NIST CSF: The NIST CSF components


The National Institute of Standards and Technology (NIST)’s Cybersecurity Security Framework (CSF) consists of three main components. They are:

  • Implementation tiers
  • Framework core
  • Profiles

These CSF components can help both governmental and non-governmental organizations to improve their critical infrastructure cybersecurity. It provides the basic knowledge required to understand the additional online learning pages of the Framework.

According to the White House’s Executive Order – Improving Critical Infrastructure Cybersecurity (2013), “the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” 

This article will serve as a brief but comprehensive overview of all NIST CSF components.

NIST CSF: Implementation tiers

The NIST CSF isn’t designed to be used by every organization as it is. This is because every organization has unique risks, varied risk tolerances and different threats and vulnerabilities that will influence how the guidelines of the framework are implemented. 

Moreover, implementing the NIST CSF in an identical manner will also affect large and small organizations. For example, large businesses may already have various security measures in place that will overlap with those of the framework. Likewise, small organizations may have fewer channels for potential data breaches and their data security processes are at the beginning stage.

In order to meet the varied security requirements of different organizations, NIST CSF implementation tiers elaborate the degree to which their cybersecurity risk management practices exhibit the characteristics described in the NIST CSF. 

The four implementation are listed below:

  1. Tier 1 (Partial)
  2. Tier 2 (Risk-Informed)
  3. Tier 3 (Repeatable)
  4. Tier 4 (Adaptive)

These tiers help organizations consider the appropriate level of rigor (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Fakhar Imam. Read the original post at: