NIST Cybersecurity Framework (CSF)

Security Takeaway

The NIST Cyber Security Framework is “voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.”

The CSF Core (version 1.1) is organized into five Functions: Identify (ID), Protect (PR), Detect (DE), Respond (RS) and Recover (RC). Each Function is broken into the following Categories, and each Category contains multiple Subcategories, which are the individual outcome statements an organization assesses itself against. (CSF 2.0, published in 2024, adds a sixth Govern function and renumbers the Categories; the list below follows 1.1.)

  1. Asset Management (ID.AM)
  2. Business Environment (ID.BE)
  3. Governance (ID.GV)
  4. Risk Assessment (ID.RA)
  5. Risk Management Strategy (ID.RM)
  6. Supply Chain Risk Management (ID.SC)
  7. Identity Management, Authentication and Access Control (PR.AC)
  8. Awareness and Training (PR.AT)
  9. Data Security (PR.DS)
  10. Information Protection Processes and Procedures (PR.IP)
  11. Maintenance (PR.MA)
  12. Protective Technology (PR.PT)
  13. Anomalies and Events (DE.AE)
  14. Security Continuous Monitoring (DE.CM)
  15. Detection Processes (DE.DP)
  16. Response Planning (RS.RP)
  17. Communications (RS.CO)
  18. Analysis (RS.AN)
  19. Mitigation (RS.MI)
  20. Improvements (RS.IM)
  21. Recovery Planning (RC.RP)
  22. Improvements (RC.IM)
  23. Communications (RC.CO)

Each Subcategory is mapped to Informative References, the specific controls or clauses in existing standards that support that outcome, such as:

  • CIS Controls (CIS CSC)
  • COBIT 5
  • ISA 62443-2-1:2009 and ISA 62443-3-3:2013
  • ISO/IEC 27001:2013
  • NIST SP 800-53 Rev. 4

The NIST CSF document (PDF) and the Core spreadsheet of Functions, Categories, Subcategories and Informative References (Excel) are available for download at https://www.nist.gov/cyberframework/framework