NIST Cybersecurity Framework (CSF)
What is the NIST Cybersecurity Framework?
The Framework for Improving Critical Infrastructure Cybersecurity, more commonly referred to as simply the Cybersecurity Framework (CSF), was originally published by the National Institute for Standards and Technology (NIST) in February 2014. This framework was published in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The NIST CSF is an evolving framework developed to improve cybersecurity risk management in critical infrastructure. While the framework itself is not mandatory, there is increasing pressure from regulating agencies for critical infrastructure operators to improve cybersecurity and NIST CSF acts as a guide for doing so.
Who is the intended audience?
While NIST CSF was originally developed to improve cybersecurity risk management in critical infrastructure, it can be leveraged by organizations of any size across any industry.
Where can I find more information?
The following resources can be found on the National Institute for Standards and Technology website:
- Cybersecurity Framework v1.1
- Cybersecurity Framework v1.1 Frequently Asked Questions
- Journey to CSF 2.0
How can runZero help me with these controls?
The following illustrates how runZero aligns with NIST CSF v1.1. The framework is based on 5 core functions: Identify, Protect, Detect, Respond, and Recover. Within each function are categories of controls. Each category is further divided into subcategories or outcomes. Where Strong alignment is noted, runZero can play a significant role in helping an organization implement safeguards. Where Partial alignment is noted, runZero can play a complementary role in helping an organization implement safeguards.
| ID | Function | Category | Strong alignment | Partial alignment |
|---|---|---|---|---|
| ID.AM | Identify | Asset Management | ✔ | |
| ID.BE | Identify | Business Environment | ||
| ID.GV | Identify | Governance | ||
| ID.RA | Identify | Risk Assessment | ✔ | |
| ID.RM | Identify | Risk Management Strategy | ||
| ID.SC | Identify | Supply Chain Risk Management | ||
| PR.AC | Protect | Identity Management, Authentication and Access Control | ||
| PR.AT | Protect | Awareness and Training | ||
| PR.DS | Protect | Data Security | ||
| PR.IP | Protect | Information Protection Processes and Procedures | ✔ | |
| PR.MA | Protect | Maintenance | ||
| PR.PT | Protect | Protective Technology | ||
| DE.AE | Detect | Anomalies and Events | ||
| DE.CM | Detect | Security Continuous Monitoring | ✔ | |
| DE.DP | Detect | Detection Processes | ||
| RS.RP | Respond | Response Planning | ||
| RS.CO | Respond | Communications | ||
| RS.AN | Respond | Analysis | ||
| RS.MI | Respond | Mitigation | ||
| RS.IM | Respond | Improvements | ||
| RC.RP | Recover | Recovery Planning | ||
| RC.IM | Recover | Improvements | ||
| RC.CO | Recover | Communications |