
What Is NIST CSF? Everything You Need to Know

There’s another NIST?! Yup. There does seem to be a never-ending list of letter and number combinations in information security. So, what is NIST CSF? Is it the same as the other NIST frameworks?

There may be a whole lot of NIST out there, but each framework and existing standard has its own unique function, purpose and role. NIST CSF does not replace NIST 800-171 or NIST 852; it builds on them.

So, does NIST CSF make sense for you? How do you develop and implement it at your organization? To find out, we sat down with Chika Nwajagu. She’s Tugboat Logic’s Information Security Senior Manager and previous Information Systems Auditor at Union Bank of Nigeria.



NIST CSF (The National Institute of Standards and Technology’s Cybersecurity Framework) or the NIST Cybersecurity Framework is a set of guidelines for organizations to manage and reduce cybersecurity risks.

You could call it the gold standard of all things cybersecurity.

This security standard does not explicitly prescribe controls (unlike PCI DSS for example). The framework guides businesses to implement relevant activities or practices to strengthen their overall security posture (more on that later). So, using this security standard will look different for every business.

This is one of many reasons some organizations use compliance software to guide them through the implementation and demonstration of NIST CSF compliance. Software provides control design guidance, policy templates and repositories to manage your NIST CSF compliance program.

Is NIST CSF Compliance Mandatory?

No, it’s a voluntary framework. So, unlike HIPAA, NIST CSF is not mandatory to do business in any industry.

Who Should Get NIST CSF? 

By design, this security framework is for businesses in every industry. It was created by stakeholders across different sectors like finance, fintech, healthcare, retail, academia and government.

NIST is flexible and easy to customize. It’s a great option for any organization in any sector looking to improve or gain more insights into their cybersecurity.

How Does NIST CSF Work? 

Five Functions

According to NIST, it’s designed to cover five functions. These include:


  • What are your critical assets that need protection? The Identify Function develops an organizational understanding of how to manage cybersecurity risks associated with systems, people, assets, data, and capabilities. It focuses on the business context, the resources that support critical functions, and the related cybersecurity risks.


  • The Protect Function ensures the delivery of critical infrastructure services. It also supports the ability to limit or contain the impact of potential cybersecurity events.


  • The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. It enables the timely discovery of cyber attacks or breaches.


  • The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. This function supports the ability to contain the impact of a potential cybersecurity incident.


  • The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. It supports timely recovery to normal operations to reduce the impact of a cybersecurity incident.

NIST CSF understands and acknowledges that even the most secure organizations are susceptible to cybersecurity breaches or attacks. This is what makes the framework unique, and in tune with the realities of our world today.

NIST CSF moves beyond data protection to best practices for detecting, responding and recovering from a breach or incident.

Categories, Subcategories and Informative References 

NIST CSF further breaks down functions into categories, subcategories and informative references. Let me use an example for this one.

NIST CSF is outcome-driven. Categories are desired outcomes. A category under the Protect Function is “Identity Management, Authentication and Access Control.” Meaning, the identity of data users will always be managed, authenticated and controlled. So, no unauthorized employee can access your customer data within the organization, for instance.

The subcategory is a safeguard for the category. Sticking with the “Identity Management, Authentication and Access Control” category, one of the subcategories is “identities are proofed and bound to credentials and asserted in interactions.”

This subcategory simply means that users in the organization need unique IDs and passwords. This is for identification, authentication and to control each user’s access to information systems. This is what ensures the desired outcome, or category.

NIST CSF has a lot of overlap with other popular security frameworks like ISO 27001, SOC 2, HIPAA and GDPR. Informative references highlight where you can find these overlaps in other frameworks. 

One informative reference for the “Identity Management, Authentication and Access Control” category is “A.7.1.1 – Screening.” This is a control in ISO 27001. A.7.1.1 ensures background checks on all candidates for employment in accordance with relevant laws, business goals, and perceived risks.

Informative references make it easy for people aligning themselves with NIST CSF to understand how close they are to being compliant with other security standards.
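To make the Function → Category → Subcategory → Informative Reference hierarchy concrete, here is an added example (not from the article or from Tugboat Logic) that models it as data and rolls it up the way a self-assessment would: an implementation score per function, and which controls of another framework are backed by an implemented subcategory. PR.AC-6 is the CSF v1.1 identifier for the subcategory quoted above; every other identifier, status value and reference below is a constructed placeholder.

```python
from collections import defaultdict
from dataclasses import dataclass

# Self-assessment status per subcategory, mapped to a numeric score (constructed scale).
SCORE = {"implemented": 1.0, "partial": 0.5, "missing": 0.0}

@dataclass(frozen=True)
class Subcategory:
    sid: str        # identifier, e.g. "PR.AC-6"
    outcome: str    # the desired outcome, in the framework's own words
    refs: tuple     # informative references as (framework, control) pairs

@dataclass(frozen=True)
class Category:
    function: str   # Identify / Protect / Detect / Respond / Recover
    name: str       # the category is the desired outcome
    subcategories: tuple

def coverage_by_function(categories, status):
    """Average implementation score per function; an unrecorded subcategory counts as missing."""
    totals, counts = defaultdict(float), defaultdict(int)
    for cat in categories:
        for sub in cat.subcategories:
            totals[cat.function] += SCORE[status.get(sub.sid, "missing")]
            counts[cat.function] += 1
    return {f: round(totals[f] / counts[f], 2) for f in counts}

def cross_framework_gaps(categories, status, framework):
    """Split another framework's controls reachable via informative references into
    those backed by at least one implemented subcategory and those still open."""
    covered, open_ = set(), set()
    for cat in categories:
        for sub in cat.subcategories:
            for fw, ctrl in sub.refs:
                if fw == framework:
                    (covered if status.get(sub.sid) == "implemented" else open_).add(ctrl)
    return sorted(covered), sorted(open_ - covered)

# Constructed sample catalog: the Protect category from the article plus placeholder entries.
CATALOG = (
    Category("Protect", "Identity Management, Authentication and Access Control", (
        Subcategory("PR.AC-6", "Identities are proofed and bound to credentials and asserted in interactions",
                    (("ISO 27001", "A.7.1.1 Screening"),)),
        Subcategory("PR.AC-x", "placeholder subcategory", (("ISO 27001", "A.x.x.x (placeholder)"),)),
    )),
    Category("Detect", "placeholder category", (
        Subcategory("DE.xx-x", "placeholder subcategory", (("ISO 27001", "A.y.y.y (placeholder)"),)),
    )),
)
STATUS = {"PR.AC-6": "implemented", "PR.AC-x": "partial"}  # DE.xx-x unrecorded -> missing
```

Running `coverage_by_function(CATALOG, STATUS)` gives Protect 0.75 and Detect 0.0, and `cross_framework_gaps(CATALOG, STATUS, "ISO 27001")` shows A.7.1.1 as covered while the two placeholder controls remain open.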

Are There NIST CSF Audits? 

No. When you work towards ISO 27001 or SOC 2 there is a formal audit process. If you pass your audit, you’ll receive an attestation at the end to show your compliance.

This is not the case for NIST CSF. There is no formal audit process or attestation. So a customer or prospect wouldn’t require a NIST CSF attestation to do business with you.

However, NIST is an internationally recognized and respected cybersecurity standard. You can tell customers and prospects you are aligned with NIST CSF. Or, that your cybersecurity practices are based on NIST CSF.

This is an international signifier that your organization prioritizes best practices for protecting critical assets and maintaining a strong security posture.

But, how can you demonstrate your alignment with this security standard? Some organizations use compliance software.

Software can create reports for prospective customers around your security practices and environment with a few clicks. A report like this can show how you’ve aligned your business with the NIST CSF framework.

How Much Does It Cost? 

The short answer is way less than any security framework that requires an audit.

A SOC 2 audit, for example, can cost anywhere from $15,500 – $100,000 depending on the size and scope of your organization.

NIST CSF is a great cost-effective option because there are no audit costs. You get to decide how much you invest in aligning your business with NIST CSF standards.


If NIST CSF isn’t mandatory, why would you use it?

Information security frameworks are not the most exciting or easy to understand. It’s okay, you can say that.

This is actually why NIST CSF was created! Its purpose is to be accessible to everyone. This is why it’s written in plain language and simplified.

The framework allows teams across your organization (like marketing, sales, engineering, HR etc.) to speak a common cybersecurity language.

As I’m sure you can imagine, this makes it much easier for teams to understand organizational cybersecurity goals and how to get there, especially in a work-from-home environment.

Organizations choose the NIST CSF framework because it:

  • Describes desired security outcomes, instead of controls that can be confusing.
  • Is understandable by everyone, regardless of their background.
  • Is applicable to any type of risk management across industries.
  • Defines the breadth of cybersecurity.
  • Spans data breach prevention and reaction.

NIST CSF above all else is a measurement tool. It’s a pathway for helping you understand your security maturity and risk level, along with the current security processes you’ve implemented.

In other words, the framework gives your team a common language to describe where your cybersecurity program is and where you want it to be.

Risk management is foundational to any secure environment. NIST CSF functions also help you to better manage cyber risk in a more organized, preventative and effective way.

NIST CSF and Tugboat Logic 

Tugboat Logic’s platform and easy-to-use workflows will give you everything you need to become aligned with NIST CSF, and with any other information security framework.

Our security veterans can facilitate your compliance so that you can focus on what you do best. Still have questions? Our NIST CSF experts are always here to help.

Ready to use automation to easily align yourself with the gold standard of cybersecurity? Grab a free trial of our platform.