NIST Cybersecurity Framework: what it is and how to use it

The National Institute of Standards and Technology (NIST) Cybersecurity Framework was born as a result of the “Cybersecurity Enhancement Act” – passed by the US Congress in 2014 – and was initially aimed at guaranteeing the cybersecurity of critical infrastructures in the United States. Today, this methodology has become an authority on cyber risk self-assessment and implementation of preventive and protective action. In 2022, more than ever before, this framework is frequently called upon as cybersecurity challenges for companies become increasingly significant. How is this method structured? Is it easy to develop and implement? Is it sufficient in effectively identifying and rectifying cyber risks?

Christophe Forêt
President and co-founder of C-Risk
March 8, 2023

The NIST Cybersecurity Framework: what is it?

The NIST Cybersecurity Framework (CSF) is a methodological framework to help manage cybersecurity.

A definition

The NIST Cybersecurity Framework was created in the United States. NIST is the National Institute of Standards and Technology, part of the US Department of Commerce. Its “Cybersecurity Framework” is defined as a set of standards, guidelines and best practices to manage Information Technology risks.

While companies may decide to follow this methodological framework, there is no legal obligation to do so. It is used to anticipate security breaches, but also to manage and mitigate identified IT risks.

The NIST CSF is often compared to national and international regulations, and the approach is similar to the requirements of the ISO 27001 certification, which deals with information system (IS) security.

What is the NIST CSF for?

This framework should help public and private organisations to draw up a detailed list of their cybersecurity objectives and to develop certain procedures to accomplish them. This means monitoring the processes of risk identification, IS protection, cybersecurity breach detection and management, and recovery. The NIST CSF should also help prioritize ideas for improvement and assess the organization's progress in cybersecurity.

In detail, the NIST CSF provides information on all of the following actions:

  • building the foundation of a cybersecurity strategy by analyzing cyber risks;
  • assessing the effectiveness of existing IT security practices;
  • estimating the potential severity of the risks the organization is exposed to;
  • improving the process of cybersecurity breach management;
  • raising employee awareness;
  • optimizing communication on cybersecurity with stakeholders.

Who is this intended for?

When the National Institute of Standards and Technology initially designed this cybersecurity framework, it was to improve cyber risk management in the United States. It primarily targeted “critical infrastructures”, essential for the functioning of American society and economy.

Now, as economic players from all sectors are affected by cyber risk, structures from both the public and private sector are using it all over the world to develop their cybersecurity management strategy. It is also the cybersecurity method of choice of large banking and industrial groups.

How does the NIST CSF work?

The NIST framework revolves around three components, as illustrated in the diagram below: framework core, implementation tiers, and framework profile. Each component needs to support the evaluation of the impact of cybersecurity risk management on the operational and financial performance of the structure.

[Diagram: Cybersecurity Framework]

1 / Core

The core component structures risk management organizational strategy around five "functions": identify, protect, detect, respond, and recover. These functions are themselves broken down into categories, subcategories, and “informative references”, or “documentary resources”.

2 / Implementation Tiers

The implementation tiers enable the company to assess the cyber-risk management process that has already been set up. These tiers support the evaluation of the structure's maturity in this area. This should lead to a diagnosis organized around four maturity tiers: partial, risk-informed, repeatable, or adaptive.

3 / Profile

The profile indicates how an organization manages cyber risks, with regard to its strategic objectives. The comparison between the “current profile” and the “target profile” should enable the company to identify the actions it should implement first.

What are the benefits of using the NIST Framework?

The NIST CSF is a detailed and comprehensive method which has become a reference in the field of cybersecurity. Like many theories surrounding cyber risk management, however, it still suffers from a few shortcomings, especially when it comes to identifying risks.

Benefits of the NIST Cybersecurity Framework

The NIST CSF has the merit of thoroughly supporting risk management. Many organizations have already reaped the benefits from properly applying the NIST CSF, as it helped them to raise awareness about their shortcomings in terms of cyber risk management. It is also an efficient way of evaluating which protective measures should be implemented.

