NIST Cybersecurity Framework: what it is and how to use it
The National Institute of Standards and Technology (NIST) Cybersecurity Framework was born out of the “Cybersecurity Enhancement Act” passed by the US Congress in 2014, and was initially aimed at securing critical infrastructure in the United States. Today, this methodology has become an authority on cyber risk self-assessment and on the implementation of preventive and protective measures. In 2022, more than ever before, this framework is frequently called upon as the cybersecurity challenges facing companies become increasingly significant. How is this method structured? Is it easy to develop and implement? Is it sufficient to effectively identify and rectify cyber risks?

The NIST Cybersecurity Framework: what is it?
The NIST Cybersecurity Framework (CSF) is a methodological framework that helps organizations manage cybersecurity.
A definition
The NIST Cybersecurity Framework was created in the United States. NIST is the National Institute of Standards and Technology, part of the US Department of Commerce. Its “Cybersecurity Framework” is defined as a set of standards, guidelines and best practices for managing information technology risks.
Companies may decide to follow this methodological framework, but there is no legal obligation to do so. It is used to anticipate security breaches, but also to manage and mitigate IT risks that have already been identified.
The NIST CSF is often compared to national and international regulations, and its approach is similar to the requirements of the ISO 27001 certification, which deals with information system (IS) security.
What is the NIST CSF for?
This framework is meant to help public and private organizations draw up a detailed list of their cybersecurity objectives and develop the procedures needed to accomplish them. This means overseeing the processes of risk identification, IS protection, cybersecurity breach detection and management, and recovery. The NIST CSF should also help prioritize improvement initiatives and assess the organization's progress in cybersecurity.
In detail, the NIST CSF provides guidance on all of the following actions:
- building the foundation of a cybersecurity strategy by analyzing cyber risks;
- assessing the effectiveness of existing IT security practices;
- estimating the potential severity of the risks the organization is exposed to;
- improving the process of cybersecurity breach management;
- raising employee awareness;
- optimizing communication on cybersecurity with stakeholders.

Who is this intended for?
When the National Institute of Standards and Technology initially designed this cybersecurity framework, its purpose was to improve cyber risk management in the United States. It primarily targeted “critical infrastructure”, the sectors essential to the functioning of American society and its economy.
Now that economic players from all sectors are affected by cyber risk, public and private organizations all over the world use it to develop their cybersecurity management strategy. It is also the cybersecurity method of choice for large banking and industrial groups.
What is NIST CSF about?
The NIST Cybersecurity Framework helps companies analyze, manage, and reduce their cyber risks in order of priority. This approach notably relies on awareness and communication.
How to obtain NIST certification?
The NIST CSF is not a certification. It is a method that an organization chooses whether or not to adopt; no regulatory authority requires compliance with it.
No, the use of the NIST framework is completely up to you.
