Guidelines & Procedures

There’s no better time than now to implement the CSF: It’s still relatively new, and it could position you as a leader in forward-looking cyber security practices.

How can I implement the NIST Cyber security Framework?

Our team has been implementing the methods and processes according to NIST and SANS for more than 10 years. The vast experience of our people in large organizations all over the world brings the added value to you. Our people are the source of knowledge and experience in our society and our experience is our tool and yours for success.

What is the NIST Cyber security Framework?

President Obama signed Executive Order 13636 in 2013, titled Improving Critical Infrastructure Cybersecurity, which set the stage for the NIST Cybersecurity Framework. The CSF’s goal is to create a common language, set of standards, and easily executable series of goals for improving cybersecurity.

The CSF standards are completely optional—there’s no penalty to organizations that don’t wish to follow its standards. That doesn’t mean it isn’t an ideal jumping off point though—it was created with scalability and gradual implementation so any business can benefit.

The framework itself is divided into three components: core, implementation tiers, and profiles.

Framework core

The core is “a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.” It is further broken down into four elements: functions, categories, subcategories, and informative references.

Functions: There are five functions used to organize cybersecurity efforts at the most basic level: identify, protect, detect, respond, and recover. Together these five functions form a top-level approach to securing systems and responding to threats—think of them as your basic incident management tasks.

Categories: Each function contains categories used to identify specific tasks or challenges within it. For example, the protect function could include access control, regular software updates, and anti-malware programs.

Subcategories: These are further divisions of categories with specific objectives. The regular software updates category could be divided into tasks like making sure wake on LAN is active, that Windows updates are configured properly, and manually updating machines that are missed.

Informative references: Documentation, steps for execution, standards, and other guidelines would fall into this category. A prime example in the manual Windows update category would be a document outlining steps to manually update Windows PCs.

Implementation tiers

There are four tiers of implementation, and while CSF documents don’t consider them maturity levels, the higher tiers are considered more complete implementation of CSF standards.

Tier 1: Called partial implementation, organizations at Tier 1 have an ad-hoc and reactive cybersecurity posture. They have little awareness of organizational risk and any plans implemented are often done inconsistently.

Tier 2: Risk informed organizations may be approving cybersecurity measures, but implementation is still piecemeal. They are aware of risks, have plans, and have the proper resources to protect themselves but haven’t quite gotten to a proactive point.

Tier 3: The third tier is called repeatable, meaning that an organization has implemented CSF standards company-wide and are able to repeatedly respond to crises. Policy is consistently applied, and employees are informed of risks.

Tier 4: Called adaptive, this tier indicates total adoption of the CSF. Adaptive organizations aren’t just prepared to respond to threats—they proactively detect threats and predict issues based on current trends and their IT architecture.


Profiles are both outlines of an organization’s current cybersecurity status and roadmaps toward CSF goals. NIST said having multiple profiles—both current and goal—can help an organization find weak spots in its cybersecurity implementations and make moving from lower to higher tiers easier.

Profiles also help connect the functions, categories, and subcategories to business requirements, risk tolerance, and resources of the larger organization it serves. Think of profiles as an executive summary of everything done with the previous three elements of the CSF.

Why does the NIST Cyber security Framework matter?

The cybersecurity world has a problem: It’s incredibly fragmented despite its ever-growing importance to daily business operations. Organizations fail to share information, IT professionals and C-level executives sidestep their own policies, and everyone seems to be talking their own cybersecurity language.

NIST’s goal with the creation of the CSF is to help eliminate the utterly fragmented cybersecurity landscape we find ourselves in, and it couldn’t matter more at this point in the history of the digital world.

Cybersecurity threats continue to increase, and the latest disasters seemingly come out of nowhere and the reason why we’re constantly caught off guard is simple: There’s no cohesive framework tying the cybersecurity world together.