NIST-CSF: THE ESSENTIALS

NIST published the first version of the Cybersecurity Framework in February 2014. What few people know is that it was created in response to U.S. Presidential Executive Order 13636, titled Improving Critical Infrastructure Cybersecurity. Signed by Barack Obama in 2013, it recognized the importance of critical infrastructure for national security and economic stability—and, consequently, the need to better protect these infrastructures against cyber threats.

Much like NIS 2, “critical infrastructures” encompass many sectors: energy, healthcare, transportation, finance, telecommunications, etc. The NIST-CSF framework was designed to provide these entities with a set of best practices, standards, and recommendations to better manage and reduce the cyber risks they face.

Note: NIST-CSF does not impose rigid requirements! It primarily aims to encourage organizations to assess their own context, resources, and risks to choose the most appropriate practices. Such flexibility is ultimately an advantage, as it has contributed to its rapid adoption across several sectors.

WHAT IS THE NIST-CSF COMPOSED OF?

The Five Core Functions

The principle of the five core functions aims to provide an overview of the essential capabilities that organizations must have to effectively manage cybersecurity risks. These five functions are:

  • Identify

    Understand the risks and assets that need to be protected. This includes identifying systems, data, human resources, and processes critical to the organization’s operation.

  • Protect

    Once risks are identified, measures must be implemented to protect critical systems and data:

    • Implementing access controls
    • Training employees in security
    • Managing protective technologies…

  • Detect

    Being able to identify cybersecurity incidents as they occur ensures a better response. This function covers:

    • Monitoring activities for networks and systems
    • Detecting anomalies and events
    • Maintaining real-time threat detection capabilities

  • Respond

    This involves responding quickly and effectively to incidents through efficient communication and techniques to mitigate the effects of the security breach.

  • Recover

    After an attack or cybersecurity incident, the organization must recover to return to a normal state. This involves restoring affected systems and services, as well as identifying lessons learned from the event to improve future preparedness.

Categories and Subcategories

Each core function is further divided into categories and subcategories, which provide additional detail on the specific activities to be implemented.

For example, the “Protect” function contains several categories, including “protection of sensitive information.” This category is then divided into subcategories, such as the use of encryption, management of user credentials, and auditing access.

This may seem unnecessarily complicated, but this structure allows general security objectives to be linked to concrete and actionable steps. Bonus: it also enables the organization’s practices to align with specific frameworks and standards, such as—just a guess—ISO standards.

WHY ADOPT THE NIST-CSF?

One of the main advantages of the NIST-CSF is its flexibility. It is designed to be used by any organization, regardless of its sector or size, and can be customized to meet the specific needs of each entity.

For example, a small e-commerce business can use the same fundamental principles as a large financial institution, but adapt them to its limited resources and risk level.

Moreover, the NIST-CSF allows for gradual implementation: an organization can choose to adopt certain parts of the framework based on its level of cybersecurity maturity and then expand its use over time. Convenient, isn’t it?

Standardization and Interoperability

The growing importance of harmonization and international collaboration against cyber threats is well-known, with NIS 2 being one of many examples.

The NIST-CSF addresses this challenge: built on widely recognized standards and best practices, it is particularly useful for organizations operating in regulated environments or needing to comply with multiple regulatory frameworks.

By adopting this framework, such organizations can better align their cybersecurity practices with regulatory requirements while using a common language to communicate with partners, clients, and regulators.

Enhancing Security Posture

Last but not least: the primary goal of the NIST-CSF is to help organizations better manage and reduce their cyber risks! By following the five core functions, organizations can establish a comprehensive cybersecurity framework that covers all phases of risk management—from prevention to detection, response, and recovery.

In short, the NIST-CSF helps businesses better protect themselves by:

  • Encouraging them to proactively identify potential vulnerabilities and take measures to address them
  • Creating robust response and recovery processes to minimize the impact of incidents when they occur

HOW TO IMPLEMENT THE NIST-CSF IN YOUR COMPANY?

#1 Assess Risks

The first step in any implementation of the NIST-CSF is to conduct a comprehensive risk analysis, which includes:

  • Identifying the organization’s critical assets
  • Understanding potential threats
  • Assessing existing vulnerabilities

This step helps prioritize cybersecurity investments by targeting the most sensitive areas. It is largely covered by the “Identify” function of the NIST-CSF, which encourages businesses to have a clear understanding of their assets, environments, and associated risks.

#2 Develop a Security Plan

This plan should cover the other four functions of the framework: “Protect,” “Detect,” “Respond,” and “Recover.”

Note: Each function must be addressed comprehensively! For example, protective measures should include not only technical controls such as firewalls and encryption but also policies such as employee training and credential management.

#3 Monitor the Plan’s Implementation

Once the plan is in place, the organization must implement it and monitor its effectiveness over time. This monitoring is particularly important within the “Detect” function, as it allows security incidents to be identified in real time.

It also plays a key role in the continuous evaluation of security controls and the organization’s ability to respond to emerging threats.

#4 Improve Continuously

The NIST-CSF is not a static framework! Organizations must regularly review their security plan, assess the effectiveness of existing measures, and adjust them based on the evolution of threats, technologies, and the company’s needs.

All of this is essential to maintain a strong security posture in an ever-changing environment…

Limitations of the NIST-CSF

Complex Implementation for Small Businesses

For small organizations, the full implementation of the NIST-CSF is often complex and/or costly. Despite its near-unmatched flexibility, this framework can require significant resources that not all organizations have available:

  • Qualified personnel
  • Appropriate technological tools
  • Time to devote to risk assessment and the implementation of security measures

Lack of Legal Obligation

Since the implementation of the NIST-CSF framework is voluntary, it does not constitute a legal obligation for most organizations. Although a handful of government agencies and private companies have adopted this framework as a benchmark to strengthen their cybersecurity, there is no universal requirement forcing organizations to comply with it.

Meanwhile, in certain regulated sectors (such as finance, energy, or healthcare), authorities may impose specific cybersecurity regulations. Even if there are overlaps with the NIST-CSF, the requirements can differ. This situation can limit the adoption of the framework by some companies, which prioritize compliance with legal regulations over voluntary frameworks. It’s understandable, but unfortunate.

The Evolution of Threats

The NIST-CSF framework, while robust, cannot always keep up with the rapid pace of evolving cyber threats.

For example, the emergence of new types of attacks, such as sophisticated ransomware or AI-related threats (to name a few), may require faster adjustments than what a formal update of the framework allows.

It is therefore up to companies to find ways to complement the use of NIST-CSF with internal processes for technological monitoring and regular cybersecurity skill updates. Not always an easy task.

A Necessary Technical Expertise

Implementing the NIST-CSF often requires a high level of technical expertise. Organizations without cybersecurity experts on their teams may struggle to understand and apply certain specific subcategories, especially those related to advanced technologies or complex threats.

This challenge can be overcome by hiring external consultants or managed security service providers (MSSPs). However, this comes with additional costs.

The good news is that the NIST-CSF framework is available in Tenacy! The tool can generate automated action plans tailored to your current context, helping you achieve compliance. You can also track all your data and actions on a single platform, improving both speed and efficiency.