What is NIST Cybersecurity Framework 1.1 (NIST CSF)

Kerie Kerstetter
4 min read
The NIST Cybersecurity Framework is a set of procedures and guidelines developed to help organizations improve cybersecurity measures. Commonly known as the Cybersecurity Framework, its full title is the Framework for Improving Critical Infrastructure Cybersecurity. It was launched by the National Institute of Standards and Technology (NIST), a part of the US Commerce Department.

Robust cybersecurity processes are vital for any organization. With ever-changing developments in technology and digital applications, organizations are becoming increasingly exposed to growing cyber threats, as more digital solutions are integrated across business operations. The NIST Cybersecurity Framework helps to improve IT governance and risk management through best-practice guidelines.

The framework is used by all federal agencies and has proven popular with organizations of all sizes across the USA. It has also been used or adapted by international companies and governments.

This article explores the NIST Cybersecurity Framework, how to use it and the benefits of compliance with the framework.

The National Institute of Standards and Technology Cybersecurity Framework 1.1 explained

The Cybersecurity Framework was first published in 2014 by the National Institute of Technology. It was developed with input from research institutes, industry, and government. Originally, it was created to standardize cybersecurity within organizations dealing with critical infrastructure. It has since been adopted by organizations across a range of industries.

Popular because of its flexibility, organizations of all sizes can customize and use the framework to meet their specific cybersecurity needs. It can be used to understand the critical elements of an organization's service delivery, making cybersecurity planning cost-effective.

NIST Cybersecurity Framework version 1.1 was released in April 2018. It makes a range of improvements to the original version, based on workshops, public feedback and consultation. Changes include new guidance on self-assessment of cybersecurity risks, and an expanded section on Cyber Supply Chain Risk Management. Updates reflect advances in wider technology and cybersecurity threats.

The Benefits of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework brings a range of benefits to all organizations. Security breaches and cyber threats can have a huge financial impact, alongside the impact made on reputation. The framework can help organizations prevent, resolve and recover from serious cybersecurity incidents.

The NIST Cybersecurity Framework helps organizations:
  • Improve and support existing IT risk management plans.
  • Embed clear guidelines to prevent and resolve cybersecurity incidents.
  • Prepare for restoring normal operation after serious cybersecurity breaches.
  • Create a cybersecurity risk management process tailored to the organization's needs.
  • Encourage a systematic approach to cybersecurity.
Build an understanding of cybersecurity risks across the entire organization.

What's in the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is made up of three components:

Component 1: Core

The core component contains activities and objectives to improve cybersecurity risk management. This component contains the important Five Functions of the framework.

Component 2: Tiers

The tiers component helps define the level of cybersecurity risk management required. This allows for a scaled approach to suit different budgets and organizations.

Component 3: Profiles

The profiles component helps to identify cybersecurity risks and objectives in the organization and wider sector.

The Five Functions of the NIST Cybersecurity Framework

A vital part of the NIST Cybersecurity Framework is the Five Functions found within the core component. Each function represents an important step in cybersecurity risk management and contains an array of categories and subcategories.

The Five Functions are:

Function 1: Identify

Identify the cybersecurity risks to all areas of the organization including resources, data and people. This helps to inform the risk management strategy.

Function 2: Protect

The steps needed to safeguard services against cybersecurity threats, limiting serious incidents and breaches.

Function 3: Detect

Outlines the process for identifying the existence of a cybersecurity incident and its impact.

Function 4: Respond

The process for responding to a cybersecurity incident, mitigating its impact on the organization.

Function 5: Recover

The steps to restoring service after a cybersecurity incident.

Using the NIST Cybersecurity Framework

The NIST Cybersecurity Framework is optional for most private businesses or organizations. However, the value it brings to IT governance and risk management means it has become popular with organizations of all sizes.

The tiers component of the Cybersecurity Framework helps organizations implement it. Different levels of cybersecurity risk management are outlined, streamlining the process of embedding the framework.

The framework is both scalable and customizable. It can be used by organizations to create new cybersecurity processes as well as those with long-established IT risk management programs. Elements can be fine-tuned to fit the needs and budgets of both small and large organizations. It will take time and resources to properly embed the NIST Cybersecurity Framework, but the potential cost of a cybersecurity breach is much greater.

Diligent Can Help

Diligent Compliance software will streamline the implementation of the NIST Cybersecurity Framework in your organization. Manage internal audits of current cybersecurity processes, perform compliance monitoring, and track improvements in IT governance.

Book a demo with Diligent Compliance today.
Related Insights
This is where Author Role goes
Kerie Kerstetter
Kerie Kerstetter is the former Senior Director of Content Strategy for Diligent and the Next Gen Board Leaders.