Every organization wants to improve its information security capabilities. Part of a security leader’s job is identifying the best way to do that.

However, no two organizations are exactly alike. Various stakeholders may have different ideas about what high-impact security excellence looks like in practice. Achieving meaningful security goals means getting everyone on the same page first.

The National Institute of Standards and Technology (NIST) publishes a voluntary cybersecurity framework so that security leaders and organizations can better understand, manage, and reduce cybersecurity risk. The NIST Cybersecurity Framework provides a uniform starting point for organizations to develop their information security capabilities.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (NIST CSF) provides a comprehensive outline of best practices for organizations investing time and resources into cybersecurity initiatives. It is designed to be applicable in many different contexts — small businesses, mid-sized enterprises, and multinational organizations can all follow this framework.

It is a voluntary framework, which means there is no legal or regulatory punishment for failure to comply. However, there is significant overlap between NIST’s voluntary standards and the legally mandated regulatory standards used in many industries. Organizations that adhere to ISO 27001, CIS, or PCI-DSS compliance can (and often do) also pursue NIST CSF.

Since it is a voluntary framework, security leaders aren’t under pressure to adopt the entire framework all at once. Some security leaders choose to implement individual parts of the framework, or to deploy the recommended controls only in certain business processes.

The framework itself describes five functions that are critical to security programs. Each function contains 23 unique categories, which are further broken down into more specific subcategories.

The five NIST Cybersecurity Framework categories are:

1.   Identify

The Identify category is all about visibility. In order to protect business assets, security teams need to understand where those assets are located, how they interact with one another, and what policies govern their use.

In this context, “asset” means anything from endpoint devices like laptops and servers to user accounts created for employees and vendors. It can also include cloud computing workloads and applications, as well. Anything that has value to the organization can be an asset.

Here are some of the subcategories included under the Identify category:

• Asset management. Create and maintain an inventory of all devices, software, and other assets that need to be secured.
• Business environment. Understand the organization’s overall scope and mission, and determine how that impacts its security risk profile.
• Establish policies that support cybersecurity risk management and provide standard operating procedures to security teams.
• Risk assessment. Conduct assessments that provide insight into the way IT assets may respond to known risks.
• Risk management strategy. Deploy a strategy to address security risks based on the organization’s capabilities and tolerance levels.
• Supply chain risk management. Assess and manage security risks associated with third-party partners and vendors.

2.   Protect

The Protect category prevents attackers from exploiting vulnerabilities and contains the damage that may result from a successful breach. This category covers a wide range of technologies and policies, from technical implementations to employee training initiatives.

These framework elements work together to safeguard critical assets from the risks identified previously. NIST recommends establishing multi-layered security policies that ensure assets enjoy decent protection even if attackers bypass one or more security controls.

Here are some of the subcategories included in the Protect category:

• Identity management and access control. Deploy authorization policies that verify users and applications when they move between networks or attempt to access sensitive data.
• Awareness and training. Develop an organization-wide security training policy that ensures every user does their part to maintain the system’s integrity.
• Data security. Protect information at rest and in transit with policies and procedures enforced by properly configured security tools.
• Information protection processes and procedures. Define the roles and responsibilities associated with information security processes and create formal policies for disposing of electronic files, old devices, and other systems.
• Conduct routine preventative maintenance on systems, equipment, and applications to ensure they remain secure.
• Protective technology. Deploy purpose-built security tools like firewalls and configure them appropriately. Make sure security tools logs are properly obtained and stored.

3.   Detect

The Detect category provides guidance on how to monitor different aspects of the organization’s security posture. This helps security teams detect threats early, making it much easier for them to contain threats before they cause serious damage.

The NIST Cybersecurity Framework provides some high-level guidance on identifying activities that deviate from expected norms. It also describes methods for continuously monitoring for threats and ensuring the integrity of threat detection workflows.

Some of the subcategories included in the Detect category include:

• Anomalies and events. Deploy systems capable of detecting unusual activity on network assets. Find ways to prioritize security events and log data so that the organization can address high-severity threats first.
• Security continuous monitoring. Maintain 24/7 alarm monitoring and response capabilities that ensure threats and vulnerabilities can be addressed the moment they arise.
• Detection processes. Develop processes that ensure security teams discover relevant events fast enough to act on them quickly. Deploy detection processes that support response and recovery workflows.

4.   Respond

The Respond category focuses on minimizing the impact of a threat once it is detected. That requires building a comprehensive action plan that includes notifying stakeholders of security breaches, taking decisive actions against threat actors, and conducting investigations to assess the extent of the damage.

