Understanding the NIST Cybersecurity Framework

Your Complete Guide to NIST CSF Compliance

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework, commonly referred to as NIST CSF, is a set of industry-recognized best practices for cybersecurity. Overseen by the National Institute of Standards and Technology (NIST), the CSF framework creates a foundation from which your organization can measure and manage its cybersecurity risk. Essentially, it’s a way to manage and mitigate cyber threats in a way that supports your overall business goals.

NIST CSF is often used by organizations that operate critical infrastructure as well as other private-sector businesses, but the best practices are applicable to a range of organizations of varying sizes across all industries.

In this NIST CSF knowledgebase, we’ll help you better understand the framework, how it works, how you can put it to use within your organization, its history, and ways it works together with other existing controls you have in place now or want to add to your overall cybersecurity program in the future.

Here’s What You’ll Find:

What is NIST CSF?

NIST CSF is a voluntary cybersecurity framework your organization can use to establish or mature a cybersecurity program.

Your Guide to NIST CSF Compliance

Simplify your NIST CSF strategy with this CSF compliance guide, which includes a framework overview and much more.

Should My Organization be NIST CSF Compliant?

Organizations of all sizes can benefit from implementing best practices outlined within this voluntary cybersecurity framework.

NIST CSF Five Core Functions

NIST CSF’s five core functions align with the cybersecurity lifecycle: identify, protect, detect, respond, and recover.

How to Implement NIST CSF

The NIST Cybersecurity Framework has four implementation tiers that help determine where you are with total CSF compliance.

NIST CSF Profile

By understanding your current security profile, you can build an action plan to mature your program and evolve to your target profile.

Steps for NIST CSF Compliance

There are 23 CSF requirements in total, and a fully compliant organization implements all of them with a proactive approach to security.

Preparing for a NIST CSF Assessment

While CSF compliance is voluntary, you can undergo a CSF assessment to determine which controls work as required and identify gaps.

NIST CSF Blog Bytes

There are increasing risks up and down your supply chain and that’s why supply chain management is part of CSF compliance.

NIST CSF Webinar Snapshots

In addition to CSF, your organization may need to implement other frameworks. How do you know which is right for you?

NIST CSF Frequently Asked Questions

Have questions about the NIST Cybersecurity Framework? This FAQ is a great place to start.

NIST CSF Marketplace

Searching for tools, guidance, and assistance with NIST CSF compliance? Try the NIST CSF Marketplace in CyberXchange.

The Apptega Solution for NIST CSF

See how you can simplify and streamline all of your NIST CSF compliance needs for better security oversight and management with Apptega.

Understanding NIST Cybersecurity Framework Compliance

The National Institute of Standards and Technology (NIST) developed its NIST Cybersecurity Framework (CSF) as a voluntary set of standards your organization can use to manage and mitigate its cyber risks. The framework is made up of standards, guidelines, and other best practices. Because it is voluntary, compliance is not mandated; however, adopting the NIST CSF framework provides a strong foundation to build, implement, manage, and mature your organization’s cybersecurity practices.

The first version of NIST CSF became public in 2014. It was the result of work NIST did with private-sector and government agencies, in response to the 2013 Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” to develop a cybersecurity framework. Response to the framework was widely positive, and that same year Congress formally ratified the framework as part of NIST requirements in its Cybersecurity Enhancement Act of 2014. This version remained in place until April 2018, when NIST released an update as version 1.1.

Among the many benefits of NIST CSF is that it not only helps your organization identify cyber risks, but it also helps you determine what you should do to address those risks as they relate specifically to your organization and business goals.

NIST CSF provides a common language so you can communicate your cyber risks both inside and outside of your organization to help establish and mature your cybersecurity posture. In its nature, the CSF framework is itself high-level, meaning your organization has a lot of flexibility when it comes to implementing CSF requirements. One set of controls may be applicable for your organization today, while another may be better for you in the future.

