    • Mitigation (RS.MI)
    • Improvements (RS.IM)
  • Recover
    • Recovery Planning (RC.RP)
    • Improvements (RC.IM)
    • Communications (RC.CO)

This NIST CSF Version 1.1 was released April 2018.

Version 2.0 was released in February 2024, making v 1.1 obsolete.

Organizations will want to align with v 2.0 for their next policy update.

NIST CSF links and references

NIST has other frameworks and guidance too

NIST has many publications, many of which could be called "frameworks" that relate to "cybersecurity". So remember there is not just one NIST framework for information security.

All of the NIST frameworks are publicly available and easily downloadable for free, without any registration. So thank you to the U.S. Government (and tax dollars) for that.

NIST SP 800-53 

NIST SP 800-53A

  • NIST SP 800-53A Rev. 5, Assessing Security and Privacy Controls in Information Systems and Organizations, Jan 2022
  • NIST SP 800-53A Rev. 5 landing page, https://csrc.nist.gov/pubs/sp/800/53/a/r5/final
  • NIST SP 800-53A Rev. 5 full document, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar5.pdf (733 pages)

NIST SP 800-171

NIST Privacy Framework

NIST Risk Management Framework

Miscellaneous

Some NIST general website links are:

Bandler's Four Pillars of Cybersecurity

In contrast to many cybersecurity frameworks, my Four Pillars framework is short, intuitive, and understandable by anyone.

Perfect for individuals, small organizations, and many medium sized organizations.

Even for organizations that follow a more complex framework, the Four Pillars allows individuals within that organization to better comprehend whatever cybersecurity framework their organization has adopted.

The Four Pillars can always be backstopped by a more robust framework such as the NIST CSF. And if an organization using the Four Pillars framework increases in size and maturity to the point where it requires a more complex framework, the fuller transition to more complex and detailed guidance, such as the NIST CSF or the CIS Eighteen Critical Security Controls, is simple.

My Four Pillars of Cybersecurity model is a user-friendly cybersecurity framework which small and mid-sized organizations (and individuals) can use as guidance for their cybersecurity plan and practice. It consists of continual improvement of:

  1. Improve knowledge and awareness for better decision making at all levels (e.g., re: cybercrime threats, information security, technology, and legal requirements)
  2. Secure computing devices
  3. Secure data
  4. Secure networks and use of the Internet.
  5. [Repeat]

Read more about the Four Pillars of Cybersecurity here.

Conclusion

A cybersecurity framework is external guidance (not a law or regulation). The NIST CSF is very respected and used by many. The NIST CSF and all other NIST publications are freely available thanks to the U.S. Government and our tax dollars, so take full advantage of that.

Also consider my Four Pillars of Cybersecurity. It is much simpler and freely available on this website (copyright protections may apply).

This is not legal advice nor consulting advice, and is not tailored to your circumstances.

Additional reading

This article is hosted at https://johnbandler.com/nist-cybersecurity-framework. Copyright John Bandler, all rights reserved.

Posted 12/4/2023. Updated 4/9/2024.