NIST CSF Categories and Cybersecurity Framework Tiers (Updated 2023)

One of the most useful and versatile frameworks to help organizations manage cybersecurity risk is the Cybersecurity Framework (CSF) from the National Institute of Standards and Technology (NIST). The CSF consists of best practices, standards, and guidelines to manage cybersecurity program risk. They provide a baseline to build your risk management protocols.

This voluntary framework is divided into three primary parts: the framework core, profiles, and tiers. The NIST CSF core comprises five functions, and each function is further broken down into categories and subcategories. There are currently 23 categories and 108 subcategories in the NIST CSF.

Not every organization needs to use all the CSF’s categories and subcategories to manage risk; in fact, probably no organization needs to use them all. Rather, the categories and subcategories are meant as a menu of options, where each company uses the categories and subcategories most relevant to its own operations and risk profile.

What Are the Five Functions of NIST CSF & What Are the NIST CSF 23 Categories?

The five functions of the NIST CSF, and the categories within each major function, are explored in detail below.

Identify function

Purpose: to Identify the risk to critical infrastructure, information systems, people, assets, and data.

1. Asset management. Inventory and manage all company assets, including people. It is also important to understand Bring Your Own Device (BYOD) behavior, as this class of devices generally carries a higher level of risk since the equipment isn’t company owned and secured.
2. Business environment. Understand the company’s mission, why the company exists, who the stakeholders are, and how objectives are accomplished. Understanding the business environment will aid in deciding where cybersecurity program activities are needed and what a potential risk profile looks like.
3. Governance. Manage and monitor the organization through formal procedures, policies, and processes. Proper governance leads to clear communication channels between management and the board, highlighting risk, regulatory compliance, and overall company operations.
4. Risk assessment. Assess and manage risk in the organization. Risk management includes people, processes, and technology, right down to individual assets.
5. Risk management strategy. There is no one size fits all risk strategy. Some organizations are risk-averse, while others tolerate risk better because of the industry vertical or location. Ultimately, a risk management strategy is designed to support operational risk remediation.

Protect function

Purpose: to protect critical services delivery, software development lifecycle (SDLC), and overall engineering of secure information systems.

1. Identity management and access control. Who has access to what? How did those users get the access, and what are they doing with it? Identity management and access control are at the core of how an organization’s employees are authorized to access applications and data. Multi-factor authentication, just-in-time access controls, password management, and single sign-on are all critical supporting technologies for identity management.
2. Awareness and Training. How effective are your security controls if your end users don’t know the security basics? Remember, phishing and spoofing are still the most successful attacks against most organizations. User awareness training is a cost-effective way of mitigating many forms of risk.
3. Data security. The three basics of data security are confidentiality, integrity, and availability. Data should be encrypted and hashed (in transit and at rest) whenever possible, regardless of device type. Rights management is also a good way to protect data, as it verifies the recipient’s identity before access is granted.
4. Policies and procedures. How successful would a security program be without policies and procedures? Policies should address roles, responsibilities, informative references, and coordination between organizational entities.
5. Maintenance. A well-oiled machine keeps running, but one without maintenance will eventually fail. Information protection programs require regular reviews and updates to remain operationally effective.
6. Protective technology. Supporting people and processes with technology assures an organization’s security resilience of information systems and assets.

Detect function

Purpose: to detect the occurrence of cybersecurity events continuously with situational awareness.

1. Anomalies and events. These need to be detected promptly and their effect on your data, systems, and operations must be well understood.
2. Continuous security monitoring. Systems and assets must be continuously monitored to identify events and verify the effectiveness of protective measures.
3. Detection process. Logging, alerting, and reporting must follow a specific detection process that evolves with the emerging threat landscape.

Respond function

Purpose: to respond in the event of cybersecurity events and have a tested contingency plan.

1. Response planning. In a cybersecurity incident, follow processes and procedures.
2. Communications. Coordinate response actions with internal and external stakeholders.
3. Analysis. Verify that response actions and recovery activities function continuously through testing.
4. Mitigation. Actions to take must prevent the event’s expansion and lead to resolution. Safeguards should be in place to assist in the prevention of expansion.
5. Improvements. Incident response actions should be examined for potential process improvements.