There are three main components of NIST CSF: its core, implementation tiers, and profiles. The NIST CSF core outlines activities and outcomes in a unified language that’s easy for internal and external stakeholders to understand. The implementation tiers provide a way that your organization can implement a cybersecurity framework and then mature it as your organization changes, and the profile helps align your organization’s specific requirements to your objectives, resources, and risk appetite.

One of the unique parts of this framework is how well it connects your cybersecurity risk activities with your business drivers and outcomes.

The Apptega Solution for NIST CSF Compliance

Implementing, managing and maturing a cybersecurity framework has never been easier than with Apptega’s cybersecurity framework management solution. With NIST, you can:

  • Easily implement the NIST CSF controls that are applicable to your organization today
  • Identify where you have gaps and weaknesses
  • Crosswalk CSF against your other existing controls
  • Mature your practices and decrease your cybersecurity risks as your organization changes with continuous insight

Learn how you can use Apptega to simplify and streamline control identification and management, enabling you to modify your frameworks as you need and adjust controls to meet the demands of today’s evolving threat landscape.

Building a Successful NIST CSF Engagement Strategy

The NIST Cybersecurity Framework aligns with the cybersecurity lifecycle: identify, protect, detect, respond, and recover. As such, this voluntary set of cybersecurity standards makes it easy for your organization to set a foundation for your cybersecurity program and mature it in phases.

In our NIST CSF compliance guide, we break down the big picture of the CSF framework to help you understand its origins and intent so you can “Build a Successful NIST CSF Engagement Strategy to Secure Your Business.”

The guide walks you through the three core framework components: core, implementation tiers, and profiles. It then takes a deeper dive into the lifecycle alignment with a breakdown of the security functions, and summarizes the 23 key framework requirements, which are managed within Apptega through categories related to the framework core.

The guide is also an invaluable tool in helping your organization prepare for a CSF assessment, including a walkthrough of five basic steps your organization can take to ensure a successful framework implementation and adoption. You’ll also find a detailed resource guide to help connect your organization with any additional CSF support you may need.

Does Your Organization Need to be NIST CSF Compliant?

All organizations, regardless of size or industry, can benefit from NIST CSF compliance. Although the framework consists of voluntary standards that are not legally bound to compliance, the framework serves as a solid foundation that any organization—even those with limited people, tools, resources, and financial support—can implement and then mature over time.

Because the NIST CSF framework has implementation tiers, it’s a great resource that can meet you where you are today in relation to your existing cybersecurity risks and business goals, and then provide a way to add additional layers of security to your program as your needs and objectives change, and the cyber risk landscape continues to evolve.

If you’re an organization that provides products and services to the federal government, there may be other NIST standards that your organization must comply with, for example, NIST 800-53 and NIST 800-171. If you’re already using those frameworks, you can crosswalk those controls and map them to the NIST CSF framework, simplifying control management and giving you a better picture of all the ways your organization is committed to reducing cyber risks. If you have not yet implemented those standards, but are expected to do so, the NIST CSF framework can be a great place to start.

Crosswalk Multiple Compliance Frameworks with Ease

While the NIST CSF framework is a great starting point for developing a program to address cyber risks, many organizations quickly find that through various legal and compliance mandates, there are a range of other frameworks they are obligated to implement and manage. If your organization tries to manage all of these different controls and requirements through spreadsheets or GRC tools, you may be quickly overwhelmed and struggle to get the insight you need to efficiently manage your program. Those tools often leave your organization with gaps in visibility, causing duplicated work and the unnecessary use of manual, repetitive tasks.

Apptega’s Harmony tool makes streamlining your control and framework management a breeze. Through Harmony, you can crosswalk your existing frameworks and their controls to get instant, easy-to-understand insight into your current security posture, including where you have gaps, from the big picture of compliance, all the way down to a granular sub-control level.

Here are some of the other key benefits of Apptega’s Harmony:

  • Manage multiple frameworks at the same time
  • Get insight into thousands of controls and sub-controls, all within a consolidated view
  • Improve program efficiencies 60% or more by automating tasks and removing duplicated efforts
  • Make the most of your existing resources without having to hire additional staff
  • Monitor and report on individual frameworks or a combination as needed

Understanding the NIST CSF Framework: The Five Core Functions

The five core functions of the NIST Cybersecurity Framework directly align with the cybersecurity lifecycle: identify, protect, detect, respond, recover.

These five functions represent the five core pillars of the CSF framework. At the highest level, they can help your organization build a holistic cybersecurity program, one that can be matured as your needs evolve. These five core functions also help your organization implement a common language for communicating your program maturity both internally and externally.

Each function has related categories. There are 23 categories in total, each representing a requirement, and each of these 23 core categories has additional sub-categories.

Identify

This function helps your organization understand how you can manage your cyber risks as they relate to your people, assets, data, systems, and other capabilities. The identification process helps your team better understand your cyber risks in actual business context, for example, by identifying your organization’s most critical functions and related assets and then homing in on cyber risks that can affect your organizational resilience.

Here is a quick look at some of the things your organization might tackle as part of the identify phase:

  • Inventorying all of your assets and systems as part of an asset management program
  • Locating and understanding your existing cybersecurity policies and practices
  • Determining which functions and assets are critical to operational resilience across your entire organization, including through your supply chain
  • Discovering all of your vulnerabilities and other security weaknesses, including internal and external threats
  • Conducting risk assessments
  • Conducting business impact analyses
  • Developing a risk management strategy

Protect

This function helps your organization identify necessary safeguards that ensure you’re able to deliver critical services, for example, during and after a cybersecurity event.

This may include steps such as:

  • Creating Identity and Access Management (IAM) policies
  • Developing data security policies and standards
  • Managing assets, devices, and systems to ensure they meet existing standards and policies
  • Educating staff and other stakeholders about cyber risks and how to avoid them

Detect

This function helps your organization develop activities to determine when you’re experiencing a cybersecurity incident so you can quickly respond.

This may include steps such as:

  • Event and anomaly detection and response
  • Understanding event impact and scope
  • Identifying interconnectivity and opportunities for lateral movement within your network and systems
  • Ensuring your organization utilizes continuous monitoring to discover vulnerabilities and weaknesses, as well as ongoing cybersecurity monitoring for any abnormalities

Respond

This function helps your organization understand steps required to respond to a cybersecurity event. Your goal is to respond in a way that contains and mitigates the impact of the event.

This may include steps such as:

  • Routinely testing and exercising your response plans
  • Ensuring your response plans are effective and up to date for your current environment
  • Managing how your organization responds internally and externally during and after an event
  • Conducting forensic analysis and related steps to determine how the incident occurred and what its full impacts are
  • Applying mitigation techniques to decrease the impact of the event
  • Taking steps to resolve the incident

Recover

This function helps you determine which activities you need to take to recover from an incident and return to business as usual as quickly as possible, including restoration of your critical services and processes.

This may include steps such as:

  • Ensuring the effectiveness of your recovery plans and making modifications as needed, including the ability to effectively restore your critical systems and functions in a timely manner
  • Applying lessons learned from an event to decrease the likelihood of a similar or related event in the future
  • Evaluating existing internal and external communication plans for effectiveness and making adjustments for better future response to protect the brand from reputational damage

How to Implement NIST CSF: Framework Tiers

There are four implementation tiers in the NIST Cybersecurity Framework. In simplest terms, the tiers determine how well your organization’s cybersecurity risk management practices meet requirements defined in the framework, not specifically your program’s maturity levels. The tiers range from partial all the way up to adaptive.

Tier 1: Partial

Cybersecurity activities aren’t directly informed by your risk objectives, business requirements, or threat landscape. Your activities are ad hoc and reactive.

Tier 2: Risk Informed

Cybersecurity activities are directly informed by your risk objectives, business requirements, or threat landscape. Your activities are piecemeal, with some risk awareness, but they are not proactive.

Tier 3: Repeatable

Cybersecurity activities are updated as you apply your risk management processes to your changing business requirements and threat landscape. You’ve implemented these activities throughout your company and they are repeatable so you can respond to cyber events.

Tier 4: Adaptive

Cybersecurity activities are built into your overall organizational culture and represent complete adoption of the NIST CSF framework. You can respond to cyber events and take proactive steps to detect issues and respond to them based on trends and other relevant risk information.

What Our Customers Are Saying

Ed Myers
Associate Compliance Director, Cape Henry Associates

“With Apptega, we now have the visibility needed to know the true status of our program at any time.”

Desiree Davis
Operations Manager, Leap Credit

"I would absolutely recommend Apptega for anyone looking to elevate their compliance program from a static source to something that can be used to actively track and manage your compliance."

Chris Farrow
Director of Global Cybersecurity, IJM

"I find Apptega amazingly easy to use. What I like best is the pre-built framework content covering topics like NIST CSF, CIS, GDPR, and CCPA. The reports are extremely valuable for reporting to executive and board stakeholders."

How Framework Profiles Help You Improve Your Security Posture

In the NIST Cybersecurity Framework, framework profiles help you align your organization’s goals, objectives, risk appetite, and available resources to the CSF core. Where you are now is your current profile. Where you want to go with your cybersecurity maturity is your target profile. You can use the CSF framework to build an action plan to move you from your current profile to your target profile.

You can use the framework’s profiles to find areas of improvement so you can improve your cybersecurity posture by essentially evaluating your organization’s objectives against the current threat landscape and your existing controls and then determining the profile you want to get to next.

Organizations often use the target profile as a way to plan for future improvements and program investments. For example, your organization might be comfortable implementing a specific set of controls and sub-controls in your first year, and from there you can build a plan to prioritize and implement additional controls and sub-controls in the coming months and years.

Steps to Become NIST CSF Compliant

To become fully NIST CSF compliant at implementation tier 4, you’ll need to implement all of the framework’s controls and sub-controls, and demonstrate that you can effectively respond to a cybersecurity event and that you proactively and continuously seek out risks and remediate them effectively, even as your organization and threat landscape evolve and expand.

There are 23 total CSF requirements and each requirement grouping aligns with the cybersecurity lifecycle.

Identify

  • 1. Asset management: Identify and consistently manage all data, personnel, devices, systems, and facilities that enable your organization to achieve business purposes as relevant to the importance of your business objectives and risk strategies.
  • 2. Business environment: Understand and prioritize your mission, objectives, stakeholders, and activities to inform your cybersecurity roles, responsibilities and risk management decisions.
  • 3. Governance: Understand your policies, procedures, and processes used to manage and monitor your regulatory, legal, risk, environmental, and operational requirements and use them to inform your cybersecurity risk management.
  • 4. Risk assessment: Understand your cybersecurity risk related to your organization’s operations (such as your functions, mission, and reputation), your assets, and individuals.
  • 5. Risk management strategy: Establish and use your organization’s priorities, constraints, risk tolerances, and assumptions to support your operational risk decisions.
  • 6. Supply chain risk management: Establish your organization’s priorities, constraints, risk tolerances, and assumptions and use them to support the risk decisions associated with supply chain management, including establishing and implementing processes to identify, assess, and manage your supply chain risks.

Protect

  • 7. Identity management, authentication, and access controls: Limit access to physical and virtual assets and associated facilities to authorized users, processes, and devices, and manage that access consistently with the assessed risk of unauthorized access.
  • 8. Awareness and training: Ensure your personnel and partners are provided with cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
  • 9. Data security: Consistently manage your information and records (data) with your organization’s risk strategy to ensure protection of the confidentiality, integrity, and availability of information.
  • 10. Information protection processes and procedures: Maintain and use security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures to manage protection of information systems and assets.
  • 11. Maintenance: Perform maintenance and repairs of industrial control and information system components consistent with policies and procedures.
  • 12. Protective technology: Manage technical security solutions to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Detect

  • 13. Anomalies and events: Detect anomalous activities in a timely manner and understand the potential impact of events.
  • 14. Security and continuous monitoring: Monitor your information system and assets at discrete intervals to identify cybersecurity events and verify effectiveness of protective measures.
  • 15. Detection processes: Maintain and test detection processes and procedures to ensure awareness of anomalous events.

