NIST CSF Compliance guide


What is NIST CSF?

The National Institute of Standards and Technology (NIST), a US federal agency, was tasked in 2013 with building a technology-neutral cybersecurity framework (CSF) in collaboration with the private sector. The aim was to protect critical infrastructure from security attacks by developing a cybersecurity framework from existing standards such as ISO/IEC 27001, Federal Information Processing Standards (FIPS), Common Criteria (CC) for Information Technology Security Evaluation, and other industry best practices.

The NIST cybersecurity framework is a collection of voluntary security standards that apply to managing and reducing cybersecurity risks. Organizations can use it to assess their current cybersecurity capabilities, formulate a target security posture, and evaluate their progress towards it. The framework also enhances the ability of an enterprise to communicate potential cybersecurity risks to its internal and external stakeholders.

The cybersecurity principles found in the NIST CSF are written in simple language to help employees at all levels in an organization understand their role in countering security threats. Over time, reduced risk and enhanced resilience make the effortful implementation worthwhile.

Who must comply with NIST CSF?

Complying with the NIST CSF is mandatory for US federal government agencies. Although developed as policy for the US federal agencies, the NIST CSF is also designed to accommodate the various approaches of the global business ecosystem. Thus, the framework can be adopted by organizations from any country, size, and business vertical to strengthen their cybersecurity resilience.

Consequences of NIST CSF non-compliance

Non-compliance with the NIST CSF places organizations that work with federal agencies at risk of being charged under the Federal Acquisition Regulation (FAR) or losing federal contracts. It can also be detrimental to marketing and future contract negotiations, bringing unwarranted lawsuits and negative public sentiment. Furthermore, depending on the governing body, the significance of the data handled, and the potential implications of a breach, the agency might face direct and indirect consequences such as dismissal for negligence, imprisonment, termination of the contract, or dissolution of the concerned department.

NIST CSF requirements for compliance

The NIST CSF is made up of three components that help organizations develop a cybersecurity strategy:

  • Framework core assists organizations with planning cybersecurity activities.
  • Implementation tiers describe the organization's level of cyber risk management and the degree to which the characteristics described in the framework are exhibited.
  • Profiles present the cybersecurity readiness status of an organization at any specified time, thus supporting the organization in planning an implementation roadmap.

NIST CSF functions and categories

The core of the NIST CSF is divided into five functions: identify, protect, detect, respond, and recover. Each of these functions is further divided into categories and subcategories. The NIST CSF core is made up of 23 categories and 108 subcategories, which reinforce the comprehensive approach recommended by the framework.


Identify

The identify function of the NIST CSF establishes the foundational attributes that influence the direction of cybersecurity-related actions. This function focuses on thorough documentation of what the organization must protect, on the network and along the operational pipeline: systems, people, assets, data, and capabilities.

The Identify function consists of six categories:

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
  • Supply Chain Risk Management


Protect

The protect function of the NIST CSF serves the goal of defending the most critical assets from increasingly sophisticated cybersecurity threats. By limiting or containing the impact radius of a potential cybersecurity threat, the protect function ensures the continued availability of critical services.

The protect function consists of six categories:

  • Awareness and Training
  • Data Security
  • Maintenance
  • Protective Technology
  • Information Protection Processes and Procedures
  • Identity Management and Access Control (IAM)


Detect

The detect function of the NIST CSF necessitates the deployment of monitoring systems and practices to effectively spot cybersecurity events. It involves the use of intrusion detection systems that notify or block unusual network activities.

The detect function consists of three categories:

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes


Respond

The respond function of the NIST CSF counters a cybersecurity event by containing and mitigating the effects of the attack. This is carried out by implementing response action plans and setting up response teams based on the identified threats.

The respond function consists of five categories:

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements


Recover

The recover function of the NIST CSF orients the organization toward timely recovery and resumption of business operations. This helps in planning alternate strategies for continued business operations and reducing the impact of a cyberattack.

