What is the NIST framework?


RiskXchange will not only help you understand the NIST framework but will find a cybersecurity framework that works for you and your business.

Published by the US National Institute of Standards and Technology (NIST), the NIST cybersecurity framework is a set of guidelines used for mitigating organisational cybersecurity risks. The framework is based on existing guidelines, standards, and practices.  

The NIST framework provides guidance on the protection of civil liberties and privacy in a cybersecurity context, a high-level taxonomy of cybersecurity outcomes, and a methodology to assess and manage those outcomes. The framework has since been translated into many languages and is used by various governments and a wide range of organisations and businesses worldwide. 

Let’s take a look at how to strengthen your cybersecurity and prevent attacks by using a powerful tool, the NIST cybersecurity framework.  

Why should you use the NIST cybersecurity framework? 

Devised through collaboration between industry and government, the voluntary cybersecurity framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure, including third-party risk. The prioritised, flexible, repeatable, and cost-effective approach of the framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.  

The NIST cybersecurity framework takes a risk-based approach, so cybersecurity risk can be managed as part of the organisation’s wider risk management and aligned with business goals. The result is better decision-making and communication throughout the organisation. 

The NIST framework supports and guides businesses to keep pace with changes in technology, cyber threats, and other factors. It is a “living” document that NIST revises as the environment of critical infrastructure owners and operators evolves: version 1.0 was published in February 2014, version 1.1 in April 2018 and version 2.0 in February 2024. 

There are three main elements to the framework: the core, implementation tiers, and profiles. The core presents five key functions (identify, protect, detect, respond, and recover) that taken together allow any organisation to understand and shape its cybersecurity program. Each function is broken down into categories and then subcategories, each of which states a specific outcome (for example, that software platforms and applications are inventoried). CSF 2.0 added a sixth function, govern, which collects the governance, risk management strategy and supply chain outcomes that version 1.1 placed under identify; the rest of this article follows the five-function structure of version 1.1.  

The implementation tiers describe how closely an organisation’s cybersecurity risk management practices exhibit the characteristics the framework defines. There are four, from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive), and they “range from informal, reactive responses to agile and risk-informed.” Profiles describe which framework outcomes an organisation currently achieves (the current profile) and which it wants to achieve (the target profile); comparing the two yields a prioritised list of gaps to close in order to reach a target state that meets business needs. 
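The current-versus-target comparison described above is easy to make concrete. The following is an added example, not code from RiskXchange or NIST: it represents each profile as a map from CSF v1.1 subcategory IDs (the Function.Category-n scheme, e.g. ID.AM-1) to a 0-4 implementation score, lists the gaps in priority order and counts them per function. The two profiles and the priority map are constructed sample data, and the per-outcome 0-4 score is an assessment convention assumed here, not something the framework prescribes (the framework’s tiers characterise the organisation’s overall practice, not single outcomes).

```python
"""NIST CSF profile gap analysis (added example; not RiskXchange or NIST code).

Subcategory IDs use the CSF v1.1 naming scheme (Function.Category-n).
The profiles and priority map are constructed sample data, and scoring each
outcome 0-4 is an assumption of this example, not part of the framework.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The five CSF v1.1 Functions; CSF 2.0 adds GV (Govern), not modelled here.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
SUBCATEGORY_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}-\d+$")
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Gap:
    subcategory: str   # outcome ID, e.g. "DE.CM-1"
    current: int       # score in the Current Profile (0 = not implemented)
    target: int        # score required by the Target Profile
    priority: str      # business priority for closing this gap

    @property
    def function(self) -> str:
        return FUNCTIONS[self.subcategory.split(".")[0]]

    @property
    def delta(self) -> int:
        return self.target - self.current


def validate_profile(profile: dict[str, int]) -> list[str]:
    """Return a list of problems: malformed IDs or scores outside 0-4."""
    problems = []
    for sub, score in profile.items():
        if not SUBCATEGORY_RE.match(sub):
            problems.append(f"bad subcategory id: {sub!r}")
        if not 0 <= score <= 4:
            problems.append(f"score for {sub} must be 0-4, got {score}")
    return problems


def gap_analysis(current: dict[str, int], target: dict[str, int],
                 priority: dict[str, str] | None = None) -> list[Gap]:
    """Gaps between Current and Target Profile, highest priority first.

    An outcome present in the Target Profile but missing from the Current
    Profile is treated as not implemented (score 0), never silently skipped.
    """
    priority = priority or {}
    problems = validate_profile(current) + validate_profile(target)
    problems += [f"unknown priority {p!r}" for p in priority.values()
                 if p not in PRIORITY_ORDER]
    if problems:
        raise ValueError("; ".join(problems))
    gaps = [Gap(sub, current.get(sub, 0), want, priority.get(sub, "medium"))
            for sub, want in target.items() if want > current.get(sub, 0)]
    # Highest priority first, then largest shortfall, then ID for a stable order.
    return sorted(gaps, key=lambda g: (PRIORITY_ORDER[g.priority], -g.delta,
                                       g.subcategory))


def gaps_by_function(gaps: list[Gap]) -> dict[str, int]:
    """Count open gaps per Function to show where the program is weakest."""
    counts = {name: 0 for name in FUNCTIONS.values()}
    for gap in gaps:
        counts[gap.function] += 1
    return counts


# Constructed sample profiles (not real assessment data).
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 3,
                   "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "ID.SC-1": 2,
                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}
PRIORITY = {"DE.CM-1": "high", "ID.AM-2": "high", "ID.SC-1": "low"}

if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    for g in gaps:
        print(f"{g.priority:<6} {g.subcategory:<8} {g.function:<8} "
              f"{g.current} -> {g.target} (+{g.delta})")
    print(gaps_by_function(gaps))
```

Run as a script, it prints the six open gaps with the two high-priority detection and asset-inventory outcomes first and the supply-chain outcome (absent from the current profile, so scored 0) last, followed by the per-function counts. Treating a missing outcome as score 0 rather than skipping it is the important edge case: a target profile usually contains outcomes nobody has assessed yet, and those are exactly the ones a gap report must surface.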

What is the NIST framework used for? 

The main aim of the NIST framework is to help organisations charged with providing a nation’s energy, financial, healthcare, and other critical systems better protect their information and physical assets. The NIST cybersecurity framework provides a structure that regulators, organisations, and customers can use to assess, guide, create or improve comprehensive cybersecurity programs. 

“The framework provides a consensus description of what’s needed for a comprehensive cybersecurity program,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher when version 1.0 was launched in February 2014. “It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.” 


The NIST framework allows organisations of all sizes to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. 

Organisations can use the NIST cybersecurity framework to determine their current level of security, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity. It also offers a methodology to protect privacy and civil liberties to help organisations incorporate those protections into a comprehensive cybersecurity program. 

5 key functions of the NIST framework 

According to the official NIST website, the framework core has five key functions: identify, protect, detect, respond and recover. Let’s take a closer look: 


The Identify Function assists in developing an organisational understanding of how to manage cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organisation to focus and prioritise its efforts, consistent with its risk management strategy and business needs. 

Examples of outcome Categories within this Function include: 

  • Identifying physical and software assets within the organisation to establish the basis of an Asset Management program 
  • Identifying the Business Environment the organisation supports, including the organisation’s role in the supply chain and its place in the critical infrastructure sector 
  • Identifying cybersecurity policies established within the organisation to define the Governance program as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organisation 
  • Identifying asset vulnerabilities, threats to internal and external organisational resources, and risk response activities as a basis for the organisation’s Risk Assessment 
  • Identifying a Risk Management Strategy for the organisation including establishing risk tolerances 
  • Identifying a Supply Chain Risk Management strategy including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks 


The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services. It supports the ability to limit or contain the impact of a potential cybersecurity event. 

Examples of outcome Categories within this Function include: 

  • Protections for Identity Management and Access Control within the organisation including physical and remote access 
  • Empowering staff within the organisation through Awareness and Training, including role-based and privileged user training 
  • Establishing Data Security protection consistent with the organisation’s risk strategy to protect the confidentiality, integrity, and availability of information 
  • Implementing Information Protection Processes and Procedures to maintain and manage the protections of information systems and assets 
  • Protecting organisational resources through Maintenance activities, including remote maintenance 
  • Managing Protective Technology to ensure the security and resilience of systems and assets are consistent with organisational policies, procedures, and agreements 


The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. 

Examples of outcome Categories within this Function include: 

  • Ensuring Anomalies and Events are detected, and their potential impact is understood 
  • Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures including network and physical activities 
  • Maintaining Detection Processes to provide awareness of anomalous events 


The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. 

Examples of outcome Categories within this Function include: 

  • Ensuring Response Planning processes are executed during and after an incident 
  • Managing Crisis Communications during and after an event with internal stakeholders, law enforcement and external stakeholders as appropriate 
  • Conducting Analysis to ensure an effective response and to support recovery activities, including forensic analysis and determining the impact of incidents 
  • Mitigation activities are performed to prevent expansion of an event and to resolve the incident 
  • The organisation implements Improvements by incorporating lessons learned from current and previous detection / response activities 


The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. 

Examples of outcome Categories within this Function include: 

  • Ensuring the organisation implements Recovery Planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents 
  • Implementing Improvements based on lessons learned and reviews of existing strategies 
  • Internal and external Communications are coordinated during and following the recovery from a cybersecurity incident 

The 3 types of security controls 

Security controls play a foundational role in shaping the actions cybersecurity professionals take to protect an organisation. The management, operational, and technical controls (i.e., countermeasures or safeguards) prescribed for an information system protect the confidentiality, integrity, and availability of the system and its information. This three-class split comes from older NIST guidance (SP 800-18 and SP 800-53 up to Revision 3); SP 800-53 Revision 4 dropped the class labels, but the distinction remains a useful way to check that a control set is not purely technical. 

Let’s take a closer look: 

Management controls 

Management controls are actions taken to manage the maintenance, development, and use of the system, including system-specific procedures, policies, and rules of behaviour, individual accountability, individual roles and responsibilities, and personnel security decisions. 

Operational controls 

Operational controls maintain the integrity and security of system facilities, data centres, and equipment, which is key to protecting personal data. Operational controls for an information system are primarily implemented and executed by people (as opposed to systems). 

Technical controls 

Technical controls consist of the software and hardware components that protect a system against cyberattack. Firewalls, encryption, intrusion detection systems (IDS), and identification and authentication mechanisms are examples of technical controls. 

How to implement the NIST framework 


RiskXchange is the only platform that provides a complete 360-degree view of your attack surface, including that of your vendors. RiskXchange’s integrated cybersecurity risk platform helps you discover, continuously monitor, and reduce the risk across your enterprise and supply chain.  

Get in touch with RiskXchange to find out more about the NIST framework.