
NIST Cybersecurity Framework: A cheat sheet for professionals
by Brandon Vigliarolo in Security | on March 5, 2021, 7:30 AM PST

The US National Institute of Standards and Technology's framework defines federal policy, but it can be used by private enterprises, too. Here's what you need to know.

The tech world has a problem: Security fragmentation. There’s no standard set of rules for mitigating cyber risk—or even language—used to address the growing threats of hackers, ransomware and stolen data, and the threat to data only continues to grow.

SEE: NIST Cybersecurity Framework: A cheat sheet for professionals (free PDF) (TechRepublic)

President Barack Obama recognized the cyber threat in 2013, which led to his cybersecurity executive order that attempts to standardize practices. President Donald Trump’s 2017 cybersecurity executive order went one step further and made the framework created by Obama’s order into federal government policy.

The framework isn’t just for government use, though: It can be adapted to businesses of any size.

TechRepublic’s cheat sheet about the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is a quick introduction to this new government recommended best practice, as well as a “living” guide that will be updated periodically to reflect changes to the NIST’s documentation.

SEE: All of TechRepublic’s cheat sheets and smart person’s guides

Executive summary
What is the NIST Cybersecurity Framework? The NIST CSF is a set of optional standards, best practices, and recommendations for improving cybersecurity and risk management at the organizational level. NIST wrote the CSF at the behest of Obama in 2014.
Why does the NIST Cybersecurity Framework matter? As cyberattacks become more complex, repelling them becomes more difficult, especially without a single cohesive strategy for information security and private sector organizations. The CSF aims to standardize practices to ensure uniform protection of all US cyber assets.
Who does the NIST Cybersecurity Framework affect? The CSF affects anyone who makes decisions about cybersecurity and cybersecurity risks in their organizations, and those responsible for implementing new IT policies.
When is the NIST Cybersecurity Framework happening? Obama called for the creation of the CSF in an executive order issued in 2013, and NIST released the guidelines a year later. Trump’s 2017 cybersecurity executive order made it federal government policy, and in 2018 NIST released an updated version of the CSF, version 1.1.
How can I implement the NIST Cybersecurity Framework? NIST has thorough documentation of the CSF on its website, along with links to FAQs, industry resources and other information necessary to ease enterprise transition into a CSF world.
SEE: Governments and nation states are now officially training for cyberwarfare: An inside look (PDF download) (TechRepublic)

What is the NIST Cybersecurity Framework?
Obama signed Executive Order 13636 in 2013, titled Improving Critical Infrastructure Cybersecurity, which set the stage for the NIST Cybersecurity Framework that was released in 2014. The CSF’s goal is to create a common language, set of standards and easily executable series of goals for improving cybersecurity and limiting cybersecurity risk.

The CSF standards are completely optional—there’s no penalty to organizations that don’t wish to follow its standards. That doesn’t mean it isn’t an ideal jumping off point, though—it was created with scalability and gradual implementation in mind, so any business can benefit, improve its security practices and prevent a cybersecurity event.

The framework itself is divided into three components: Core, implementation tiers, and profiles.

SEE: Why ransomware has become such a huge problem for businesses (TechRepublic)

Framework core
The core is “a set of activities to achieve specific cybersecurity outcomes, and
references examples of guidance to achieve those outcomes.” It is further
broken down into four elements: Functions, categories, subcategories and
informative references.

Functions: There are five functions used to organize cybersecurity
efforts at the most basic level: Identify, protect, detect, respond and
recover. Together these five functions form a top-level approach to
securing systems and responding to threats—think of them as your
basic incident management tasks.
Categories: Each function contains categories used to identify
specific tasks or challenges within it. For example, the protect
function could include access control, regular software updates and
anti-malware programs.
Subcategories: These are further divisions of categories with
specific objectives. The regular software updates category could be
divided into tasks like making sure wake on LAN is active, that
Windows updates are configured properly and manually updating
machines that are missed.
Informative references: Documentation, steps for execution,
standards and other guidelines would fall into this category. A prime
example in the manual Windows update category would be a
document outlining steps to manually update Windows PCs.
SEE: Ransomware attack: Why a small business paid the $150,000
ransom (TechRepublic)

Implementation tiers
There are four tiers of implementation, and while CSF documents don’t
consider them maturity levels, the higher tiers are considered more complete
implementation of CSF standards for protecting critical infrastructure.

Tier 1: Called partial implementation, organizations at Tier 1 have an
ad-hoc and reactive cybersecurity posture to protect their data.
They have little awareness of organizational cybersecurity risk and
any plans implemented are often done inconsistently.
Tier 2: Cybersecurity risk-informed organizations may be approving
cybersecurity measures, but implementation is still piecemeal. They
are aware of risks, have plans and have the proper resources to
protect themselves from data breach but haven’t quite gotten to a
proactive point.
Tier 3: The third tier is called repeatable, meaning that an
organization has implemented CSF standards company-wide and
is able to repeatedly respond to cyber crises. Policy is consistently
applied, and employees are informed of risks.
Tier 4: Called adaptive, this tier indicates total adoption of the CSF.
Adaptive organizations aren’t just prepared to respond to cyber
threats—they proactively detect threats and predict issues based on
current trends and their IT architecture.

Profiles
Profiles are both outlines of an organization’s current cybersecurity status and
roadmaps toward CSF goals for protecting critical infrastructure. NIST said
having multiple profiles—both current and goal—can help an organization find
weak spots in its cybersecurity implementations and make moving from lower
to higher tiers easier.

Profiles also help connect the functions, categories and subcategories to
business requirements, risk tolerance and resources of the larger organization
it serves. Think of profiles as an executive summary of everything done with
the previous three elements of the CSF.

Additional resources

How to choose the right cybersecurity framework (TechRepublic)
Microsoft and NIST partner to create enterprise patching
guide (ZDNet)
Microsoft says SolarWinds hackers downloaded some Azure,
Exchange, and Intune source code (ZDNet)
11+ security questions to consider during an IT risk assessment
(TechRepublic)
Kia outage may be the result of ransomware (TechRepublic)
Information security incident reporting policy (TechRepublic
Premium)

Why does the NIST Cybersecurity Framework matter?
The cybersecurity world is incredibly fragmented despite its ever-growing importance to daily business operations. Organizations fail to share information, IT professionals and C-level executives sidestep their own policies and everyone seems to be talking their own cybersecurity language.

NIST’s goal with the creation of the CSF is to help eliminate the chaotic cybersecurity landscape we find ourselves in, and it couldn’t matter more at this point in the history of the digital world.

Cybersecurity threats and data breaches continue to increase, the latest disasters seemingly come out of nowhere, and the reason we’re constantly caught off guard is simple: There’s no cohesive framework tying the cybersecurity world together.

As time passes and the needs of organizations change, NIST plans to
continually update the CSF to keep it relevant. Updates to the CSF happen as
part of NIST’s annual conference on the CSF and take into account feedback
from industry representatives, via email and through requests for comments
and requests for information NIST sends to large organizations.

“If NIST learns that industry is not prepared for a new update, or sufficient
features have not been identified to warrant an update, NIST continues to
collect comments and suggestions for feature enhancement, bringing those
topics to the annual Cybersecurity Risk Management Conference for
discussion, until such a time that an update is warranted,” NIST said.

Additional resources

Ransomware: The smart person’s guide (TechRepublic)
Zero day exploits: The smart person’s guide (TechRepublic)
Cyberwar: The smart person’s guide (TechRepublic)
FBI, CISA: Russian hackers breached US government networks,
exfiltrated data (ZDNet)
Cybersecurity: Even the professionals spill their data secrets –
Video (ZDNet)
Study finds cybersecurity pros are hiding breaches, bypassing
protocols, and paying ransoms (TechRepublic)
4 questions businesses should be asking about cybersecurity
attacks (TechRepublic)
10 fastest-growing cybersecurity skills to learn in 2021 (TechRepublic)

Who does the NIST Cybersecurity Framework affect?
The CSF affects literally everyone who touches a computer for business. IT
teams and CXOs are responsible for implementing it; regular employees are
responsible for following their organization’s security standards; and business
leaders are responsible for empowering their security teams to protect their
critical infrastructure.

The degree to which the CSF will affect the average person won’t lessen with
time either, at least not until it sees widespread implementation and becomes
the new standard in cybersecurity planning.

If it seems like a headache, it’s best to confront it now: Ignoring the NIST’s
recommendations will only lead to liability down the road with a cybersecurity
event that could have easily been avoided. Embrace the growing pains as a
positive step in the future of your organization.

Additional resources

Risk management tips from the SBA and NIST every small-business
owner should read (TechRepublic)
NIST’s Cybersecurity Framework offers small businesses a vital
information security toolset (TechRepublic)
IBM’s 2020 Cost of Data Breach report: What it all means –
Video (ZDNet)
DHS CISA and FBI share list of top 10 most exploited
vulnerabilities (ZDNet)
Can your organization obtain reasonable cybersecurity? Yes, and
here’s how (TechRepublic)
Kroger data breach highlights urgent need to replace legacy, end-of-life tools (TechRepublic)
DevSecOps: What it is and how it can help you innovate in
cybersecurity (ZDNet)

When is the NIST Cybersecurity Framework happening?
President Obama instructed the NIST to develop the CSF in 2013, and the CSF
was officially issued in 2014. President Trump’s cybersecurity executive order
signed on May 11, 2017 formalized the CSF as the standard to which all
government IT is held and gave agency heads 90 days to prepare
implementation plans.

Private sector organizations still have the option to implement the CSF to
protect their data—the government hasn’t made it a requirement for anyone
operating outside the federal government.

In 2018, the first major update to the CSF, version 1.1, was released. Most of the
changes came in the form of clarifications and expanded definitions, though
one major change came in the form of a fourth section designed to help
cybersecurity leaders use the CSF as a tool for self-assessing current risks. 

While brief, section 4.0 describes the outcomes of using the framework for
self-assessment, breaking it down into five key goals:

Examining organizational cybersecurity to determine which target
implementation tiers are selected,
Determining current implementation tiers and using that knowledge
to evaluate the current organizational approach to cybersecurity,
Establishing outcome goals by developing target profiles,
Assessing current profiles to determine which specific steps can be
taken to achieve desired goals,
Using the CSF’s informative references to determine the degree of
controls, catalogs and technical guidance implementation.
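
The five self-assessment goals above, together with the Framework core, implementation tiers and profiles described earlier, can be exercised on sample data. The following is an added example, not NIST's or TechRepublic's code: it models a small excerpt of the core (the Protect categories follow the article's own examples; the Detect category is constructed), orders the four tiers so they can be compared, and runs a gap analysis between a current and a target profile, listing the unmet subcategories per function with the informative references that apply. All identifiers, outcome wording, reference titles and profile contents are constructed for illustration and are not the CSF's own identifiers.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """The four implementation tiers, ordered so profiles can be compared."""
    PARTIAL = 1
    RISK_INFORMED = 2
    REPEATABLE = 3
    ADAPTIVE = 4


@dataclass(frozen=True)
class Subcategory:
    ident: str              # constructed slug, not a CSF identifier
    outcome: str            # the specific objective of the subcategory
    refs: tuple             # informative references (constructed titles)


# Core excerpt: function -> category -> subcategories (constructed data).
CORE = {
    "Protect": {
        "Access control": (
            Subcategory("pr-ac-least-priv", "Admin rights limited to named roles",
                        ("Internal access-control standard",)),
            Subcategory("pr-ac-mfa", "MFA required for remote access",
                        ("Internal remote-access procedure",)),
        ),
        "Regular software updates": (
            Subcategory("pr-su-wol", "Wake on LAN active on managed PCs",
                        ("WoL configuration guide",)),
            Subcategory("pr-su-wu", "Windows Update configured centrally",
                        ("Update policy", "Manual Windows update steps")),
            Subcategory("pr-su-manual", "Missed machines updated manually",
                        ("Manual Windows update steps",)),
        ),
        "Anti-malware": (
            Subcategory("pr-am-deployed", "Anti-malware on every endpoint",
                        ("Endpoint protection baseline",)),
        ),
    },
    "Detect": {
        "Monitoring": (
            Subcategory("de-mon-logs", "Security logs collected and reviewed",
                        ("Log management procedure",)),
        ),
    },
}


@dataclass
class Profile:
    """A current or target profile: a tier plus the subcategories it meets."""
    name: str
    tier: Tier
    met: frozenset          # identifiers of subcategories achieved or targeted


def all_subcategories(core=CORE):
    """Index every subcategory identifier to its (function, category, object)."""
    return {sub.ident: (fn, cat, sub)
            for fn, cats in core.items()
            for cat, subs in cats.items()
            for sub in subs}


def gap_analysis(current, target, core=CORE):
    """Outcomes the target profile requires that the current profile lacks,
    grouped by function; each entry carries its informative references."""
    index = all_subcategories(core)
    unknown = (current.met | target.met) - index.keys()
    if unknown:  # a profile referring to outcomes the core does not define
        raise ValueError(f"unknown subcategories: {sorted(unknown)}")
    gaps = {}
    for ident in sorted(target.met - current.met):
        fn, cat, sub = index[ident]
        gaps.setdefault(fn, []).append((cat, sub.outcome, sub.refs))
    return gaps


def coverage(profile, core=CORE):
    """Fraction of the core's subcategories a profile meets, per function."""
    out = {}
    for fn, cats in core.items():
        idents = [s.ident for subs in cats.values() for s in subs]
        out[fn] = sum(i in profile.met for i in idents) / len(idents)
    return out


def tier_delta(current, target):
    """Tiers the organization must climb (negative if the target is lower)."""
    return int(target.tier) - int(current.tier)


# Constructed sample profiles for one organization.
CURRENT = Profile("current", Tier.RISK_INFORMED,
                  frozenset({"pr-ac-mfa", "pr-am-deployed", "pr-su-wu"}))
TARGET = Profile("target", Tier.REPEATABLE,
                 frozenset({"pr-ac-least-priv", "pr-ac-mfa", "pr-am-deployed",
                            "pr-su-wu", "pr-su-wol", "pr-su-manual",
                            "de-mon-logs"}))

if __name__ == "__main__":
    print("tiers to climb:", tier_delta(CURRENT, TARGET))
    for fn, items in gap_analysis(CURRENT, TARGET).items():
        print(fn)
        for cat, outcome, refs in items:
            print(f"  [{cat}] {outcome}  <- {', '.join(refs)}")
```

The gap list is the "specific steps" output of the fourth goal, and the references attached to each gap are what the fifth goal asks for; keeping the tier separate from the profile mirrors the article's point that tiers are not maturity levels, so a profile can widen its coverage without changing tier.
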

Additional resources

Expert: Manpower is a huge cybersecurity issue in 2021 (TechRepublic)
Ransomware threats to watch for in 2021 include crimeware-as-a-service (TechRepublic)
This cybersecurity threat costs business millions. And it’s the one
they often forget about (ZDNet)
How will cybersecurity change with a new US president? Pros
identify the biggest needs (TechRepublic)
How the coronavirus outbreak will affect cybersecurity in 2021
(TechRepublic)

How can I implement the NIST Cybersecurity Framework?
The NIST’s Framework website is full of resources to help IT decision-makers
begin the implementation process. It contains the full text of the framework,
FAQs, reference tools, online learning modules and even videos of
cybersecurity professionals talking about how the CSF has affected them.

Of particular interest to IT decision-makers and security professionals is the
industry resources page, where you’ll find case studies, implementation
guidelines, and documents from various government and non-governmental
organizations detailing how they’ve implemented or incorporated the CSF into
their structure.

There’s no better time than now to implement the CSF: It’s still relatively new, it
can improve the security posture of organizations large and small, and it could
position you as a leader in forward-looking cybersecurity practices and
prevent a catastrophic cybersecurity event.

Additional resources

Guidelines for building security policies (TechRepublic Premium)
Free cybersecurity tool aims to help smaller businesses stay safer online (ZDNet)
2020 sees huge increase in records exposed in data
breaches (TechRepublic)
Three baseline IT security tips for small businesses (TechRepublic)
Ransomware attack: How a nuisance became a global threat
(ZDNet)
Cybersecurity needs to be proactive with involvement from
business leaders (TechRepublic)
Video: How to protect your employees from phishing and pretexting
attacks (TechRepublic)
Video: What companies need to know about blended threats and
their impact on IT (TechRepublic)

Image: iStock/monsitj

By Brandon Vigliarolo
Brandon is a Staff Writer for TechRepublic. He's an award-winning feature and how-to writer who previously worked as an
IT professional and served as an MP in the US Army.


© 2022 TechnologyAdvice. All rights reserved.

