Skip to Main Content
Main Menu

The National Institute of Standards and Technology (NIST) Cybersecurity Framework

The NIST Cybersecurity Framework 2.0 is a voluntary tool that provides organizations with industry best practices to improve organizational cybersecurity posture and resilience, and to enable organizations to consider cybersecurity risks as part of the organization’s risk management process.

Are you subject to the NIST Cybersecurity Framework?

The application of the NIST Cybersecurity Framework (CSF) is voluntary. Any organization – of varying sizes, level of cybersecurity risk or expertise, and industries – may apply the recommendations provided by the framework.

The CSF is particularly beneficial for individuals responsible for overseeing organizational cybersecurity programs and risk management activities and policies, including:

  • Board of directors;
  • Risk managers;
  • Lawyers;
  • Cybersecurity and risk management auditors; and
  • Cybersecurity policy-makers and regulators.

Key requirements of the NIST CSF

CSF Organizational Profiles

The CSF Profile is a procedure to describe and assess an organization’s current and/or target cybersecurity posture based on its Core cybersecurity outcomes. Organizational Profile helps facilitate continuous improvement of organization’s cybersecurity that may be grounded in Current Profiles and/or Target Profiles, and steps can be taken to achieve this, including:

  • Scoping the Organizational Profile;
  • Gathering information (e.g. risk management policies) needed to prepare the Organizational Profile;
  • Creating the Organizational Profile;
  • Analyzing gaps between Current and Target Profiles;
    Creating and implementing an action plan; and
  • Updating the Organizational Profile.

CSF Tiers

Tiers describe an organization’s benchmark for achieving a certain level of security governance and risk management robustness. There are four Tiers that organizations may strive to achieve, including:

  • Tier 1 (partial);
  • Tier 2 (risk-informed);
  • Tier 3 (repeatable); and
  • Tier 4 (adaptive).

CSF Core

The CSF Core establishes a set of predefined and broad cybersecurity outcomes to help organizations identify and breakdown desired cybersecurity goals intended to be achieved. Cybersecurity outcomes can be arranged by “Functions” – which includes: Govern, Identify, Protect, Detect, Respond, and Recover – and are further broken down into specific “Categories” of outcomes and “Subcategories”.


Mitigating Third-Party Risk: Best Practices for CISOs

Join us for an insightful and informative webinar as we delve into mitigating third-party risks. This webinar will provide essential strategies and best practices to ensure robust security and privacy measures when collaborating with external entities.


  • Are organizations expected to use and apply the CSF?

    The application of the CSF is voluntary and is used by many organizations. In 2017, U.S. federal agencies are mandated to adopt the CSF within federal information systems, in accordance with the Executive Order 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

  • Will my organization receive a certificate for demonstrating compliance with the CSF?

    NIST is not a regulatory agency, and does not issue certificates, endorsements, and/or an assessment program for the implementation of CSF best practices.

  • How should the CSF be applied?

    To reap the full benefits of the CSF, organizations are encouraged to implement the guide throughout its risk management program and/or entire system infrastructure, rather than strictly in its IT department and servers.

  • How can I measure the effectiveness of the CSF in my business operations?

    NIST does not provide a standardized method or tool for measuring effectiveness; alternatively, it is up to the organization to determine the level of success. Organizations should consider:

    • The intended outcomes for applying the CSF (e.g. enhancing cybersecurity management with vendors); and
    • The scope of measuring the effectiveness (e.g. will the entire organization’s IT infrastructure and network servers be evaluated, or only internal policies?).

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top