The recover function consists of three categories:

  • Recovery Planning
  • Improvements
  • Communications

Implementation Tiers

The NIST CSF classifies the framework-core implementation into four tiers. This four-tiered model helps the executives evaluate (or rate) the organization’s data security initiatives and determine areas requiring improved measures to line up with the controls defined in the framework core. Additionally, the implementation tiers function as a measure that accommodates every organization’s distinct operating environment, acceptable risk level, financial limitations, and other subjective regulatory requirements.

The four implementation tiers outlined in the NIST cybersecurity framework are as follows.

  • Tier 1 – Partial: Organizations that fall under the partial tier have a limited grasp of the potential cyberthreats. These organizations lack documented processes and proactive measures to handle cyber risks. They tend to deal with cybersecurity events in an ad hoc manner, pushing their employees, customers, and external collaborators into a reactive mode.
  • Tier 2 – Risk informed: Organizations that fall under the risk informed tier have a fragmented security strategy. The decision-makers in these organizations understand specific threats in their environment and implement measures to protect against them. However, they lack a unified approach and a robust governance policy toward risk management.
  • Tier 3 – Repeatable: Organizations that fall under the repeatable tier have strong internal policies and documented procedures to combat cyberthreats. Their defense strategy enables them to respond quickly to incidents and remains repeatable over time. Moreover, they review and update their protection measures as new cyberthreats emerge.
  • Tier 4 – Adaptive: Organizations that fall under the adaptive tier have a comprehensive solution, as recommended by the framework, to protect against cyberthreats. They undertake an integrated approach to cybersecurity protection by implementing policies and procedures that yield an adaptive response to the evolving threat landscape.


Framework Profiles

A framework profile represents the cybersecurity readiness of an organization at a specified time. The profile maps the policies, procedures, and risk appetite of the organization to the controls and guidelines defined by the framework core. Profiles are especially helpful in outlining areas that need increased attention to improve overall risk management. This is accomplished by comparing the organization’s current profile with its target profile. Furthermore, it ensures that all the stakeholders involved understand their role in securing the organization and achieving the target profile. Documenting the profiles and building a roadmap helps in identifying risks and in budget planning.

NIST CSF roadmap

The NIST CSF governance model empowers organizations to handle risk based on its potential impact using a variety of techniques. Organizations can choose to avoid the risk entirely, manage the risk internally, or transfer the risk using managed solutions. This flexibility gives organizations of all sizes the ability to pursue compliance and optimize their approach to cybersecurity.

Understanding and communicating cybersecurity threats and requirements form a key component in implementing the NIST cybersecurity framework. Given the complex, contextualized, and interconnected business relationships, notifying the stakeholders in the supply chain of the risks and measures enhances the overall security.

The target profile of the organization specifies the cybersecurity requirements. Based on these demands, appropriate products and services can be procured to supplement the internal security policies.

NIST CSF best practices: A checklist


Identify

The identify phase involves taking stock of all the devices and systems on the network and establishing the responsibilities of all employees and stakeholders.

  • Asset management: Audit and list the risk profile of systems, assets and personnel.
  • Risk assessment: Identify and validate the potential threats to the organization to inform the strategy.
  • Governance: Regulate the risk and operating environment of the organization by formulating cyber policies and programs.
  • Risk management strategy: Determine the organization's risk tolerance and operational priorities to shape the target roadmap.
  • Business environment: Prescribe the cybersecurity roles by establishing the mission, objectives and long-term goals of the organization and stakeholders.
  • Supply chain risk management: Build a target blueprint for the supply chain by assessing risks and developing a risk management strategy.


Protect

The protect phase requires technical and administrative actions to reduce the risks identified by the organization.

  • Identity management and access control: Administer user access through a strong and efficient access control system, like privileged account management and multi-factor authentication.
  • Awareness and training: Engage employees and all stakeholders in a training program to clarify the standards, guidelines, and policies of the organization.
  • Data security: Implement encryption technologies to protect data at rest and data in motion. Ensure all the devices and permissions are logged.
  • Information protection processes and procedures: Once the responsibilities of different stakeholders are established, formulate a mechanism to enforce the same.
  • Maintenance: Formulate a program that mandates regular maintenance of all data hosting and processing infrastructure.
  • Protective technology: Implement baseline protection measures to resist common cyberthreats. Some of the solutions that perform such tasks are antivirus, anti-spyware, and network security solutions.


