Updated On 9 February, 2023
NIST Cybersecurity Framework Compliance

The first version of the NIST Cybersecurity Framework was published in 2014, and it was updated for the first time in April 2018. Although there were no substantial changes, the update brought a few new additions and clarifications. Appendix A of the framework, often called the Framework Core, is a twenty-page document that lists five functions: Identify, Protect, Detect, Respond, and Recover. Each function consists of various categories and sub-categories. Used correctly, Appendix A is a knight in shining armor when implementing the framework.
As per NIST, the framework guides decision-makers to take the lead on cybersecurity activities and to treat cybersecurity risk as part of their organization’s overall risk management process. NIST clearly does not expect every organization to comply with every part of the framework. Instead, it expects organizations to consider their business requirements and material risks before taking a well-informed and reasonable decision.
One of the most significant additions in version 1.1 of the NIST Cybersecurity Framework is a section titled “Self-assessing Cybersecurity Risk with the Framework.” This section encourages organizations to perform internal or external risk assessments using the framework. The individuals leading this exercise must have sufficient expertise to inform the decision-makers of the organization’s current risk profile, initiate the necessary discussions, and agree on a target risk profile. These activities should drive the organization’s adoption, implementation, and execution of a remediation plan that addresses the gaps between what the organization has today and what it needs in order to improve its security posture.
Cybersecurity Process
The process diagram given below illustrates how the NIST Cybersecurity Framework is implemented as a cybersecurity process.

Figure 1: Process diagram for the implementation of the NIST Cybersecurity Framework (Source: NIST)
Core Controls
Beyond the five functions stated above, the controls given in this framework are classified into the following categories; the identifier prefix (ID, PR, DE, RS, RC) shows which function each category belongs to:
Category | Explanation
Asset Management (ID.AM) |
Business Environment (ID.BE) |
Risk Assessment (ID.RA) |
Risk Management Strategy (ID.RM) |
Access Control (PR.AC) |
Awareness and Training (PR.AT) |
Data Security (PR.DS) |
Information Protection Processes and Procedures (PR.IP) |
Maintenance (PR.MA) |
Protective Technology (PR.PT) |
Anomalies and Events (DE.AE) |
Security Continuous Monitoring (DE.CM) |
Resource Planning (RS.RP) |
Communications (RS.CO) |
Analysis (RS.AN) |
Mitigation (RS.MI) |
Improvements (RS.IM) |
Recovery Planning (RC.RP) |
Improvements (RC.IM) |
Communications (RC.CO) |
Why should an organization adopt the NIST Cybersecurity Framework?