Respond

  • 16. Response planning: Execute and maintain response processes and procedures to ensure timely response to detected cybersecurity incidents.
  • 17. Communications: Coordinate response activities with internal and external stakeholders as appropriate including external support from law enforcement agencies.
  • 18. Analysis: Conduct analyses to ensure adequate response and support recovery activities.
  • 19. Mitigation: Perform activities to prevent an event’s expansion, mitigate its effects, and resolve the incident.
  • 20. Improvements: Improve organizational response activities by incorporating lessons learned from current and previous detection/response activities.

Recover

  • 21. Recovery planning: Execute and maintain recovery processes to ensure timely restoration of systems or assets affected by cybersecurity incidents.
  • 22. Improvements: Improve organizational response activities by incorporating lessons learned into future activities.
  • 23. Communications: Coordinate restoration activities with internal and external stakeholders such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

Preparing for a NIST CSF Assessment

Although the NIST Cybersecurity Framework is voluntary and there are no legal requirements for compliance, undergoing a NIST CSF compliance assessment can help you better understand your current security posture and help your organization make plans to move to your target profile.

Whether you’re conducting an internal audit or having an external assessment, here are a few tips that can help ensure you’re on the journey to CSF compliance, regardless of your current implementation tier.

And, remember, this is not a set-it-and-forget-it process. Your cybersecurity processes and evaluations should be continuous to keep up with your rapidly changing threat landscape.

Steps to Prepare for an Assessment

Step 1: Set Goals

Develop a governance agreement for your organization that defines your organization’s risk appetite. Use this time to set goals for your cybersecurity program including a budget related to CSF implementation and management, your implementation priorities and objectives, and outlining roles and responsibilities.

Step 2: Select Your Implementation Tier

There are four tiers for NIST CSF implementation. Evaluate the current profile for your organization’s existing cybersecurity measures and then select the appropriate tier for implementation.

Step 3: Assess Risk

Conduct a risk assessment, possibly with an independent external party, to establish your current security posture, and then develop goals related to your current security risks, including an inventory of your existing assets, vulnerabilities, and other security issues. Don’t forget to document everything.

Step 4: Identify Security Gaps

Use your risk assessment to compare your current security posture scores against your target profile scores. Develop an action plan to address areas where you have gaps, including steps to improve your scores and close your gaps.

Step 5: Implement the Action Plan

Next, implement your action plan, including documenting all of your processes. Consider developing training and education materials to help facilitate organization-wide adoption as appropriate. Establish key metrics that will help you continue to assess the effectiveness of your cybersecurity program and help you meet expectations and requirements.

NIST CSF Blogs

How to Choose Which Cybersecurity Framework to Follow

While the NIST Cybersecurity Framework is a great resource for any organization looking to implement or improve a cybersecurity program, the reality today is that many organizations, because of various mandates, often find themselves balancing the implementation and management of multiple frameworks, often simultaneously. With so many frameworks in the market and getting attention, how do you know which framework is right for your organization? This blog takes a closer look at some of the most common frameworks, for example, SOC 2, CIS, ISO, PCI, and others, to help you identify what they’re used for and what they’re intended to do.


Choose the Right Framework to Navigate the Convergence of Data Privacy and Cybersecurity

The lines that define cybersecurity and privacy have been distinct, but that’s rapidly changing. Today, because of evolving regulatory and compliance obligations, these lines are blurring, and it’s becoming ever more challenging to clearly discern who is responsible for what within your organization. The situation is further complicated by many organizations’ cultures, where old roles have been grandfathered down a chain over time, leaving some responsibilities outside the department that should handle them. Check out this blog to learn how to clarify where there are questions, understand what got us to this point, and get tips to overcome common convergence challenges.


Managing Cybersecurity Risks Up and Down the Supply Chain, Part 2

Supply chain risks are of increasing concern for all organizations, regardless of industry. For example, in the past year, in light of the coronavirus pandemic, we’ve seen a breakdown in several critical physical supply chain delivery channels, and digital suppliers have experienced an increasing number of breaches, making every organization vulnerable to supply chain risks. So how can you effectively and efficiently manage cybersecurity risks up and down your supply chain, even beyond tier-1 vendors? This blog examines the increasing supply chain risks caused by third-party vendors and offers actionable tips to help you prepare for and mitigate these risks, including using a cybersecurity framework that covers supply chain risks.

NIST CSF Webinars

How to Choose Which Cybersecurity Framework to Follow

There are more than 20 commonly used frameworks used today, with others popping up with increasing frequency. While some industries may mandate specific framework requirements, many modern organizations often face the common reality that they have to manage more than one. So how do you know which one (or combination of frameworks) you should use? Watch this webinar to learn more about common frameworks, including similarities and what sets them apart, and learn more about how you can use Apptega to help you manage your frameworks and meet your compliance requirements.


Building Cybersecurity Programs in SaaS Companies

As more and more organizations move to adopt cloud-based technologies, software as a service (SaaS) companies play an increasingly important role in operational resilience. Those SaaS companies can’t overlook inherent cyber risks that may negatively affect their clients and customers, but some struggle with meeting cybersecurity requirements, especially when those requirements are associated with compliance mandates outside of their core industry. Watch this webinar to learn more about customer-driven cybersecurity, how to build your program with limited resources, and draw on real-world insight and advice to help you manage your program.

NIST CSF Videos

NIST CSF to ISO Audits Simplified

Maybe you started your cybersecurity program with a compliance assessment based on the CSF framework and are now working towards maturing your program further with the addition of ISO. Or, you may be preparing for an audit. Watch this 3-minute video to see:
1. How to identify and address gaps in your CSF program
2. How you can eliminate redundancy with automatic crosswalking
3. How to monitor and report on combined or individual frameworks, and
4. The best way to streamline your audit process


Crosswalking from Cybersecurity to Privacy

Since having great cybersecurity is the foundation for protecting consumer data and privacy, you may be following a framework such as NIST CSF. But as you work towards maturing your privacy program, you may be looking to add frameworks such as CCPA or GDPR. Watch this 3-minute video to see:

1. An assessment of the current state of your NIST CSF and privacy compliance
2. How to gain an instant head-start on compliance with each new Privacy framework added
3. How to monitor and report on combined or individual frameworks
4. Automated reporting capabilities for executive visibility and your Board of Directors

Frequently Asked Questions about NIST CSF (FAQs)