Detect

The detect phase shapes the ability of an organization to spot emerging and complex threats in a timely manner.

  • Anomalies and events: Develop and implement tools that detect anomalous user or application behavior.
  • Security continuous monitoring: Use detection and response solutions to monitor all the assets of the organization around the clock.
  • Detection processes: Establish policies and guidelines that supplement threat detection and ensure active participation of employees and key stakeholders.


Respond

The respond phase plays a key role in averting and neutralizing cyberattacks in progress and reducing their impact.

  • Response planning: Manage who authorizes an incident response, along with when and how the plans are maintained and deployed.
  • Communications: Delineate the key responsibilities of the internal event response teams, contracted personnel, third parties, and law enforcement.
  • Analysis: Constitute a program to analyze the incident, support the response team, and contribute to shaping future security policies.
  • Mitigation: Take appropriate actions to reduce the impact of the attack on the organization.
  • Improvements: Formulate a plan to audit the response and improve it based on the lessons learned.


Recover

The recover phase shifts the focus from preventing and managing a threat to addressing the effects of the attack after the event. In addition, it plays an important role in restoring the services damaged by the attack.

  • Recovery planning: Outline the disaster recovery process and associated actions to restore the affected functions and services.
  • Improvements: Audit and analyze the recovery process to determine areas of improvement.
  • Communications: To ensure a smooth recovery, all actions taken by the organization must be communicated to employees and stakeholders according to the responsibilities and privileges assigned to their roles.

NIST CSF: Key subcategories to consider

Each entry below gives the subcategory code and name, the framework's definition for it, and compliance recommendations.

ID.AM (Identify: Asset Management)
Definition: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Compliance recommendations:
  • Asset management is vital in identifying and monitoring those areas where data is accessed and processed.
  • Organizations are required to establish and maintain a list of all the devices used by employees, for both on-premises and cloud platforms.
  • It can help reduce the attack surface by revealing assets that are no longer in use or that require updates.
  • IT inventory management tools can be used to manage this process effectively.

ID.RA (Identify: Risk Assessment)
Definition: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Compliance recommendations:
  • Organizations have to understand the risks that come with their assets in order to manage those risks better and bring them down to acceptable levels.
  • A formal risk assessment methodology should be used periodically to document and analyze all asset vulnerabilities, along with their potential impacts.

PR.AC (Protect: Identity Management, Authentication, and Access Control)
Definition: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
Compliance recommendations:
  • Organizations are required to regulate access to their network and information by implementing authentication systems.
  • Limiting access based on privilege helps reduce the insider threat potential.
  • Identity and access management tools help in managing this process at scale.

PR.DS (Protect: Data Security)
Definition: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
Compliance recommendations:
  • Data, both at rest and in transit, is vulnerable to breaches.
  • The threat of a breach is mitigated by implementing robust access control mechanisms across all information systems.

DE.AE (Detect: Anomalies and Events)
Definition: Anomalous activity is detected and the potential impact of events is understood.
Compliance recommendations:
  • All systems are invariably vulnerable to some form of threat.
  • Intrusion detection and prevention systems need to be implemented to establish a baseline of user activity, perform vulnerability scans, and detect anomalous activities.

DE.CM (Detect: Security Continuous Monitoring)
Definition: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
Compliance recommendations:
  • Organizations must implement a continuous network monitoring solution that detects unauthorized personnel or devices and malicious behavior in both internal and internet-bound traffic.
  • Sustained monitoring and rapid response help in preventing data breaches.

RS.AN (Respond: Analysis)
Definition: Analysis is conducted to ensure effective response and support recovery activities.

The goal of the NIST cybersecurity framework is for organizations to attain an optimal security posture rather than only fulfilling specific controls to meet management goals. This allows organizations to establish a strong security foundation while supplementing compliance with newer regulations as they come into existence. In addition, small and medium businesses find the NIST framework to be an affordable opening into the cybersecurity space. NIST CSF is advantageous for organizations of all sizes, as it:

  • Carries industry recognition and applies to different sectors.
  • Is easy to adopt, while shrinking the effects of successful attacks.
  • Supports regulatory and compliance requirements while strengthening the data protection of the organization.