In February 2014, the United States National Institute of Standards and Technology (NIST) released the first version of the Cybersecurity Framework (CSF). The initial NIST CSF release has provided a valuable set of optional standards and best practices to assist business leaders with efforts to ward off threats like ransomware, stolen data, and anything else flowing from the devious minds of cybercriminals.

The NIST Cybersecurity Framework gives organizations a five-point structure to improve their cybersecurity posturing for economic security. While this is not regulatory, it is widely considered best practice — and as such, it offers organizations powerful ways to take charge of their cybersecurity strategy. Organizations can use the NIST Cybersecurity Framework to assess their exposure, evaluate their cybersecurity measures, and decrease risk.

Since its establishment, the NIST cybersecurity framework has significantly improved for a stronger and more inclusive system. As a gold standard for organizations regarding cybersecurity control, the NIST has consistently implemented improvements to the Framework.

Key Takeaways

1. The NIST Cybersecurity Framework’s main objective is improving critical infrastructure cybersecurity for different organizations handling data.

2. The NIST Cybersecurity Framework is systematically implemented by following five framework core steps: identify, protect, detect, respond, and recover functions.

3. I.S. Partners, LLC can help you thoroughly understand the core values of the NIST CSF and help you evaluate your operation’s compliance with the Framework.

What Is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (NIST CSF) is a voluntary systematic program for organizations seeking to improve their cybersecurity status. The program includes standards and strategies to help proactively reduce cybersecurity risk and protect their assets.

It was developed to assist organizations in becoming proactive about managing their risk. The NIST CSF is regularly used for cybersecurity planning and is trusted because of its reputation as a best practice.

The NIST Cybersecurity Framework includes a list of prescriptive activities and control techniques for improving cybersecurity – the framework core, implementation tiers, and profile. The Framework consists of a benchmark system to help organizations assess whether their current security complies with the NIST CSF program. The system is composed of four main tiers.

functions of nist cybersecurity framework

Its implementation tiers help organizations self-assess and manage cybersecurity risk and mitigation strategies. The tiers help stakeholders understand how the organization compares to the NIST CSF standards and see where improvements are needed.

  • Tier 1: Partial
  • Tier 2: Risk-Informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

The Framework encourages organizations to develop a current profile of data protection and then identify the targeted implementation tier. The tiers provide ways to measure improvement.

Benchmarking allows organizations to determine opportunities to make the most direct improvements. Organizations can close the gaps between the two and create a road map outlining actionable steps by comparing their current level with their desired tier.

In this way, the NIST CSF encourages the continual improvement of security strategies, critical infrastructure services, and mitigation of cybersecurity risks. It also helps the organization connect its business requirements, risk tolerance, and resources to the cybersecurity plan for greater clarity.

5 Core Functions of the NIST Cybersecurity Framework

These five elements are the five pillars of a successful and holistic cybersecurity program assisting organizations in developing a high-level cybersecurity risk management strategy.

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

The five functions of the NIST CSF all work continuously and concurrently. They are the foundation upon which all other important elements are built for effective high-level risk management.


Download our FREE NIST Cybersecurity Framework checklist and get a clear path to compliance.


The NIST CSF requires organizations to understand their environment fully to manage cybersecurity risks at the data, asset, and systems levels. The identify function is the point at which you evaluate the context of your business.

Organizations must thoroughly inventory and identify their assets to comply with this framework aspect. It is not enough to know what assets the organization owns; you must understand how the different pieces are connected and what employees’ roles or responsibilities are regarding data. Following are the five key categories within this function describing what needs to be done:

  • Asset Management. This step requires you to identify all assets, including personnel, data, devices, systems, and facilities used to achieve core business purposes.
  • Business Environment. Defines the organization’s objectives, mission, stakeholders, and general activities. This also includes identifying the role of the business in the supply chain market.
  • Governance. Covers policies, procedures, and processes necessary to monitor and manage the business’s legal, risk, regulatory, environmental, and operational requirements.
  • Risk Assessment. Understanding the cyber risks and vulnerabilities to all organizational operations, assets, and individuals.
  • Risk Management Strategy. Establishing an organization’s constraints, priorities, and risk tolerances are used to support operational decisions.

The NIST risk assessment stage is critical as it sets the tone for the entire framework. This means that the risk assessment results will be used for the following steps.

Remember that the identify function is not static, like the Framework itself; it’s constantly growing and evolving. Threats, systems, and people change rapidly, so staying vigilant and repeating this crucial function is important.

As such, regular listing and reviewing of assets is a must to ensure that everything is properly accounted for.


Only once you have a full and accurate picture of these risks can you determine how your current cybersecurity policies protect your organization and where they fall short. The protect function supports limiting and containing any impact resulting from a cybersecurity event.

