The National Institute of Standards and Technology (NIST) Cybersecurity Framework has been touted as a gold-standard framework for managing cybersecurity risk. The NIST CSF comprises three main elements: The Framework Core, Profiles, and Implementation Tiers. The NIST Cybersecurity Framework Core is broken down into five core functions: identify, protect, detect, respond, and recover. These high-level functions are designed to foster communication around cybersecurity activities between technical practitioners and business-side stakeholders, enabling risk related to cyber to roll up into the overall risk management strategy for the organization. While the CSF does not prescribe controls expressly, each of the Framework Functions has a series of categories, subcategories, and informative references nested within it to enable organizations to implement the appropriate capabilities and services to improve the cybersecurity posture of the organization. In this post, we’ll explain the 23 categories within NIST CSF Version 1.1 to help you understand the Framework Core as you begin your journey to implement the CSF.
The Guide to The NIST CSF Categories
NIST charges activities within the identify function to develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The primary activities around the identify function to focus on baselining and gathering information around the information security program. This expands beyond resource allocation (although that is a fundamental element) to include the business context and the related cybersecurity risks associated with the business as it relates to business objectives.
- Asset Management (ID.AM): To what extent are all physical assets (devices and systems), software, communication workflows, external information systems, prioritized resources, and roles relating to cybersecurity documented and inventoried?
- Business Environment (ID.BE): To what extent is the organization’s place in its supply chains and industry sector, business mission, objectives, dependencies on critical resources, and resilience and requirements to support the delivery of critical services established and documented?
- Governance (ID.GV): To what extent is the organization’s cybersecurity policy, roles, responsibilities, legal and regulatory requirements, and governance and risk processes documented and understood?
- Risk Assessment (ID.RA): To what extent is the organization’s asset vulnerabilities identified and documented, threat intelligence received, threats identified and documented along with potential business impacts from said threats, use of threats and impacts used to determine risk, and risks identified and prioritized within the organization?
- Risk Management Strategy (ID.RM): To what extent are risk management decisions established, managed, and agreed to by key stakeholders? How well is the organization’s risk tolerance clearly expressed and understood by leadership? To what extent is risk tolerance informed by the organization’s role in the business ecosystem and sector-specific risks?
- Supply Chain Risk Management (ID.SC): To what extent are vendor management processes established and managed, third parties identified and assessed using those risk management processes, and contracts with third parties used to implement measures to maintain cybersecurity posture?
Following the inventories of the identify function, the next step is to identify the measures that your organization uses to protect and ensure the delivery of critical services. The protect function’s goal is to reduce the impact of a potential cyber event through proactive safeguards to ensure the ongoing achievement of business objectives.
- Identity Management and Access Control (PR.AC): To what extent are identities and credentials managed for authorized devices and users, physical access to assets managed and protected, remote access managed, access permissions and authorizations managed to incorporate principles of least privilege and separation of duties? To what extent is network integrity protected, identities proofed and bound to credentials and asserted in interactions, and users and devices authenticated measured against the risk of the transaction within the organization?
- Awareness and Training (PR.AT): To what extent are all users informed and trained, do privileged users/third-party stakeholders/senior executives/physical and cybersecurity personnel understand their roles and responsibilities within the organization?
- Data Security (PR.DS): To what extent are data-at-rest and data-in-transit protected and assets formally managed throughout the organization's removal/transfers/disposition? To what extent is adequate capacity available, protections against data leaks implemented, integrity mechanisms implemented, development and testing environments kept separate from production environments, and integrity checking mechanisms used to verify hardware integrity (as available) within the organization?
- Information Protection Processes and Procedures (PR.IP): To what extent is there a baseline configuration created and maintained incorporating security principles, a Systems Development Lifecycle implemented, configuration change control processes in place, backups conducted and maintained, policies and regulations met? To what extent are protection processes improved and effectiveness measured, response plans in place and regularly tested, vulnerability management plan developed and implemented, and cybersecurity program included in human resources practices within the organization?
- Maintenance (PR.MA): To what extent are maintenance and repair of organizational assets performed and logged with approved and controlled tools, remote maintenance of organizational assets approved and performed in a manner that prevents unauthorized access within the organization?
- Protective Technology (PR.PT): To what extent are audit logs documented and reviewed, removable media protected and use restricted as necessary, communications and control networks are protected, and mechanisms implemented to achieve resilience requirements in most situations within the organization?
The detect function categories are designed to enable the prompt discovery of a cybersecurity event within the organization.
- Anomalies and Events (DE.AE): To what extent is there a baseline of network operations and expected data flows for users and systems established and managed within the organization? To what extent are detected events analyzed to understand attack targets and methods, event data collected and correlated from multiple sources, the impact of events determined, and incident alert thresholds established within the organization?
- Security and Continuous Monitoring (DE.CM): To what extent is the digital and physical environment monitored to detect potential cybersecurity events, malicious code detected, external service provider activity monitored to detect potential cybersecurity events and monitoring for unauthorized access and vulnerability scans performed within the organization?
- Detection Processes (DE.DP): To what extent are roles and responsibilities for detection well defined to ensure accountability, detection activities comply with all applicable requirements, detection processes tested and continuously improved, and event detection information communicated within the organization?
Arguably the most critical and sellable function to business-side stakeholders, the respond categories support an organization’s ability to mitigate the impact of a cybersecurity incident.
- Response Planning (RS.RP): To what extent is the response plan executed during and/or after an incident?
- Communications (RS.CO): To what extent do personnel know their roles and order of operations when a response is needed are incidents reported, coordination with stakeholders, and information shared based on response plans within the organization.
- Analysis (RS.AN): To what extent are notifications from detection systems investigated, the impact of an incident understood, forensics performed, incidents categorized consistent with response plans, and processes established to receive/analyze/respond to vulnerabilities disclosed to the organization from internal and external sources?
- Mitigation (RS.MI): To what extent are incidents contained and mitigated and newly identified vulnerabilities mitigated or documented as accepted risks within the organization?
- Improvements (RS.IM): To what extent do response plans incorporate lessons learned and updated strategies within the organization?
Most critical to events following a cyber event, the recover categories lay the groundwork and outline activities to maintain plans for resilience following a cybersecurity incident.
- Recovery Planning (RC.RP): To what extent are response plans executed during or after a cybersecurity incident within the organization?
- Improvements (RC.IM): To what extent do recovery plans incorporate lessons learned and response strategies updated within the organization?
- Communications (RC.CO): To what extent are public relations managed and reputation repaired after a cyber incident, and are recovery activities communicated to internal and external stakeholders and executive management teams within the organization?
Where To Go From Here
The NIST CSF categories outline the next layer of granularity under the five functions of the Framework Core. When beginning to outline your NIST CSF implementation strategy, use the categories and these questions to begin thinking about where you stand in the context of the five functions and where to begin. For more on the NIST risk management framework, check out our infographic. Contact us if you have any questions about how the NIST CSF categories work and want to implement a more secure risk management system.