The NIST Cybersecurity Framework (NIST CSF) is a set of standards outlining the best practices in cybersecurity. Created by the National Institute of Standards and Technology (NIST), this framework can help your organization measure and manage your cybersecurity risk, while aligning your cybersecurity practices to your organization’s business goals.

NIST manages several other frameworks as well, for example, NIST 800-53 and NIST 800-171, each with varying levels of requirements.

NIST CSF is a voluntary framework and does not require formal certification. Instead, your organization can choose which NIST standards are applicable to your needs, and then add additional standards later as you work to close gaps and improve your cybersecurity.

Your organization may consider adopting NIST CSF to help identify cyber risks and make plans to address them as they relate to your business goals and objectives.

NIST Cybersecurity Framework is made up of three areas: the core, implementation tiers, and profiles.


The NIST CSF core outlines five functions that align directly with the cybersecurity lifecycle: identify, protect, detect, respond, and recover. These functions are the pillars of any cybersecurity framework and are frequently referenced as a baseline within the more formal cybersecurity certifications.

Each of the five core functions has requirements representing 23 categories, with additional subcategories in each.

Would you like to take a closer look at these core functions? Check out our NIST CSF Fundamentals page for an in-depth look.

There are four implementation tiers:

Tier 1: Partial

  • Cybersecurity activities are not directly informed by risk objectives, business requirements, or threat landscape.
  • Activities are ad hoc and reactive.

Tier 2: Risk-Informed

  • Cybersecurity activities are directly informed by your risk objectives, business requirements, or threat landscape.
  • Activities are piecemealed.
    Some risk awareness, but not proactive.

Tier 3: Repeatable

  • Cybersecurity activities are updated when applying risk management processes to your changing business requirements and threat landscape.
  • You’ve implemented these activities throughout your organization.
  • Activities are repeatable in response to cyber events.

Tier 4: Adaptive

  • Cybersecurity activities are built into organizational culture
  • Complete adoption of the NIST CSF framework.
  • You can respond to cyber events as they happen.
  • You take proactive steps to detect issues.
  • You can respond to threats based on trends and other relevant risk information.

The NIST CSF Profile

The final NIST CSF component is the profile, essentially a cybersecurity self-audit which helps you align your objectives, goals, risk appetite, and resources to a CSF score. You begin by creating a profile before implementing the new framework. From there, you will evaluate your current profile compared to your target profile (how mature you want your cybersecurity program to be) and apply additional elements from the CSF to close those gaps.

While NIST CSF got its start as a risk-based framework for organizations dealing with critical infrastructure in the United States, today it is one of the most highly implemented security frameworks worldwide for both government and the private sector.

If you’d like to implement the NIST Cybersecurity Framework in your organization or would like to raise your CSF profile to a higher level, contact CBM for a consultation. Our cybersecurity experts will help you identify which elements of the CSF will cover your needs.