Below are the six categories of safeguards designed to mitigate the impact of cyber threats that fall under protection:

  • Access Control. Access to your assets and network should be limited to the least possible privileges. Role-based access should be utilized for facility access, running processes, and user access to allow just enough access for each process/user to perform their job functions.
  • Awareness and Training. Easy access to awareness education for personnel and partners on reducing cybersecurity risk. Such training empowers your team to perform their information security-based responsibilities pursuant to the organization’s policies, procedures, and agreements.
  • Data Security. Management of the company’s sensitive data by the business’s risk management strategy developed to protect the integrity, confidentiality, and availability of vital information.
  • Information Protection Processes & Procedures. This refers to security policies, procedures, and processes maintained and used for protecting data, such as the organization’s information assets and systems.
  • Maintenance. Performed following the organization’s policies and procedures; maintenance also includes any necessary repairs of the industrial control and information system components.
  • Protective Technology. Utilize a mixture of manual and automated tools to ensure optimal security and resilience of your systems and assets.

This pillar aims to determine how current cybersecurity policies protect your organization and any potential points for improvement.


Speed matters when it comes to threat mitigation. Detection defines the requisite to identify the occurrence of a cybersecurity event.

This NIST CSF function secures the timely discovery of a cybersecurity event. The following categories support the quick detection of dangerous cybersecurity events on the horizon so that the proper response can be implemented.

  • Anomalies and Events. Ensuring that all anomalies and cybersecurity activities are detected as quickly as possible. This category requires you and your I.T. team to detect and understand each event. You need to define “detection promptly” according to any relevant regulations or compliance obligations for your organization and the responsibility owed to stakeholders.
  • Security Continuous Monitoring. Monitoring your assets and information in real-time or at defined intervals allows you to identify cybersecurity events and ensure the effectiveness of protective measures for the network and physical activities.
  • Detection Processes. Proper maintenance of detection systems ensures their readiness at all times to provide reliable awareness of detected anomalous events.

The faster and more effective the detection processes established, the more likely risks would cause damage to the organization’s integrity.

Compliance questions? Get answers!

Book a free 30-minute consultation with a specialist to find your path to compliance. Secure your spot today.



This function supports the ability to contain the negative impact of any cybersecurity event. Response covers all activities that you may use to take action once a cybersecurity incident is detected.

To do this, your organization must create a detailed response plan and analyze the effectiveness of the response following actual cybersecurity events. The five categories encompassed in this function are:

  • Response Planning. Allows timely response to detected cybersecurity events by well-maintained and properly executed processes and procedures.
  • Communications. Response activities regarding communications between your organization and your internal and external stakeholders. There are times when such occurrences may include the need to communicate with law enforcement agencies depending upon the sensitive data your organization is holding.
  • Analysis. Reviews are done during response activities to ensure the correct process is followed and support recovery activities.
  • Mitigation. Activities performed to prevent the expansion of a cybersecurity event while mitigating its effects and neutralizing or eradicating the event.
  • Improvements. Each time an organization works through response activities, new opportunities exist to strengthen the process by incorporating lessons learned through detection and response. Your team should review what worked and didn’t and update your response plan accordingly.

To create a complete response program, your team must be able to identify all sources of risks and understand their nature. Through this process, you can take appropriate safeguards for your cybersecurity.


Getting back to business as usual is a top priority. To streamline and speed up recovery, developing a plan is crucial before you need it. This function offers a chance to identify the best activities for organizational resilience.

This fundamental step entails recovering lost data, restoring impaired capacities, and ensuring everything functions as intended. All steps required to restore normal functions most efficiently must be performed.

Following are the three essential categories within the recover function:

  • Recovery Planning. Organize recovery processes and procedures according to priority. The actions most critical to protecting systems and assets should be placed at the beginning of the plan. During the recovery, your team should be able to move from the highest priority down the list to accomplish tasks quickly.
  • Improvements. After the systems run again, your organization should review the event and note important lessons learned. The recovery plan should then be updated to reflect what you’ve learned.
  • Communications. To restore activities, it’s important to coordinate with internal and external parties. Such parties may include internet service providers, victims, vendors, owners of attacking systems and coordinating centers.

As part of this framework component, your team must have a particular evaluation method to determine if the recovery function is performing as intended.

Is Your System NIST-Compliant?

Do you want to know if your company needs a comprehensive assessment? Use our free compliance checker tool and allow us to help you determine which audit program your operations require.


How Can You Implement the NIST CSF in Your Organization?

The NIST CSF is a systematic cybersecurity program. As such, its five core functions act as step-by-step instructions that will help you better understand and lay out plans for your organization.

Each step allows organizations to assess which assets require the most attention and decide the most appropriate protective measures. All steps must be carefully considered in implementing this cybersecurity framework as they work synergistically.

Use a checklist where applicable to ensure that all areas of your security system are covered.

The NIST CSF is a living document requiring constant attention for improvement to become effective. Each area must be regularly updated to ensure the holistic protection of all assets.

The Latest NIST CSF Update and Its Impact on Businesses

Upon entering office, President Trump and his administration recognized that, while the NIST CSF’s original release was helping, it could become even more effective for businesses. In May 2017, the President signed a second executive order to provide the necessary updates to take NIST CSF to the next level, turning the Framework created by the Obama administration into a full-fledged federal government policy.

On April 16, 2018, the resulting update was released and titled Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. This new version reinforces the original intent of the CSF as a framework developed to benefit companies of every size, industry, and type. If you’re interested in learning about the future updates of this framework, you can read our detailed article on the proposed NIST 2.0.

The CSF Version 1.1 augments cybersecurity communication within organizations and with other organizations that may include vendors, partners, regulators, and auditors.

Most importantly, these updates fit in seamlessly with the original Framework. It is meant to benefit current framework users and businesses newly adopting and implementing the Framework.

five pillars of the nist cybersecurity framework

6-Point Summary of the Latest NIST CSF Update

The NIST CSF update aims to add clarity and guidance to its users. Still, it also adds additional requirements to help users tighten up their best practices in assessing and managing cybersecurity risks.

Let’s look at each of the six new updates to the Framework to learn more about how they can boost your organization’s cybersecurity efforts.

1. The Clarification of Terms Like “Compliance”

Framework stakeholders may not always understand the precise definition of terms like “compliance” and may need additional clarification to determine the context. The NIST CSF update has added clarity, highlighting that the Framework has its specific structure and language to organize and express compliance with a company’s cybersecurity requirements. Further, the update allows each organization to establish measures for meeting NIST CSF compliance.

2. The Addition of Section 4.0 for Self-Assessment Guidance

The newly added Section 4.0, entitled “Self-Assessing Cybersecurity Risk with the Framework,” lays out how companies can now use the Framework to understand and assess their organization’s cybersecurity risk, including using the business’s established measurements.

3. The Enhancement of Cyber Supply Chain Risk Management

Expanding on Section 3.3, “Communicating Cybersecurity Requirements with Stakeholders,” provides a better understanding of Cyber Supply Chain Risk Management (SCRM). Section 3.4, entitled “Buying Decisions,” features the value of using the Framework to understand all risks associated with commercial off-the-shelf (COTS) products and services.

The update also provides new Cyber SCRM criteria for the framework implementation tiers.

4. Strategies and Refinements to Better Account for Authorization, Authentication and Identity Proofing

The NIST CSF update provides a more specific and refined language in the Access Control Category by adding one Subcategory each for Authentication and Identity Proofing. The new name, Identity Management and Access Control (PR.AC), better represents the scope of the category and each associated Subcategory.

5. The Improved Explanation of the Relationship Between Implementation Tiers and Profiles Added

The 2018 update also explains the relationship between Profiles Added and the Implementation Tiers better. With language added to Section 3.2, entitled “Establishing or Improving a Cybersecurity Program,” when using Framework Tiers in Framework implementation, the update better reflects the integration of all Framework considerations within the context of the business’s risk management programs.

6. The Considerations Regarding Coordinated Vulnerability Disclosure

This new Subcategory was added to address concerns over the vulnerability disclosure lifecycle.

To date, talks about updating the NIST CSF to version 2.0 are in the works. Learn more about this here.

How Will the 2018 NIST CSF Updates Affect Your Organization?

The NIST CSF update is meant to guide you further and assist you and your I.T. team in your cybersecurity efforts. The update and the original Framework are scalable to work within your organization and your unique system’s specifications to assess and minimize cybersecurity risks.

In 2019, the NIST released a supplementary document, The Roadmap for Improving Critical Infrastructure Cybersecurity, to assist you in further achieving your goals of optimal cybersecurity.

Let Experts Guide You to NIST CSF Compliance Effortlessly

Knowing more about the NIST Cybersecurity Framework, you can review your organization’s posturing with a critical eye and make changes that deliver powerful protection from cyber threats.

If you are new to implementing the NIST CSF or not confident enough to do a comprehensive job, let our experts from I.S. Partners do the job for you.

Let I.S. Partners assist you with I.T. assurance. We offer cybersecurity assessments modeled on the NIST Cybersecurity Framework. These assessments help you move from being reactive to being proactive.

When your organization has the knowledge and skills to adapt to changing cyber threats, it is only future-ready. Call us at 215-675-1400 or request a quote today.

About The Author

Get started

Get a quote today!

Fill out the form to schedule a free, 30-minute consultation with a senior-level compliance expert today!

Analysis of your compliance needs
Timeline, cost, and pricing breakdown
A strategy to keep pace with evolving regulations

Great companies think alike.

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Scroll to Top