
How-To Guide: NIST Cybersecurity Framework 2.0

Updated: Jun 26



Preface:


This guide will explain how to use the latest version of the NIST Cybersecurity Framework.


There are many ways to use the NIST CSF, but this is my personal simplified application of it, in hopes of educating through a simple example. It won't cover all of the framework's nuances, but it will show how it's practically used.


Not everyone understands technical jargon. It's important to understand that senior executives don't want a Bill Gates standing before them speaking in bits and bytes. Senior executives understand cents and dollars, as this is their native language. You need to be able to translate the impact of bits and bytes into cents and dollars for everything to translate efficiently.


Purpose:


The NIST CSF is designed to provide guidance for reducing cybersecurity risks by helping organizations understand, assess, prioritize, and communicate about those risks and the actions that will reduce them. It can be understood by a broad audience, including executives who may not be cybersecurity professionals.


The CSF is commonly used in conjunction with other frameworks, standards, guidelines, and leading practices to better manage and shine a light on risks across all levels of management.


Real World Application:


Organizations handle risk in different ways depending on the company. The options for handling risk include mitigating, transferring, avoiding, or accepting the risk. That's where the NIST CSF comes in.


These are the options for how to use the NIST CSF. For this example we will be building framework profiles, as I feel this is the most effective method.



A framework profile serves as a method for describing an organization's current or target security posture. These profiles are used to understand, assess, prioritize, and tailor the outcomes based on the organization's mission objectives. Organizations can then prioritize their actions to achieve specific outcomes and translate that information to stakeholders.



The two types of profiles are current profiles and target profiles. The current profile is the organization's current security posture in terms of what it's achieving and to what extent it's being achieved. The target profile is the desired outcome of the organization in terms of achieving its cyber risk objectives. The target profile takes into account anticipated changes to the org's security posture, such as new technology adoption, new requirements, and threat intelligence trends. We create these profiles with comprehensive questionnaires that go across the organization's departments so we can properly gauge the status quo of how tasks are accomplished. This is why efficient communication and empathy are essential.


The questionnaires could be in spreadsheet format covering the various phases. For example, the Identify phase could ask something like this:



Once the questionnaires are complete and we have our current profile and target profile set, we can use the profiles in many ways. A lot of this has to do with the organization's unique compliance and regulatory obligations as well as which frameworks they're using. From there we create categories and subcategories of action plans that, upon completion, will lead to our target profile.



Some of you may recognize the disparity between current and target profiles as what is achieved via gap analysis, where you take a snapshot of the current state and compare it to the target state. There is no one-size-fits-all solution, so we must use our profiles to develop a prioritized, tailored roadmap to achieve the desired outcomes of the framework. There are many ways to use the profiles we created from our questionnaires:



Once we have implemented the action plans and updated the profiles, we have to schedule this as a repeatable process. We follow the action plans to adjust security practices, address gaps, and move toward the target profile. This is a continuous effort, and implementing action plans can take months or years. The current profile should be updated to assess progress, and the target profile should be updated to reflect changes in the organization and its cybersecurity risk. Over time, changes in either profile will require revising the action plan and repeating these steps.
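To make the profile-to-roadmap loop concrete, here is an added worked example (my own illustration, not code from the guide or from NIST). It encodes questionnaire answers for a current and a target profile, computes the gaps, ranks them by a business-impact weight so the roadmap speaks to the "dollars" side, and then re-runs the analysis after an action plan is completed, which is the repeatable step described above. The 0-4 maturity scale, the impact weights, and the sample answers are all constructed assumptions; the subcategory IDs follow the CSF 2.0 `Function.Category-NN` naming and should be checked against the published catalog for your own profile.

```python
"""Gap analysis between a current and a target CSF profile (added example)."""
from dataclasses import dataclass

# Constructed sample questionnaire results. Keys use CSF 2.0 style
# subcategory IDs (Function.Category-NN). The numeric answers are an
# assumed 0-4 maturity scale for this example, not something the CSF prescribes.
CURRENT_PROFILE = {
    "GV.OC-01": 3,
    "ID.AM-01": 1,
    "PR.AA-01": 2,
    "DE.CM-01": 0,
    "RS.MA-01": 2,
}

TARGET_PROFILE = {
    "GV.OC-01": 3,
    "ID.AM-01": 4,
    "PR.AA-01": 4,
    "DE.CM-01": 3,
    "RS.MA-01": 3,
}

# Assumed business-impact weight per subcategory (1 = low, 5 = high).
# In practice this comes from the stakeholders, not from the security team.
IMPACT_WEIGHT = {
    "GV.OC-01": 5,
    "ID.AM-01": 3,
    "PR.AA-01": 5,
    "DE.CM-01": 4,
    "RS.MA-01": 4,
}

FUNCTION_NAMES = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
                  "DE": "Detect", "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    weight: int

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # Larger gap on a higher-impact outcome sorts first.
        return self.size * self.weight

    @property
    def function(self) -> str:
        return FUNCTION_NAMES.get(self.subcategory.split(".")[0], "Unknown")


def gap_analysis(current, target, weights):
    """Return open gaps sorted by priority (largest first, then by ID).

    A subcategory present in the target but missing from the current
    profile is treated as unanswered (maturity 0) so it cannot silently
    drop out of the roadmap.
    """
    gaps = []
    for sub, wanted in target.items():
        have = current.get(sub, 0)
        if wanted > have:
            gaps.append(Gap(sub, have, wanted, weights.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def roadmap_by_function(gaps):
    """Group prioritized gaps by CSF function for stakeholder reporting."""
    grouped = {}
    for g in gaps:
        grouped.setdefault(g.function, []).append(g.subcategory)
    return grouped


def apply_action_plan(current, completed):
    """Update the current profile after action plans are re-measured.

    `completed` maps subcategory -> newly measured maturity. Measured values
    win even if they are lower than before, so a regression shows up as a
    gap on the next cycle instead of being hidden.
    """
    updated = dict(current)
    updated.update(completed)
    return updated


if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, IMPACT_WEIGHT)
    for g in gaps:
        print(f"{g.subcategory} ({g.function}): {g.current} -> {g.target}, "
              f"priority {g.priority}")
    print(roadmap_by_function(gaps))
    # Repeatable step: re-measure after two action plans are done.
    updated = apply_action_plan(CURRENT_PROFILE, {"DE.CM-01": 3, "PR.AA-01": 4})
    print([g.subcategory for g in gap_analysis(updated, TARGET_PROFILE, IMPACT_WEIGHT)])
```

The priority score is deliberately simple (gap size times impact weight) so that an executive can follow why one item outranks another; swap in whatever risk scoring your organization already uses, as long as the inputs come from the questionnaire and the business owners rather than being guessed by the security team.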


I hope this has been helpful in demystifying what a framework is and, more specifically, what the NIST CSF offers. This example has been extremely simplified but still reflects what it's like in a real-world application, as I've done this myself as an information security architect. If you wish to dive deeper into the nuances of this framework, you can visit NIST's website: https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd


If you have any questions or wish to discuss anything, please contact me on LinkedIn.


Thank you for reading.

