The NIST Cybersecurity Framework (CSF) is the most widely adopted cybersecurity risk management framework in the United States, and increasingly worldwide. Developed by the National Institute of Standards and Technology, it provides a flexible, risk-based approach to managing cybersecurity that can be adapted to any organization size or industry.
π₯ Free Cloud Security Framework Cheat Sheet
Includes NIST CSF core functions, implementation tiers, profiles, and cross-reference to other frameworks.
Download Free PDF βTable of Contents
- NIST CSF Overview
- CSF 1.1 vs CSF 2.0
- The 6 Core Functions
- Implementation Tiers
- Profiles & Gap Analysis
- Categories & Subcategories
- Implementation Steps
- Mapping to Other Frameworks
- Best Practices
NIST CSF Overview
Originally released in 2014 under the title Framework for Improving Critical Infrastructure Cybersecurity, NIST CSF has become the de facto cybersecurity framework for organizations of all sizes. It is voluntary (US federal agencies are required to use it under Executive Order 13800), risk-based, and designed to complement, not replace, existing security programs.
NIST CSF consists of three main components:
- Framework Core: 6 Functions, 22 Categories, and 106 Subcategories that describe cybersecurity outcomes
- Implementation Tiers: 4 tiers describing the degree of rigor and sophistication of risk governance and management
- Profiles: customized alignment of the Framework Core to business requirements (Current and Target Profiles)
CSF 1.1 vs CSF 2.0
NIST CSF 2.0, released in February 2024, introduced significant changes:
| Change | CSF 1.1 | CSF 2.0 |
|---|---|---|
| Core Functions | 5 (Identify through Recover) | 6 (added Govern) |
| Scope | Titled for critical infrastructure, though widely used elsewhere | All organizations, any sector or size |
| Supply Chain | Limited guidance (ID.SC category) | Expanded supply chain risk management (GV.SC category) |
| Governance | Part of Identify function (ID.GV category) | Standalone Govern function |
| Implementation Examples | Not provided | Example activities listed for each subcategory |
| Community Profiles | Informal sector profiles only | Shared community profiles |
The 6 Core Functions
GOVERN (GV): new in CSF 2.0
Establishes cybersecurity governance and risk management strategy. This function ensures cybersecurity is integrated into enterprise-wide risk management and is supported by leadership.
- GV.OC: Organizational Context (mission, stakeholders, legal requirements)
- GV.RM: Risk Management Strategy (risk appetite, risk tolerance)
- GV.RR: Roles, Responsibilities, and Authorities
- GV.PO: Policy (establish and communicate cybersecurity policy)
- GV.OV: Oversight (review and adjust strategy)
- GV.SC: Cybersecurity Supply Chain Risk Management
IDENTIFY (ID)
Develop understanding of your organization to manage cybersecurity risk.
- ID.AM: Asset Management (hardware, software, data, and systems inventory)
- ID.RA: Risk Assessment (identify vulnerabilities, threats, likelihood, impact)
- ID.IM: Improvement (lessons learned, continuous improvement)
PROTECT (PR)
Implement safeguards to ensure delivery of critical services.
- PR.AA: Identity Management, Authentication, and Access Control
- PR.AT: Awareness and Training
- PR.DS: Data Security
- PR.PS: Platform Security (hardening, configuration management)
- PR.IR: Technology Infrastructure Resilience
DETECT (DE)
Develop and implement activities to identify cybersecurity events.
- DE.CM: Continuous Monitoring (network, physical, personnel activity)
- DE.AE: Adverse Event Analysis
RESPOND (RS)
Take action regarding detected cybersecurity incidents.
- RS.MA: Incident Management (triage, escalation, containment)
- RS.AN: Incident Analysis (forensics, root cause)
- RS.CO: Incident Response Reporting and Communication
- RS.MI: Incident Mitigation
RECOVER (RC)
Maintain plans for resilience and restore capabilities after an incident.
- RC.RP: Incident Recovery Plan Execution
- RC.CO: Incident Recovery Communication
Implementation Tiers
| Tier | Name | Risk Management | Integration |
|---|---|---|---|
| 1 | Partial | Ad hoc, reactive | Limited awareness of risks |
| 2 | Risk Informed | Approved but not org-wide | Cyber risk awareness exists |
| 3 | Repeatable | Formal, regularly updated | Org-wide policy and process |
| 4 | Adaptive | Continuous improvement | Adapts based on indicators |

NIST is explicit that Tiers are not maturity levels and that Tier 4 is not a universal goal: moving to a higher Tier is justified only when a cost-benefit analysis shows a feasible reduction in cybersecurity risk. Use the selected Tier to inform the Target Profile, not as a score in itself.
Profiles & Gap Analysis
Profiles are the most practical part of NIST CSF. They allow you to:
- Create a Current Profile: document which subcategories you currently implement and at what level
- Define a Target Profile: set the desired state based on business requirements, risk tolerance, and industry regulations
- Perform Gap Analysis: compare Current vs. Target to identify priorities
- Build an Action Plan: prioritize improvements based on business risk and available resources
Key Categories & Subcategories
NIST CSF 2.0 contains 22 categories and 106 subcategories across the 6 functions. Note that CSF 2.0 numbers subcategories with two digits (ID.AM-01, not the 1.1-style ID.AM-1), which matters when you cross-reference the official informative references. The middle column paraphrases the subcategory outcome; the cloud column is illustrative and not part of the framework. Here are some of the most useful subcategories for cloud environments:
| ID | Subcategory (paraphrased outcome) | Cloud Implementation |
|---|---|---|
| ID.AM-01 | Hardware inventories maintained | Cloud asset discovery (e.g. AWS Config, Azure Resource Graph), CMDB |
| ID.AM-02 | Software, services, and systems inventoried | Resource inventory, container image registry, SBOMs |
| PR.AA-01 | Identities and credentials managed | IAM policies, SSO, joiner/mover/leaver lifecycle |
| PR.AA-03 | Users, services, and hardware authenticated | MFA (FIDO2 keys, authenticator apps), workload identity instead of long-lived keys |
| PR.DS-01 | Data at rest protected | Default server-side encryption (AES-256) with KMS-managed keys |
| PR.DS-02 | Data in transit protected | TLS 1.3, mTLS between services, TLS-only storage policies, VPN |
| DE.CM-01 | Networks monitored for adverse events | VPC Flow Logs, DNS query logs, IDS, SIEM |
| DE.CM-09 | Hardware, software, and runtime environments monitored | CloudTrail and other audit logs, runtime security agents, SIEM |
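Subcategories are outcomes, so the practical work is turning them into checks that produce evidence. As an added example (not from NIST or this page), the script below evaluates four of the subcategories in the table against constructed sample data shaped like AWS API output: a cut-down IAM credential report, two S3 buckets with their default-encryption setting and bucket policy, and two VPCs with their flow-log state. The account IDs, bucket names, and VPC IDs are made up; the TLS-only bucket policy uses the real S3 policy shape (a Deny conditioned on `aws:SecureTransport` being false). It then rolls the per-resource findings up into a Current Profile entry per subcategory.

```python
import csv
import io
import json
from dataclasses import dataclass

# --- Constructed sample inputs, shaped like AWS API output (no real account) ---
# Cut-down IAM credential report; the real report carries more columns.
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false
"""
# Bucket policy that refuses plaintext requests; this is the real S3 policy shape.
TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::logs-prod", "arn:aws:s3:::logs-prod/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})
BUCKETS = [  # default encryption algorithm and bucket policy per bucket
    {"name": "logs-prod", "sse_algorithm": "aws:kms", "policy": TLS_ONLY_POLICY},
    {"name": "scratch", "sse_algorithm": None, "policy": None},
]
VPCS = [{"vpc_id": "vpc-0a1b2c3d", "flow_logs": True},
        {"vpc_id": "vpc-0ffeeddc", "flow_logs": True}]

@dataclass
class Finding:
    subcategory: str  # CSF 2.0 subcategory ID the evidence supports
    resource: str
    passed: bool
    detail: str

def check_pr_aa_03(report_csv: str) -> list[Finding]:
    """PR.AA-03 (users, services and hardware are authenticated): the root account
    and every console-enabled user must have MFA. Key-only users are skipped here;
    they belong under credential management (PR.AA-01), not this check."""
    out = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        if not is_root and row["password_enabled"] != "true":
            continue
        mfa = row["mfa_active"] == "true"
        out.append(Finding("PR.AA-03", row["arn"], mfa,
                           "MFA enabled" if mfa else "console access without MFA"))
    return out

def check_pr_ds_01(buckets) -> list[Finding]:
    """PR.DS-01 (data at rest): default server-side encryption must be configured."""
    return [Finding("PR.DS-01", b["name"], b["sse_algorithm"] in ("AES256", "aws:kms"),
                    f"default SSE: {b['sse_algorithm']}") for b in buckets]

def denies_plaintext(policy_json) -> bool:
    """True if the policy has a Deny statement conditioned on aws:SecureTransport
    being false, i.e. requests over plain HTTP are refused."""
    if not policy_json:
        return False
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):  # a lone statement may appear without a list
        stmts = [stmts]
    for s in stmts:
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if s.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False

def check_pr_ds_02(buckets) -> list[Finding]:
    """PR.DS-02 (data in transit): the bucket policy must deny non-TLS access."""
    return [Finding("PR.DS-02", b["name"], denies_plaintext(b["policy"]),
                    "TLS-only policy present" if denies_plaintext(b["policy"])
                    else "plaintext access allowed") for b in buckets]

def check_de_cm_01(vpcs) -> list[Finding]:
    """DE.CM-01 (networks monitored): every VPC needs flow logs to a collector."""
    return [Finding("DE.CM-01", v["vpc_id"], v["flow_logs"],
                    "flow logs on" if v["flow_logs"] else "no flow logs") for v in vpcs]

def run_all() -> list[Finding]:
    return (check_pr_aa_03(CREDENTIAL_REPORT) + check_pr_ds_01(BUCKETS)
            + check_pr_ds_02(BUCKETS) + check_de_cm_01(VPCS))

def current_profile(findings) -> dict[str, str]:
    """Roll per-resource findings up into a Current Profile entry per subcategory."""
    results: dict[str, list[bool]] = {}
    for f in findings:
        results.setdefault(f.subcategory, []).append(f.passed)
    return {sub: ("implemented" if all(r) else "partial" if any(r) else "not implemented")
            for sub, r in sorted(results.items())}

if __name__ == "__main__":
    findings = run_all()
    for f in findings:
        print(f"{f.subcategory:9} {'PASS' if f.passed else 'FAIL'} {f.resource}: {f.detail}")
    print(current_profile(findings))
```

With the sample data, `bob` fails PR.AA-03, the `scratch` bucket fails both PR.DS-01 and PR.DS-02, and both VPCs pass DE.CM-01, so the rolled-up profile reads DE.CM-01 implemented and the other three partial. In a real program the inputs would come from the provider APIs (the credential report, bucket encryption and policy calls, the flow-log listing) and each Finding would be stored as dated evidence for the Current Profile.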
Implementation Steps
- Step 1: Prioritize and Scope. Define business objectives and the scope of the NIST CSF implementation
- Step 2: Orient. Identify related systems, assets, regulatory requirements, and the threat landscape
- Step 3: Create a Current Profile. Assess existing cybersecurity practices against Framework subcategories
- Step 4: Conduct a Risk Assessment. Analyze threats, vulnerabilities, likelihood, and impact
- Step 5: Create a Target Profile. Define the desired cybersecurity outcomes
- Step 6: Determine Gaps. Compare the Current and Target Profiles
- Step 7: Implement an Action Plan. Prioritize and address gaps based on risk and resources
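Steps 3 through 7, and the Profiles and Gap Analysis section above, reduce to a small computation once the profiles are written down. The script below is an added example, not NIST's method or code from this page: it validates two constructed sample profiles (rejecting 1.1-style IDs such as `PR.AC-7` and off-scale scores), lists every subcategory where the Target Profile exceeds the Current Profile, ranks the gaps by risk weight per unit of effort, and picks the gaps that fit a fixed budget. The 0-4 scoring scale, the risk weights, and the effort estimates are assumptions for illustration; NIST prescribes none of them.

```python
import re
from dataclasses import dataclass

# CSF 2.0 subcategory IDs are Function.Category-NN (two digits), e.g. PR.AA-03.
SUBCAT_RE = re.compile(r"^(GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}$")
# Assumed scoring scale for a profile entry; NIST does not prescribe one.
SCALE = range(0, 5)  # 0 = not implemented ... 4 = fully met and continuously improved

# Constructed sample profiles over an illustrative subset of subcategories.
CURRENT_PROFILE = {"ID.AM-01": 3, "PR.AA-01": 2, "PR.AA-03": 1,
                   "PR.DS-01": 3, "PR.DS-02": 2, "DE.CM-01": 1}
TARGET_PROFILE = {"ID.AM-01": 3, "PR.AA-01": 3, "PR.AA-03": 4,
                  "PR.DS-01": 3, "PR.DS-02": 3, "DE.CM-01": 3}
# Business-risk weight from the risk assessment (Step 4): 1 = low impact, 5 = critical.
RISK_WEIGHT = {"ID.AM-01": 3, "PR.AA-01": 4, "PR.AA-03": 5,
               "PR.DS-01": 4, "PR.DS-02": 3, "DE.CM-01": 4}
# Estimated person-weeks to close each gap (assumed numbers).
EFFORT_WEEKS = {"PR.AA-01": 6, "PR.AA-03": 2, "PR.DS-02": 3, "DE.CM-01": 4}

@dataclass
class Gap:
    subcategory: str
    current: int
    target: int
    weight: int
    effort_weeks: float

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> float:
        """Risk reduction per unit of effort; anything under a week counts as one."""
        return self.size * self.weight / max(self.effort_weeks, 1)

def validate_profile(profile: dict) -> None:
    """Reject 1.1-style IDs (PR.AC-7), typos, and scores off the scale."""
    bad = [k for k in profile if not SUBCAT_RE.match(k)]
    bad += [f"{k}={v}" for k, v in profile.items() if v not in SCALE]
    if bad:
        raise ValueError(f"invalid profile entries: {bad}")

def gap_analysis(current, target, weights, effort) -> list[Gap]:
    """Step 6: every subcategory where the Target Profile exceeds the Current one,
    ordered by priority. A target with no current assessment is an error, not a
    gap of zero, because an unassessed outcome cannot be scored honestly."""
    for p in (current, target):
        validate_profile(p)
    missing = sorted(set(target) - set(current))
    if missing:
        raise ValueError(f"Current Profile has no assessment for: {missing}")
    gaps = [Gap(sub, current[sub], tgt, weights.get(sub, 1), effort.get(sub, 1))
            for sub, tgt in target.items() if tgt > current[sub]]
    return sorted(gaps, key=lambda g: g.priority, reverse=True)

def action_plan(gaps: list[Gap], budget_weeks: float) -> list[str]:
    """Step 7: greedily take the highest-priority gaps that fit the budget."""
    chosen, spent = [], 0.0
    for g in gaps:
        if spent + g.effort_weeks <= budget_weeks:
            chosen.append(g.subcategory)
            spent += g.effort_weeks
    return chosen

if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHT, EFFORT_WEEKS)
    for g in gaps:
        print(f"{g.subcategory}: {g.current} -> {g.target} (weight {g.weight}, "
              f"{g.effort_weeks} wk, priority {g.priority:.2f})")
    print("This quarter (8 person-weeks):", action_plan(gaps, 8))
```

With the sample numbers the ranking comes out PR.AA-03 (a three-point gap on a critical, cheap control), then DE.CM-01, PR.DS-02, and PR.AA-01, and an 8 person-week budget funds the first two. The point of the weighting is that a gap's size alone is a poor ordering: PR.AA-01 has the same one-point gap as PR.DS-02 but lands last because it is the most expensive to close.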
Mapping to Other Frameworks
The table below is a function-level approximation for orientation only. For audit work use subcategory-level mappings: NIST publishes the CSF 2.0 informative references (ISO/IEC 27001, CIS Controls, SP 800-53, and others) online rather than in the framework document itself.
| NIST CSF Function | ISO 27001:2022 | CIS Controls v8 | SOC 2 (Trust Services Criteria) |
|---|---|---|---|
| Govern | Clauses 4-7, 9-10 | CIS 15 | CC1.x, CC9.2 (vendors) |
| Identify | A.5.7, A.5.9-13, A.8.8 | CIS 1, 2, 7 | CC3.x |
| Protect | A.6-8 | CIS 3-6, 9-10, 12, 14, 16 | CC5-6, CC8 |
| Detect | A.8.15-16 | CIS 8, 13 | CC7.1-7.2 |
| Respond | A.5.24-28 | CIS 17 | CC7.3-7.4 |
| Recover | A.5.29-30 | CIS 11 | CC7.5, A1.2-1.3 |
Best Practices
- Start with governance: get leadership buy-in and an agreed risk appetite (GV.RM) before touching technical controls
- Use Community Profiles: leverage pre-built sector profiles as starting points for your Target Profile
- Focus on high-priority gaps: you don't need to implement every subcategory at once; order the work by business risk
- Integrate with existing processes: NIST CSF should complement, not replace, what you already do
- Review at least annually and after major changes (new cloud provider, acquisition, significant incident), updating profiles as the threat landscape and business requirements change
- Map to technical controls: CSF describes outcomes, not how to achieve them, so use CIS Controls or NIST SP 800-53 for specific implementation guidance
π₯ Download the Cloud Security Cheat Sheet
NIST CSF core functions, implementation tiers, and framework cross-reference in a printable PDF.
Download Free PDF β