What is the NIST CSF?
The NIST Cybersecurity Framework (CSF) is a risk-based framework designed to help organizations manage and reduce cybersecurity risks. It provides a structured approach to identifying, protecting, detecting, responding to, and recovering from cyber threats.
The NIST CSF is not as prescriptive as other standards you might be aware of, like NIST 800-171 or NIST 800-53. Instead, it provides a flexible, risk-based approach to managing and improving cybersecurity that makes it a good fit for almost any industry or business size.
The first version of the NIST CSF was released in 2014 in response to growing concerns about cybersecurity vulnerability in the U.S. It also helped organizations meet mandatory Federal Information Security Modernization Act (FISMA) requirements first instituted in 2002.
While the NIST CSF was originally voluntary, it became mandatory for all U.S. government agencies in 2017 with memo M-17-25.
Version 2.0 introduces a stronger emphasis on governance (with the new ‘Govern’ function), expands implementation guidance for supply chain risk management, and enhances alignment with other frameworks such as ISO 27001.
What does the NIST CSF include?
While NIST does not certify businesses, organizations can document their cybersecurity maturity through internal assessments or third-party audits. To support self-assessment, NIST publishes quick-start guides and worksheets on its site, including guides geared towards specific industries such as healthcare.
Let’s explore a few key terms when it comes to understanding how the NIST CSF works: Core, Tiers, and Profiles.
Core
The heart of the CSF comprises six high-level functions—keyed to desired high-level outcomes—that an organization will then translate into concrete action.
These six Core Functions are not chronological, and all may be going on at once. In particular, the Govern function determines how an organization handles the other five outcomes and is continuously informed by them. As shown in the diagram, it’s a continuous, overarching process that encompasses the other five, creating a decision-making foundation and integrating cybersecurity with business goals.
Each function is subdivided into categories and subcategories, touching on all aspects of cybersecurity. These categories and subcategories give you confidence that you’re covering all your bases.
Beyond the six Core Functions and their categories and subcategories, NIST CSF also uses the terms “Tiers” and “Profiles.”
Tiers
Four tiers indicate an organization’s level of cybersecurity maturity, ranging from lowest (Partial: Tier 1) to highest (Adaptive: Tier 4).
At Tier 1, an organization will have limited awareness of cybersecurity risk and take an irregular or ad hoc approach to cybersecurity processes. At Tier 4, on the other hand, they will have established an organization-wide approach with risk-informed processes, using real-time or near-real-time information to ensure consistent response. Cybersecurity has become part of the organization’s culture.
Keep in mind that organizations do not necessarily progress through these tiers in a linear fashion. Instead, they may focus on different aspects of cybersecurity maturity depending on risk appetite, industry requirements, and regulatory pressures.
Profiles
Profiles help you understand your organization’s current situation as well as your cybersecurity goals (which will help you tailor the CSF to your unique needs). There are two main Profiles you need to consider:
Current Profile: Reflects your organization's current cybersecurity state
Target Profile: Reflects your desired future state of cybersecurity
Based on the principle that you need to know where you’re going before you can set out on the journey, these Profiles work together as a roadmap to identify gaps, prioritize improvements and allocate resources, and track progress towards your goals.
Example: Small aerospace manufacturer
To see how all these components fit together in practice, let’s look at how a small manufacturer producing parts for the aerospace industry might move towards NIST CSF alignment. Manufacturing is increasingly targeted by attackers, and following NIST guidelines will strengthen the company’s security posture and also make it eligible for U.S. government contracts.
1. GOVERN (GV)
Purpose: Assess risk, including industry-specific and organization-specific risks
Steps to take include:
Acknowledging security gaps and aspirations based on the Current and Target Profiles
Starting to build a risk management framework to progress from Tier 1 (Partial) to Tier 3 (Repeatable) to become competitive for defense contracts. By Tier 3, they will have formal policies in place and consistent practices around security.
2. IDENTIFY (ID)
Purpose: Determine which assets to protect (data, hardware, identities) through data discovery, attack surface mapping, and risk and vulnerability analysis
Steps to take include:
Rigorously auditing digital infrastructure for potential vulnerabilities
Mapping out which assets and resources need the highest level of protection, so that more stringent requirements can be applied to them
3. PROTECT (PR)
Purpose: Ensure confidentiality, integrity, and availability (the “CIA triad”) through strategies like encryption, MFA, passkeys, and a backup system
Steps to take include:
Implementing foundational security controls, protecting critical IP like parts design data
Establishing a security foundation with access control policies and other protection
4. DETECT (DE)
Purpose: Analyze real-time data for adverse events using endpoint and network monitoring and metrics, threat intelligence feeds, telemetry, and more
Steps to take include:
Implementing telemetry and logging/monitoring to catch potential security incidents
Bolstering threat detection to help proactively manage cyber risks
5. RESPOND (RS)
Purpose: Mitigate incidents in progress using playbooks with automation and human intervention
Steps to take include:
Developing incident response procedures and prioritization based on actual risks and exposure
Defining incident management roles and responsibilities
6. RECOVER (RC)
Purpose: Verify that restored data is secure and that CIA has been maintained; handle stakeholder communication and regulatory repercussions
Steps to take include:
Testing backup and restore processes to ensure business continuity
Developing a transparent, professional communication strategy for all stakeholders
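To show how the Current and Target Profiles and the Tiers described earlier combine for this manufacturer, here is an added example (not code from the original article, NIST, or Wiz) that rates a handful of subcategories against a Tier 3 target, ranks the gaps by weighted size, and summarizes readiness per Function. The subcategory IDs are CSF 2.0-style labels, and the ratings and weights are assumptions constructed for the scenario.

```python
# Added example (not NIST's or Wiz's code): Current-vs-Target Profile gap analysis.
# IDs follow the CSF 2.0 "Function.Category-NN" scheme; ratings/weights are constructed.
from dataclasses import dataclass

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

@dataclass(frozen=True)
class Outcome:
    subcategory: str  # e.g. "PR.AA-01"; the prefix before "." is the Function
    current: int      # tier reached today (Current Profile)
    target: int       # tier required (Target Profile)
    weight: int = 1   # business criticality, 1 (low) to 3 (high)

    def __post_init__(self):
        if self.current not in TIERS or self.target not in TIERS:
            raise ValueError(f"{self.subcategory}: tiers must be one of {sorted(TIERS)}")

    @property
    def function(self) -> str:
        return FUNCTIONS[self.subcategory.split(".")[0]]

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)  # no credit for exceeding target

def prioritized_gaps(outcomes):
    """Outcomes still short of target, largest weighted gap first (ID breaks ties)."""
    return sorted((o for o in outcomes if o.gap),
                  key=lambda o: (-o.gap * o.weight, o.subcategory))

def function_summary(outcomes):
    """Per Function: outcomes already at target, total, and the lowest current tier."""
    summary = {}
    for o in outcomes:
        s = summary.setdefault(o.function, {"met": 0, "total": 0, "lowest_tier": 4})
        s["total"] += 1
        s["met"] += int(o.gap == 0)
        s["lowest_tier"] = min(s["lowest_tier"], o.current)
    return summary

# Constructed profile: the manufacturer targets Tier 3 (Repeatable) for every outcome.
SAMPLE_PROFILE = [
    Outcome("GV.OC-01", current=1, target=3, weight=2),  # risk management strategy
    Outcome("ID.AM-01", current=2, target=3, weight=3),  # asset inventory
    Outcome("PR.AA-01", current=1, target=3, weight=3),  # identities and access
    Outcome("DE.CM-01", current=1, target=3, weight=2),  # network monitoring
    Outcome("RS.MA-01", current=3, target=3, weight=1),  # incident management
    Outcome("RC.RP-01", current=2, target=3, weight=2),  # recovery plan execution
]
```

Running `prioritized_gaps(SAMPLE_PROFILE)` puts the access-control gap first, matching the walkthrough's emphasis on foundational controls under PROTECT, while `function_summary` shows RESPOND already at target.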
What are the main benefits of adopting the NIST CSF?
Perhaps the largest benefit of the NIST CSF is preventing and mitigating security incidents. That avoids ransom payments, fines, and lost personnel time, as well as the costs of disrupted operations and inconvenience to your customers.
Adopting the NIST CSF enhances security maturity and can help organizations align with regulatory requirements (e.g., FISMA, CMMC). However, unlike frameworks such as PCI DSS or HIPAA, CSF adoption is voluntary for most organizations.
Another major benefit is ensuring accountability for your security program. This can be especially useful for a growing business. You can create “SMART” goals—goals that are specific, measurable, achievable, relevant, and time-bound—and tie them to metrics that let you measure and track progress, like percentage of encryption coverage, mean time to respond (MTTR) to incidents, and rate of false positives/negatives.
Examples of function-specific metrics to track your NIST CSF implementation:
Identify: Percentage of assets inventoried, vulnerability remediation rates
Protect: MFA adoption rate, percentage of encrypted data, security awareness training completion
Detect: Mean time to detect (MTTD), security event false positive rates
Respond: Mean time to respond (MTTR), incident containment rates
Recover: Recovery time objectives (RTOs), successful backup restoration rates
Govern: Policy compliance rates, risk assessment completion percentages
Other benefits of NIST CSF compliance may include:
Streamlining everyday security processes
Earning trust from customers, partners, and stakeholders
Simplifying regulatory and contractual obligations (e.g., SLAs)
How does the NIST CSF help in cloud environments?
By nature, cloud environments evolve quickly, making it tough to maintain cloud security best practices. You need to consistently monitor and control assets and resources, but cloud providers’ shared responsibility model also creates confusion. You may not know who’s responsible for what, you may have multiple control panels for configuration, and you probably won’t have clear visibility across multiple cloud platforms.
The NIST CSF can help address these cloud risks with its focus on continuous monitoring, proactive risk management and prioritization, and agility and scalability.
It also embraces advanced solutions such as automation, which lets you cut management overhead, improve scalability, and reduce performance impact while providing optimal coverage; and agentless visibility, which can greatly simplify NIST CSF compliance.
How a CNAPP helps you align naturally with the NIST CSF
Given the complexity of modern cloud security, organizations need tools that provide continuous monitoring, automated compliance checks, and unified risk management. This is where a Cloud-Native Application Protection Platform (CNAPP) can help.
Wiz is a modern CNAPP solution that provides continuous, automated compliance assessments across 100+ frameworks, including NIST, giving you a real-time pulse on your security posture.
Better still? Wiz goes far beyond cloud compliance, giving you code-to-cloud security visibility across your entire cloud ecosystem.
This lets you streamline security by consolidating multiple tools into a single platform, including: cloud security posture management (CSPM), cloud workload protection platform (CWPP), cloud infrastructure entitlement management (CIEM), and data security posture management (DSPM).
While all these tools are valuable on their own, they’re even more effective when they share information and insights as part of the Wiz CNAPP solution. That way, you get context-enriched visibility around every risk, cutting noise and alert fatigue.
And when it comes to compliance, Wiz’s cross-framework, cross-application heatmap lets you quickly spot compliance gaps and focus your security teams where it matters most.
Wiz automatically routes compliance issues to the right teams, enriched with context and remediation guidance. The result? All alerts are meaningful and help you fix vulnerabilities fast. And beyond the NIST CSF and other industry-standard compliance frameworks, Wiz also supports custom framework creation so you can tailor compliance to your organization's unique needs.
With Wiz, compliance goes from being a checkbox exercise to part of your holistic risk management strategy.
Ready to turn NIST CSF compliance from a headache into a strategic advantage? Book a demo and find out how Wiz can turn your compliance goals into reality—simply and easily.