You might be hearing the buzz of the NIST Cybersecurity Framework (CSF). What started as a popular framework to help track and secure critical infrastructure in 2014 is now becoming widely adopted by all types of organizations.

There are plenty of forecasts suggesting that adoption will rise high enough that it becomes a requirement for doing business with key vendors and government entities.

Why It’s So Successful

It builds on established best practices such as COBIT, ISO standards, and other NIST publications.

It helps measure the maturity of systems against the framework’s 98 sub-categories of controls. The maturity is rated on a scale from 1 to 4. Not to worry, there is guidance on prioritization.

Here’s a video on why managers think it has been so successful.

Cybersecurity Framework Makeup

It’s understandable why you’re interested in becoming compliant in this program. But before you do so you should learn what the framework is and how it’s used.

Let’s briefly start at the beginning. Check out the original document – Framework for Improving Critical Infrastructure Cybersecurity (History page). It’s actually quite short.

After the intro, we’ll also talk about the recent 1.1 version.

Framework Core

The Framework Core is organized around five functions of cybersecurity management:

  1. Identify (ID)
  2. Protect (PR)
  3. Detect (DE)
  4. Respond (RS)
  5. Recover (RC)

Each function houses categories, which in turn contain subcategories.

Each subcategory is paired with a list of standards (the best practices mentioned earlier) to follow. Pretty simple, but it’s worth mentioning that organizations will need to make their own choices on how to measure against them.

Framework Implementation Tiers

The tiers range from 1 – Partial to 4 – Adaptive.

The tiers give organizations a way to grade their cybersecurity competence in 3 areas. Again, according to NIST, the tiers do not measure the subcategories themselves.

Those 3 areas are:

  1. Risk Management Process
  2. Integrated Risk Management Program
  3. External Participation

Framework Profile

Your profile should be based on your resources, requirements, and risk tolerance, so that the requirements you set can actually be met with the resources you have.

From here you essentially create your own guide for starting a cybersecurity program or grading an existing one. Grading gives you a snapshot of your progress.
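To make the profile-and-grading idea concrete, here is an added example (not code from the original post or from NIST). It assumes the organization has chosen, as the framework leaves to you, a 0 to 4 implementation score for each subcategory in scope plus a business weight per subcategory; the subcategory IDs follow the CSF’s Function.Category-N naming, and every score and weight below is constructed sample data. The script compares a target profile against the latest assessment, lists the subcategories that fall short in priority order, and rolls the scores up per function as a progress snapshot. Note what it does not do: the weighted shortfall ranks remediation work, it does not measure risk.

```python
"""Gap analysis between a target CSF Profile and a current assessment.

Added example, not code from the original post or from NIST. It assumes
the organization has chosen a 0-4 implementation score per subcategory
(the framework leaves the choice of measurement to you) and a business
weight per subcategory. Subcategory IDs follow the CSF's
Function.Category-N naming; all scores below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five Framework Core functions, keyed by their two-letter codes.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

MAX_SCORE = 4  # implementation scale 0 (nothing) .. 4 (fully implemented)

# Target Profile: subcategory -> (target score, business weight).
# Constructed sample data; a real profile covers every subcategory in scope.
TARGET_PROFILE: Dict[str, Tuple[int, int]] = {
    "ID.AM-1": (4, 3),
    "ID.RA-1": (3, 2),
    "PR.AC-1": (4, 3),
    "PR.DS-1": (3, 2),
    "DE.CM-1": (3, 3),
    "RS.RP-1": (3, 2),
    "RC.RP-1": (2, 1),
}

# Current Profile from the latest assessment: subcategory -> score.
# RC.RP-1 is deliberately absent to show how unassessed items are handled.
CURRENT_ASSESSMENT: Dict[str, int] = {
    "ID.AM-1": 2,
    "ID.RA-1": 3,
    "PR.AC-1": 1,
    "PR.DS-1": 3,
    "DE.CM-1": 1,
    "RS.RP-1": 2,
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    weight: int

    @property
    def shortfall(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # Weighted shortfall: how far behind, scaled by how much it matters
        # to the business. This ranks work; it is not a risk measurement.
        return self.shortfall * self.weight


def _function_of(subcategory: str) -> str:
    code = subcategory.split(".", 1)[0]
    if code not in FUNCTIONS:
        raise ValueError(f"unknown function code in {subcategory!r}")
    return code


def gap_analysis(target: Dict[str, Tuple[int, int]],
                 current: Dict[str, int]) -> List[Gap]:
    """Return every subcategory below target, highest priority first."""
    gaps: List[Gap] = []
    for sub, (want, weight) in target.items():
        code = _function_of(sub)
        have = current.get(sub, 0)  # unassessed counts as not implemented
        for score in (want, have):
            if not 0 <= score <= MAX_SCORE:
                raise ValueError(f"{sub}: score {score} outside 0..{MAX_SCORE}")
        if have < want:
            gaps.append(Gap(sub, FUNCTIONS[code], have, want, weight))
    # Ties in priority are broken alphabetically so output is deterministic.
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def function_summary(target: Dict[str, Tuple[int, int]],
                     current: Dict[str, int]) -> Dict[str, Tuple[float, float]]:
    """Average (current, target) score per function: a progress snapshot."""
    totals: Dict[str, List[List[int]]] = {c: [[], []] for c in FUNCTIONS}
    for sub, (want, _weight) in target.items():
        code = _function_of(sub)
        totals[code][0].append(current.get(sub, 0))
        totals[code][1].append(want)

    def avg(xs: List[int]) -> float:
        return round(sum(xs) / len(xs), 2) if xs else 0.0

    return {c: (avg(have), avg(want)) for c, (have, want) in totals.items()}


if __name__ == "__main__":
    for g in gap_analysis(TARGET_PROFILE, CURRENT_ASSESSMENT):
        print(f"{g.subcategory} ({g.function}): {g.current}->{g.target} "
              f"priority={g.priority}")
    for code, (have, want) in function_summary(TARGET_PROFILE,
                                               CURRENT_ASSESSMENT).items():
        print(f"{FUNCTIONS[code]:<8} current={have:.2f} target={want:.2f}")
```

Run it as-is to see the ranked gap list and the per-function averages; swap in your own profile and assessment to reuse it. Treating an unassessed subcategory as a score of 0 is a deliberate choice so that gaps in coverage surface at the top of the list rather than silently disappearing from the snapshot.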

Grading? Can the Framework Be Used as a Cybersecurity Report Card?

In a way, yes. The good news is this framework:

  • Is concise, efficient and adaptable.
  • Takes a top-down view instead of focusing on a list of technical controls.
  • Uses the tiers system to measure improvements in a straightforward manner.

But if you break it down, the framework can be viewed as a glorified checklist. It can therefore provide illusory benefits if the implementation team:

  • Assumes that complying with the checklist lowers overall risk. This is not necessarily true, simply because the framework doesn’t measure risk.
  • Attempts to use the checklist in a business case to show return on investment. This checklist doesn’t measure ROI.
  • Thinks there is measurable guidance to accurately determine which tier the organization should be in.

Shout out to FAIR model author Jack Jones for his series of blog posts, which outline a pretty clear picture of what the CSF is capable of. His work influenced this pros and cons section.

Mr. Jones notes that the framework is comprehensive, which is awesome. Unfortunately, he also notes that it can be tough to navigate. He goes further: “the odds of an organization accurately measuring and appropriately prioritizing its control improvements are extremely low.”

As someone who helped an organization do an SAQ for PCI compliance, I give this observation 2 thumbs up.

Version 1.1 of the Cybersecurity Framework

If more businesses are using the CSF, does that mean it’s a business tool? Yes, it’s a cost-effective, voluntary framework that focuses on security first.

With business and the security landscape constantly changing, an update was due. Nearly 9 months ago, Version 1.1 came out.

Version 1.1 refines, clarifies, and enhances Version 1.0, according to Matt Barrett, program manager for the Cybersecurity Framework.

If you have the time, check out this overview video (it’s 1 hour).

Great, So Now What? How Do I Get Started?

Here’s a great article on Dark Reading that lays out how to Turn the NIST Cybersecurity Framework into Reality: 5 Steps. Pretty useful for turning lifeless documents into action.

Otherwise, the next thing to look into is mapping the CSF to other frameworks. Under the next few headings, I’ll provide links to some resources that help explain the other requirements and frameworks.

Comparing NIST CSF to Other Frameworks

Cybersecurity Framework

NIST Cybersecurity Framework – Everything You Need to Know | Kaseya

Cybersecurity Framework

A Tale of Two Frameworks: The NIST CSF and NIST RMF Are Not the Same – Telos

HIPAA Security Rule vs CSF

NERC vs. NIST: Choosing the Right Infrastructure Cybersecurity Framework | RSI Security

NIST, ISO, CIS or COBIT? Comparing Comprehensive Cybersecurity Frameworks

CSF, 800-53, 800-171

Complete Guide to NIST: Cybersecurity Framework, 800-53, 800-171 | Reciprocity

NIST vs SOC 2: What’s the Difference? | Reciprocity

Cybersecurity Maturity Model Certification (CMMC)

NIST 800-171 vs CMMC | CMMC Certification | CMMC Policy | CMMC Compliance | CMMC Standards

Why Do We Need CMMC?

The Cybersecurity Maturity Model (CMMC): Part 1 – Why Do We Need Another Framework?

CMMC vs. NIST 800-171

CMMC vs. NIST 800-171

CMMC vs DFARS 800-171

CMMC 1.0 vs. NIST 800-171 – Eight Essential Differences

DFARS Info 800-171

NIST 800-171 Compliance

DFARS Compliance: The Definitive Guide for DoD Contractors

NIST SP Publications

SP 800-171 Rev. 2

NIST Special Publication (SP) 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

SP 800-171 Rev. 1

SP 800-171

800-171 or CMMC Costs Considered Reimbursable?

Are NIST 800-171 or CMMC Cybersecurity Costs Considered Reimbursable by the DoD? – CyberSheath

How Do I Know if I Need to Be Compliant?

How Do I Know If I Need to Be DFARS Compliant?

NIST 800-171 (DFARS) And NIST 800-53 (FISMA)

The Differences Between NIST 800-171 (DFARS) & NIST 800-53 (FISMA)

One More Thing, the Risk Management Framework

The CSF should not be confused with the RMF, even though they appear similar. The steps may be similar in tone, but the process is slightly different, and the CSF doesn’t directly measure risk.

The RMF essentially categorizes systems and quantifies their risk. If you use both frameworks, you’ll have a pretty comprehensive security program.

Here’s a brief overview:

  • Step 0: Prepare – carry out essential activities and prepare to manage risks using the framework.
  • Step 1: Categorize – categorize the system and perform impact analysis on information.
  • Step 2: Select – select baseline security controls based on categories and assessment of risk.
  • Step 3: Implement – implement security controls and document how they are deployed in the environment.
  • Step 4: Assess – assess security controls to determine whether they are implemented correctly.
  • Step 5: Authorize – authorize systems based upon acceptable risk.
  • Step 6: Monitor – monitor security controls on an ongoing basis to determine effectiveness. Document changes, perform security impact analyses, and report the security state of the system to organizational officials.

You can view the 2009 Risk Management Framework presentation slides with associated security standards and guidance documents.

Again, this is just a general overview. You can get more context by reading up on their Risk Management Framework (RMF) Overview at NIST CSRC.

Wrapping Up

So what do you think? Have you bought into the CSF or have plans to review it this year?

What has you stuck? Any additional points you would like to see written about? Sound off in the comments below.
