Compass IT Compliance Blog

What is the NIST Cybersecurity Framework?

Jun 15, 2017 11:33:27 AM | Geoff Yeagley | Cybersecurity, NIST


One of the most common questions that we get here at Compass is "What is an IT Security Framework?" This is a great question, as folks sometimes confuse the various frameworks with the compliance requirements or regulations they must adhere to based on their business. A framework is not itself a regulation; it is a structure you use to organize and measure your security program, and it can be used to meet many different regulatory requirements. If you look up just the word "framework," you will get a definition that uses words like support and structure. When it comes to Information Security Frameworks, the fundamental definition is the same. According to Joe Granneman from TechTarget, an IT Security Framework is:

“A series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls.”

Think of this like a house. When you build a house, you "frame" out all the walls, divide the rooms, and provide the base layer of support for the house. When it comes to Information Security, the framework essentially tells your organization how to build your overall information security program to help mitigate your risk. There are a number of different frameworks to choose from based on your business. However, for the purposes of this blog post we will look at the NIST Cybersecurity Framework and the 5 key areas within the framework.

NIST stands for the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. In February 2014, NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the NIST Cybersecurity Framework (a draft of version 1.1 is in development currently). The Framework has three parts: the Core, the Implementation Tiers, and the Profiles. This post covers the Core, which outlines 5 "functions" that are divided into a total of 22 "categories" of cybersecurity outcomes. Each category is further broken down into subcategories, and each subcategory maps to specific controls in existing standards such as NIST SP 800-53, ISO/IEC 27001, and COBIT 5. In this blog post, we are going to look at the 5 functions and the categories contained underneath each function. So, without further ado, let's get to the core of the framework:

  1. Identify – According to the NIST Cybersecurity Framework, the goal of the Identify function is to "Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities." Categories contained within the Identify function are:
    1. Asset Management (ID.AM)
    2. Business Environment (ID.BE)
    3. Governance (ID.GV)
    4. Risk Assessment (ID.RA)
    5. Risk Management Strategy (ID.RM)
  2. Protect – According to NIST, the goal of the Protect function is to "Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services." Categories contained within the Protect function are:
    1. Access Control (PR.AC)
    2. Awareness and Training (PR.AT)
    3. Data Security (PR.DS)
    4. Information Protection Processes and Procedures (PR.IP)
    5. Maintenance (PR.MA)
    6. Protective Technology (PR.PT)
  3. Detect – According to NIST, the goal of the Detect function is to "Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event." Categories contained within the Detect function are:
    1. Anomalies and Events (DE.AE)
    2. Security Continuous Monitoring (DE.CM)
    3. Detection Processes (DE.DP)
  4. Respond – According to NIST, the goal of the Respond function is to "Develop and implement the appropriate activities to take action regarding a detected cybersecurity event." Categories contained within the Respond function are:
    1. Response Planning (RS.RP)
    2. Communications (RS.CO)
    3. Analysis (RS.AN)
    4. Mitigation (RS.MI)
    5. Improvements (RS.IM)
  5. Recover – According to NIST, the goal of the Recover function is to "Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event." Categories contained within the Recover function are:
    1. Recovery Planning (RC.RP)
    2. Improvements (RC.IM)
    3. Communications (RC.CO)

Those are the 5 core functions of the NIST Cybersecurity Framework as well as the categories contained within each function. This is intended to be a very high-level overview of the Framework. Over the next 5 weeks, we will be publishing a series of blog posts that home in on each of the 5 core functions to provide additional information on what the Framework is and how to start thinking about implementing it in your organization. In the meantime, since implementing the NIST Cybersecurity Framework means documenting the policies and procedures behind each of these categories, feel free to download our IT Security Policies ebook for more information on some of the essential IT Security policies that your organization should have in place today. Till next week.


If you have any questions about your specific environment or circumstances, please contact us for more information.


Written by Geoff Yeagley

Geoff is the VP of Marketing for Compass IT Compliance. In this role, Geoff is responsible for the strategic direction and oversight of all Marketing related activities. Geoff has his MBA and holds several HubSpot certifications.