This category also provides guidance into threat mitigation and remediation. When taken altogether, these actions can make the difference between a minor security incident and a catastrophic data breach.

Some of the subcategories included in the Respond category include:

• Response planning. Develop comprehensive incident response plans that detail the organization’s strategy for handling security incidents.
• Ensure timely, effective policies for communicating with security teams, internal users, and external stakeholders during a security incident. Establish a plan for notifying customers, employees, and regulators of data breaches.
• Conduct investigations into security incidents to understand what kinds of mitigation strategies are likely to provide the best outcomes.
• Take immediate action to neutralize security threats and contain the damage they have already done.
• Review cybersecurity incidents after they occur and find ways to improve security performance and reduce overall risk.

5.   Recover

The Recovery category emphasizes the importance of returning to normal business activity as soon as possible after a security incident occurs. It includes policies for restoring systems, implementing lessons learned, and preventing future threats.

When properly implemented, these policies help reduce the costs associated with downtime. It provides core guidance on restoring damaged equipment and communicating with customers, employees, and stakeholders throughout the recovery process.

Some of the subcategories included in the Recovery category include:

• Recovery planning. Establish a series of recovery plans that optimize the organization’s return to normal operations after a security incident occurs.
• Learn from security incidents and establish new policies designed to reduce the risk of future incidents.
• Create a plan for ensuring transparency and trust between internal teams and external stakeholders during the recovery process

What does NIST compliance achieve?

Organizations use the NIST Cybersecurity Framework to increase their security awareness and improve their level of preparedness against unexpected threats. Because every organization pursues the NIST standard in a different way, it can be used for a variety of goals.

Some of the ways organizations enhance security using the NIST CSF include:

• Creating risk profiles that communicate the organization’s current level of cybersecurity preparedness in a standard format that external stakeholders can easily engage with.
• Identifying new standards, policies, and other opportunities that can improve the performance of existing security controls.
• Developing new cybersecurity initiatives and meeting new requirements, including requirements stipulated by third-party vendors or partners.
• Communicating security requirements throughout the organization in a consistent, uniform way.

Note: Since NIST is a voluntary framework, organizations do not generally achieve “NIST CSF compliance”. Technically, security teams “leverage” NIST framework categories towards optimizing their security processes. All NIST CSF controls are internally developed and self-assessed.

What about NIST SP 800-53?

Many security practitioners use “NIST” as an interchangeable catch-all term for compliance initiatives based on NIST standards. However, NIST is a large organization with more than a thousand published reference materials. More than one of these have applications in the information security space.

NIST Special Publication 800-53 is the most common example. This is a set of security standards developed by the same institution, but specifically for use by federal government information systems. This helps government agencies and their vendors comply with the Federal Information Security Management Act (FISMA).

Key differences between the NIST Cybersecurity Framework and NIST SP 800-53

• Different use case scenarios. The NIST Cybersecurity Framework is a voluntary set of standards and policies that help organizations manage security risks more effectively. NIST SP 800-53 is a set of security controls specifically designed for federal government information systems.
• Broad vs. specific scope. The NIST Cybersecurity Framework provides a high-level overview of risk management best practices. It is designed to be used in a wide variety of contexts. NIST SP 800-53 is a detailed set of security controls designed for a particular context — working with US government federal agencies.
• Different technical formats. One is a framework, while the other is a set of standards. Standards have much more precise applications than frameworks and provide strict technical metrics for demonstrating compliance.
• Organization size and structure. The NIST Cybersecurity Framework is designed for all types of organizations, from small businesses to global enterprises. NIST SP 800-53 is meant specifically for government agencies and the commercial organizations they do business with.
• Only one is voluntary. Any organization can choose to follow the NIST Cybersecurity Framework. Federal agencies are required to adhere to NIST SP 800-53 by law.

Why comply with the NIST Cybersecurity Framework?

Every organization has its own reasons for pursuing the NIST Cybersecurity Framework.

• In some cases, security leaders and executive decision-makers simply agree that establishing a consistent, industry-standard approach to addressing cybersecurity risk is worth the effort.
• In other cases, third-party partners stipulate the adoption of NIST CSF controls as a condition for exposing their assets to a potential vendor’s network.
• Sometimes pursuing NIST CSF standards is a stepping stone towards achieving more complex compliance goals, since many regulated frameworks overlap significantly with NIST CSF.

Since the NIST Cybersecurity Framework has a wide-ranging scope, it is a relatively accessible objective for organizations making their first foray into information security compliance. It is not a replacement for in-depth customization or industry-specific regulation — but pursuing NIST CSF can improve compliance outcomes down the line.