The NIST Cybersecurity Framework (CSF) was first published by the National Institute of Standards and Technology, an agency of the US Department of Commerce, in 2014. It provides a taxonomy and a methodology for proactively managing and reducing cybersecurity risk across an organization's infrastructure. Organizations use the framework in tandem with an assessment of the specific threats and security challenges they face. While compliance with the framework is voluntary, some organizations require that their vendors comply, and regulators, including the Federal Financial Institutions Examination Council (FFIEC), are calling for compliance.
Implementation Categories
The NIST CSF focuses on the business drivers that guide cybersecurity efficacy and treats cybersecurity risk as part of an organization's management processes. The framework is organized into three components: the Core, Profiles, and Implementation Tiers:
- Core – Consists of five (5) main functions: Identify, Protect, Detect, Respond, and Recover, with multiple subcategories addressing cybersecurity outcomes and controls.
- Profile – Typically split into a Current Profile and a Target Profile; defines an organization's baseline security posture and the required target configuration and outcomes, based on an assessment and tailoring of its critical infrastructure and processes.
- Tiers – Help clarify and communicate the degree of cybersecurity implementation across an organization.
(Source: https://www.nist.gov/document-3764, 01/11/2018.)