What does NIST CSF stand for?
NIST CSF is a common reference for the NIST Cybersecurity Framework. This voluntary framework, overseen by the National Institute of Standards and Technology, outlines best practices to implement and mature your organization’s cybersecurity program.
Why is NIST CSF important?
NIST CSF is important because it helps set a foundation for modern cybersecurity programs that can effectively stand up to and respond to our ever-evolving threat landscape. Because it is voluntary, it offers a lot of flexibility for organizations as you plan for implementation and adoption. Its industry-recognized best practices can help you identify where you have security issues within your existing security profile and make plans to address those weaknesses and close gaps to improve your program effectiveness.
Who uses NIST CSF?
While many private-sector and critical infrastructure organizations use NIST CSF, the standards are applicable across a wide range of organizations, of all sizes, across all industries.
Is NIST CSF compliance mandatory?
No. NIST CSF compliance is not mandatory; it is voluntary. However, becoming compliant with NIST CSF standards can not only improve your current security posture but may also help you meet other regulatory and compliance standards under additional frameworks that have similar controls.
Is there a NIST CSF certification?
No. There is not a formal NIST CSF certification or accreditation process. Instead, you can self-attest that you are compliant with NIST CSF standards, but you may find it beneficial to work with a third-party assessor to add an additional layer of assurance that you’re meeting all CSF requirements. A third-party assessment often concludes with a letter of attestation of compliance.
What are the five NIST CSF categories?
There are five core categories, called functions, within NIST CSF, and these five functions directly align with the cybersecurity lifecycle: identify, protect, detect, respond, and recover. The core functions comprise 23 categories and 108 subcategories, often referred to as control families and controls, that address specific requirements related to those five core functions.
How many controls are there for NIST CSF?
There are 23 primary controls for NIST CSF; however, there are additional related sub-controls. How many controls and sub-controls your organization successfully implements directly correlates with your CSF implementation tier.
How are NIST CSF and NIST 800-53 related?
The NIST Cybersecurity Framework is a subset of NIST 800-53. You can apply existing NIST 800-53 controls when you're interpreting how to implement NIST CSF controls for your organization.
Can I map NIST CSF to other frameworks?
Yes. You can map NIST CSF to other frameworks. Apptega’s Harmony tool makes it easy to crosswalk all your frameworks and related controls into an easy-to-understand dashboard that gives you instant insight—down to the individual control level—of your progress toward compliance.
Who should be NIST CSF compliant?
Although the NIST Cybersecurity Framework is voluntary, all organizations could benefit from compliance with NIST CSF standards. Implementing a voluntary framework, especially in addition to a mandatory framework, sends a compelling message of strong commitment to cybersecurity to customers, partners, auditors, and other constituents. This can create competitive advantages, helping to retain customers and win new business.
How do I become NIST CSF compliant?
To be fully compliant with NIST CSF, your organization will need to successfully implement all 23 categories and 108 sub-controls, demonstrate that your program is effective and part of your organization's culture, and show that you're proactively seeking out and defending against potential cyber-attacks.
What is the most current version of NIST CSF?

The most current version of NIST CSF is v1.1, which was released in 2018. You can find a complete copy here: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

Who oversees NIST CSF Standards?

The National Institute of Standards and Technology, commonly referred to as NIST, oversees NIST CSF standards.

Who is NIST?
NIST, the National Institute of Standards and Technology, is part of the U.S. Department of Commerce. Founded in 1901, it is one of the oldest physical sciences laboratories in the country. Today, NIST develops standards that influence technology and the related measurements and standards.
Where can I find NIST CSF compliance resources?

NIST Cybersecurity Framework compliance resources are in Apptega’s NIST CSF Marketplace. In the marketplace, you can quickly access products and services to help you with your FedRAMP authorization process, including access to consultants with expertise in your specific compliance areas.

Implement and Manage NIST CSF With Confidence

See how you can simplify your NIST Cybersecurity Framework compliance journey with Apptega, ensuring you're continually closing security gaps and improving your security posture.

Here are some of the benefits of using Apptega to help ensure you’re meeting all of your NIST CSF requirements:

  • Use questionnaire-based assessments to auto-score and identify where you have security gaps
  • Report on the end-to-end management of all of your assets and your compliance status at any time, all from a simplified, easy-to-understand dashboard
  • Ensure you’re prepared for a CSF assessment and poised to receive a letter of attestation
  • Crosswalk your NIST CSF framework and controls with other frameworks you are following
  • Improve your process efficiencies without using additional resources
  • Demonstrate to your customers that you take cybersecurity seriously and you’re employing industry-recognized best practices to keep their data and sensitive information safe.
NIST CSF Marketplace

Searching for guidance, assistance, or tools as you prepare for NIST CSF compliance?

The NIST CSF Marketplace in CyberXchange is mapped to all the controls defined within the NIST CSF framework. For each of your gaps or compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.

Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.

Companies on the Journey to Compliance

IJM, CounterTrade, Cortland, HCTec, Focus on the Family, Greenhouse Software