The NIST Cybersecurity Framework also represents one of the major worldwide references in IT risk management, and even has an influence on the newest cyber risk regulations.

Limitations of the NIST cyber framework

The NIST framework revolves around different categories and subcategories of information that some structures struggle to implement due to its daunting nature. Also, its proper application is not a given. Indeed, application depends on a self-assessment process, which is not validated by any external body. The smooth running of this method of risk analysis and anticipation of cybersecurity breaches therefore depends on the organization’s maturity in this area.

The NIST framework is also commonly criticized for deviating too much from the standards of other risk management methods, which makes it harder for teams to seamlessly integrate the approach. Training existing staff in this method therefore requires more time and resources.

The NIST Cybersecurity Framework also presents the same difficulties as other methods, such as ISO 27001, when it comes to measuring or estimating cyber risks. Within the framework of NIST, this analysis is part of a qualitative risk assessment, based on an entirely subjective probability of occurrence. This sometimes results in unrealistic risk classifications.

The only solution to this type of problem is to move away from subjectivist risk analysis and take advantage of statistical methods, which is the main goal of FAIR™ Analysis (Factor Analysis of Information Risk). This standard is now the international reference in terms of quantifying cyber risks. It aims to mathematically measure these risks in order to translate them into financial data. What’s more, it is referenced by NIST in NISTIR 8286, a document published in 2020, and in a “success story” published in 2019. To quote section 3.3.1, “Risk analysis types”: “While qualitative methods are commonplace, the practitioner may benefit from considering a quantitative methodology with a more scientific approach to estimating likelihood and the impact of consequences where the data is available for this type of analysis. This may help to better prioritize risks or prepare more accurate risk exposure forecasts.”

How to use the NIST CSF correctly

The NIST Framework is a method broken down into many steps. The success of cyber risk self-assessment is contingent on the company’s ability to properly implement it. You can find the complete cyber framework detailed on the NIST website.

Explaining the 5 functions of the core

The first step of the NIST analysis consists of structuring the management of cyber risks around five functions:

1 / Identifying the critical assets of the company, in order to prioritize the actions. This identification must relate to processes, systems, and valuable resources. NIST version 1.1 also implies sifting through the supply chain and stakeholders.

2 / Protecting the structure from cyber threats. This approach involves raising awareness and leading training, but also implementing software and protective technology to mitigate or prevent any risk to systems containing sensitive data.

3 / Detecting suspicious activities before they have adverse implications. This function relies on the monitoring levers the company has set up.

4 / Responding to cybersecurity events using a guide designed upstream of the occurrence of risks. This strategy should permit the company to quell the threat before it emerges and includes planning, communication, and mitigation measures.

5 / Recovering after a cyberattack: restoring the original state of the information systems and implementing measures to prevent the risk from reoccurring.

The NIST framework’s 4 tiers of maturity

Thanks to the tiers of implementation provided for by the NIST, you can assess how well your organisation manages its risks and use the method at your own pace, factoring in your individual requirements:

  • Tier 1: Partial

This tier concerns the structures that react to risks more than they take preventive action against them. High awareness and internal communication processes on this topic have not yet been achieved.

  • Tier 2: Risk-informed

Here, cyber risk management is more focused. Employees have the tools to implement cybersecurity processes and begin to be aware of the risks. However, the company still lacks secure communication channels with external players.

  • Tier 3: Repeatable

The cyber risk management strategy is both formalized and prioritized. Employees are well aware of the risks, and have the tools for secure collaboration with external sources.

  • Tier 4: Adaptive

This is the highest tier of cybersecurity risk management. The company is able to guard against dangers and anticipate them. Employees have a high level of cybersecurity skills.

Frequently Asked Questions about NIST Cybersecurity Framework

What is NIST CSF about?

The NIST Cybersecurity Framework helps companies analyze, manage, and reduce their cyber risks according to a ranking of priorities. This approach notably requires awareness and communication.

How to obtain NIST certification?

NIST CSF is not a certification. It is a method you choose to use or not, without any normative authority requiring you to comply.