Recover function

Purpose: to recover from cybersecurity events and maintain plans to restore capabilities to impacted services.

1. Recovery planning. Recovery processes are similar to carpentry; the saying “measure twice, cut once” applies to procedures focused on restoring information systems or assets affected by an incident.
2. Improvements. Much like other areas of the framework profile, recovery processes should be reviewed for improvement on an ongoing basis.
3. Communications. One of the most important aspects of recovering from an incident is well-defined communication channels. People within the organization should know when an incident has happened and what they should or shouldn’t do in response. People outside the organization should also know how the incident might affect them.

NIST Cybersecurity Framework Tiers

The NIST CSF also contains four “framework implementation tiers” to help a company understand the maturity of its cyber risk program and its overall risk posture. The higher the tier you achieve, the more mature your program is.

Tier 1: Partial

This includes informal practices, limited awareness, and sparse cybersecurity coordination.

• Risk management process. Risk management processes are not formalized, and risk is handled ad hoc and reactively.
• Integrated risk management program. Limited awareness of cybersecurity risk. Any implemented cybersecurity risk management is irregular, and organizational communication is lacking.
• External participation. The organization does not collaborate with other entities to better understand the threat landscape.

Tier 2: Risk informed

Management approves the risk management practices, high-level awareness exists, and information is shared and coordinated.

• Risk management process. Management approves practices, but may not be adopted organization-wide. Information security activities are directly applied.
• Integrated risk management program. The organization is aware of cybersecurity risk, but the approach is not well managed. There are some small pockets of cybersecurity objectives and programs.
• External participation. A general understanding of the organization’s role in the larger risk assessment ecosystem exists. Information is available and consumed from external sources but is rarely acted upon.

Tier 3: Repeatable

Formal policies are defined with organizational-wide awareness, implemented processes, and regular formal coordination.

• Risk management process. Risk management is formally approved and expressed in policy. Practices are regularly updated and change with business requirements.
• Integrated risk management program. Policies and processes are regularly defined, implemented, and reviewed. Communication is organization-wide.
• External participation. The organization knows where it stands in the threat landscape. External feeds are generally acted upon and baselined.

Tier 4: Adaptive

Adaptive risk management processes include information security as part of the organization’s cybersecurity culture and promote active information sharing.

• Risk management process. Previous and current cyber activities inform cybersecurity practices. The threat landscape is examined and the program adapts based on the weather.
• Integrated risk management program. The organization and cybersecurity are in lockstep. Business units implement best cybersecurity practices as part of the day-to-day business.
• External participation. The organization understands its role in the cyber ecosystem and actively contributes to improving it.

Framework Profiles

Profiles are an organization’s unique alignment of its organizational requirements and objectives, risk tolerance, and resources to achieve the desired outcomes of the Framework Core. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” profile with a “Target” profile.

Implementing profiles allows for prioritization of deployment and remediation of gaps identified during a NIST CSF assessment. The key point to remember about profiles is optimization: you want to use the NIST framework to help the organization improve its cybersecurity, rather than bend your operations to comply with a rigid architecture that doesn’t make sense for your business.

NIST Cybersecurity Framework Core 2.0: What to Expect

To stay ahead of developing cyber threats and new cyberattacks, NIST is updating its Cybersecurity Framework Core to a 2.0 version. This includes incorporating feedback and suggestions from stakeholders and experts across the information security industry to create a stronger, more universal framework.

Business owners and IT professionals can expect modifications from CSF 1.1 (the version used today) that increase clarity, ensure a consistent level of abstraction, and address technology changes for improved national and international cybersecurity. The goal is to make CSF 2.0 easier and more accessible to implement than its 1.1 predecessor, so that CSF 2.0 can endure without major changes for at least a decade.

Manage Cybersecurity Risk with ROAR

With ROAR from RiskOptics, you can keep all your cybersecurity frameworks in one platform, helping you to adapt to growing risks and updated compliance requirements in real time. Maintain standards, share reports, and run regular internal audits all from one place with simple, user-friendly integration. ROAR’s unified contextual insight helps you do more than just see the current cyber risk—it helps you understand it.

Schedule a demo today.