NIST CSF Categories and Framework Tiers
Published November 19, 2019 by Shanna Nasiri • 5 min read
NIST CSF stands for the National Institute of Standards and Technology Cybersecurity Framework. The NIST CSF consists of best practices, standards, and guidelines to manage cybersecurity program risk.
This voluntary framework is divided into three primary parts: the framework core, profiles, and tiers. The NIST CSF core comprises five functions, and each function is further broken down into categories and subcategories. There are currently 23 categories and 108 subcategories in the NIST CSF.
Below you will find a detailed assessment of the NIST CSF functions and categories:
Identify the risk to critical infrastructure, information systems, people, assets, and data.
- Asset Management: Inventory and manage all company assets, including people. It is also important to understand Bring Your Own Device (BYOD), as this class of device generally carries a higher level of risk because such devices are neither company-owned nor company-secured.
- Business Environment: Understand what encompasses the business environment. You should know what the company’s mission is, why it exists, who the stakeholders are, and how the objectives are accomplished. Understanding the business environment will aid in deciding where cybersecurity program activities are needed and what a potential risk profile looks like.
- Governance: Manage and monitor the organization through a formalized set of procedures, policies, and processes. Proper governance leads to clear communication channels to management and the board, highlighting risk, regulatory compliance, and overall company operations.
- Risk Assessment: Assess and manage risk in the organization. The management of risk includes people, processes, and technology—right down to individual assets.
- Risk Management Strategy: There is no one-size-fits-all risk strategy. Some organizations are risk-averse, while others tolerate risk better because of their industry vertical or location. In the end, a risk management strategy is designed to support operational risk remediation.
Protect critical services delivery, the Systems Development Lifecycle (SDLC), and the overall secure engineering of information systems.
- Identity Management and Access Control: Who has access to what? Most importantly, how did they get the access and what are they doing with the access? Identity Management and Access Control is the core of how an organization’s employees are authorized to access applications and data. Multi-factor authentication, just-in-time access controls, password management, and single sign-on are all critical supporting technologies for identity management.
- Awareness and Training: How effective are your security controls if your end users don’t know the security basics? Phishing and spoofing are still the most successful attacks against most organizations. Whether you have won a fortune from a Nigerian prince or your CEO is suddenly asking for everyone’s W2 information, knowing what to look for can save your personal information and your company’s reputation. User awareness training is a cost-effective way of mitigating many forms of risk.
- Data Security: The three basics of data security are confidentiality, integrity, and availability. Regardless of device type, data should be encrypted and hashed in transit and at rest whenever possible. Rights management is also a good way of protecting data as it also verifies the identity of the recipient before access is granted.
- Information Protection Processes and Procedures: How successful would a security program be without processes and procedures? Policies should address roles, responsibilities, and coordination between organizational entities.
- Maintenance: A well-oiled machine keeps running, but one without maintenance will eventually break down. Subcategories under protection are not set-and-forget, but require constant updates to remain operationally effective.
- Protective Technology: Supporting people and processes with technology ensures there is security resilience of information systems and assets in an organization.
Detect the occurrence of cybersecurity events in a continuous manner with situational awareness.
- Anomalies and Events: Anomalous activity needs to be detected promptly, and the potential impact of events must be well understood.
- Security Continuous Monitoring: Systems and assets must be continuously monitored to identify events and verify the effectiveness of protective measures.
- Detection Processes: Logging, alerting, and event handling must follow a defined detection process that evolves with the emerging threat landscape.
Respond to cybersecurity events with a tested contingency plan.
- Response Planning: In the event of a cybersecurity incident, follow processes and procedures.
- Communications: Coordinate response actions with internal and external stakeholders.
- Analysis: Verify that response actions and recovery activities function on an ongoing basis through testing.
- Mitigation: Actions performed must prevent expansion of the event and lead to resolution.
- Improvements: Response actions as a whole should be examined for potential process improvements.
Recover from cybersecurity events and maintain plans to restore capabilities to impacted services.
- Recovery Planning: Recovery processes are similar to carpentry. The adage of “measure twice and cut once” applies to procedures focused on restoring information systems or assets affected by an incident.
- Improvements: Much like other areas of the framework profile, recovery processes should be reviewed for improvement on an ongoing basis.
- Communications: One of the most important aspects of recovering from an incident is well-defined communication channels.
NIST Cybersecurity Framework Tiers
There are four implementation tiers as part of the NIST CSF. Each tier is described along three dimensions: risk management process, integrated risk management program, and external participation. While not considered true maturity measurements, the tiers do foster communication between risk architects, engineers, and operators. A higher tier typically represents a more mature cyber risk posture.
Tier 1: Partial
Informal practices, limited awareness, and sparse cybersecurity coordination.
- Risk Management Process: Risk management processes are not formalized and risk is handled in an ad hoc and reactive manner.
- Integrated Risk Management Program: Limited awareness of cybersecurity risk. Any implemented cybersecurity risk management is irregular and communication within the organization is lacking.
- External Participation: The organization does not collaborate with other entities to better understand the threat landscape.
Tier 2: Risk Informed
Management approves the risk management practices, high-level awareness exists, and information is shared and coordinated.
- Risk Management Process: Practices are approved by management but may not be adopted organization-wide. Information security activities are applied directly.
- Integrated Risk Management Program: The organization is aware of cybersecurity risk, but the approach is not well managed. There are some small pockets of cybersecurity objectives and programs.
- External Participation: There is a general understanding of the organization’s role in the larger risk assessment ecosystem. Information is available and consumed from external sources but is rarely acted upon.
Tier 3: Repeatable
Formal policies are defined, with organization-wide awareness, implemented processes, and regular formal coordination.
- Risk Management Process: Risk management is formally approved and expressed in policy. Practices are regularly updated and change with business requirements.
- Integrated Risk Management Program: Policies and processes are defined, implemented, and reviewed regularly. Communication is organization-wide.
- External Participation: The organization knows where it stands in the overall threat landscape. External feeds are generally acted upon and baselined.
Tier 4: Adaptive
Adaptive risk management processes include information security as part of the organizational culture and promote active information sharing.
- Risk Management Process: Previous and current cyber activities inform cybersecurity practices. The threat landscape is examined continuously and the program adapts as that landscape changes.
- Integrated Risk Management Program: The organization and cybersecurity are in lockstep. Business units implement cybersecurity best practices as part of day-to-day business.
- External Participation: The organization not only understands its role in the cyber ecosystem but actively contributes to making it better.
Profiles are an organization’s unique alignment of its organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile with a “Target” Profile. Implementing profiles allows for prioritization of deployment and remediation of gaps identified during a NIST CSF assessment. The key word to remember when it comes to profiles is optimizing, which enables the NIST framework to serve an organization rather than bending an organization to a rigid architecture.
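As an added illustration of the Current-versus-Target comparison described above (example code written for this article, not NIST’s or the author’s), the script below encodes the categories listed on this page, records a Current and a Target Profile as a Tier per category, and ranks the resulting gaps for remediation; the two profiles and the per-function weights are constructed sample values.

```python
"""Current-vs-Target Profile gap analysis over the NIST CSF categories this
page lists. Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive."""
from collections import namedtuple

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
# Framework Core as (function, category) pairs; Respond and Recover both have
# Improvements and Communications, so categories are keyed by function too.
CORE = {
    "Identify": ["Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy"],
    "Protect": ["Identity Management and Access Control", "Awareness and Training",
                "Data Security", "Information Protection Processes and Procedures",
                "Maintenance", "Protective Technology"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring",
               "Detection Processes"],
    "Respond": ["Response Planning", "Communications", "Analysis", "Mitigation",
                "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}

Gap = namedtuple("Gap", "function category current target")

def validate(profile):
    # Reject unknown categories or tiers outside 1-4 before comparing profiles.
    for (func, cat), tier in profile.items():
        if cat not in CORE.get(func, ()):
            raise ValueError(f"unknown category {func}/{cat}")
        if tier not in TIERS:
            raise ValueError(f"tier must be 1-4, got {tier!r}")

def gap_analysis(current, target, weights=None):
    """Categories where Target exceeds Current, ordered for remediation: largest
    weighted gap first, then Core order, then name. A category missing from the
    Current Profile is assumed to sit at Tier 1 (Partial)."""
    validate(current); validate(target)
    weights = weights or {}                    # optional business-impact weight per function
    gaps = [Gap(f, c, current.get((f, c), 1), t) for (f, c), t in target.items()
            if t > current.get((f, c), 1)]
    order = list(CORE)
    return sorted(gaps, key=lambda g: (-(g.target - g.current) * weights.get(g.function, 1),
                                       order.index(g.function), g.category))

# Constructed sample profiles: mostly Tier 2 today; Tier 3 across the board as
# the target, with Tier 4 for identity management and continuous monitoring.
CURRENT = {(f, c): 2 for f, cats in CORE.items() for c in cats}
CURRENT[("Identify", "Asset Management")] = 1
CURRENT[("Protect", "Data Security")] = 3   # already at target: no gap
TARGET = {(f, c): 3 for f, cats in CORE.items() for c in cats}
TARGET[("Protect", "Identity Management and Access Control")] = 4
TARGET[("Detect", "Security Continuous Monitoring")] = 4
```

Calling `gap_analysis(CURRENT, TARGET, weights={"Protect": 2})` puts the two-tier jump in Identity Management and Access Control first, then the remaining two-tier gaps in Core order, then the one-tier gaps.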