The NIST Cybersecurity Framework (CSF) is a voluntary set of standards, guidelines and best practices developed by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce. Its purpose is to help both government and private-sector organizations improve their security posture by formalizing how cybersecurity risks are documented, prioritized and managed.
Version 1.1 of the framework, released on April 16, 2018, better explains how the CSF can be used within an organization to understand and assess cybersecurity risk, and adds guidance on self-assessment and on managing risk in the supply chain. It also makes clear that the framework itself IS NOT a certification standard: it is intended to be paired with other frameworks and/or certifiable control sets (such as NIST SP 800-171) to achieve the outcomes an organization selects.
The NIST Cybersecurity Framework includes three primary components:
- Core: The Framework Core defines the desired cybersecurity activities and outcomes, organized into five Functions (Identify, Protect, Detect, Respond, Recover), each broken down into Categories and Subcategories and mapped to Informative References such as NIST SP 800-53, ISO/IEC 27001 and CIS Controls.
- Implementation Tiers: The four Tiers (Partial, Risk Informed, Repeatable, Adaptive) describe how rigorously an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework, and how well they are integrated into its overall risk management strategy. Tiers are not maturity levels and do not imply that every organization should aim for Tier 4.
- Profiles: A Framework Profile is the organization's own selection of Core outcomes, aligned to its business requirements, risk tolerance and resources. Comparing a "Current" Profile with a "Target" Profile exposes the gaps that drive the improvement plan.
Taken together, the components of the NIST Cybersecurity Framework provide a flexible, cost-effective starting point for cybersecurity risk awareness, analysis and improvement initiatives. They also serve as a common starting point for achieving compliance with specific cybersecurity standards (such as NIST SP 800-171) within an organization, or across an organization's entire supply chain (Supply Chain Risk Management). Visit the CyberSecurity Services section of our website for more information about the NIST Cybersecurity Framework and our NIST 800-171 Compliance Program.