What is NIST CSF?

The NIST Cybersecurity Framework is a voluntary, risk-based security framework published by the US National Institute of Standards and Technology; since a 2017 executive order, US federal agencies are also required to use it.


NIST Distilled


NIST CSF is an abbreviation of the National Institute of Standards and Technology Cybersecurity Framework, first published (as version 1.0) in the US in February 2014 in response to Executive Order 13636 on critical infrastructure cybersecurity. NIST CSF is a policy framework of cybersecurity guidance that describes how organizations, originally private-sector critical infrastructure operators, can assess and improve their ability to identify, protect against, detect, respond to, and recover from cyberattacks.

The framework provides a high-level taxonomy of cybersecurity outcomes as well as a methodology to assess and manage them. Since May 2017, when Executive Order 13800 was signed, all US federal agencies have been required to use it to manage their cybersecurity risk.

NIST CSF is designed with the intent that companies and other organizations use an assessment of the business risks they face to guide their use of the framework in a cost-effective way. The framework proposes using business drivers to guide cybersecurity activities and treats cybersecurity risk as part of the organization's wider risk management processes. The framework comprises three main components: the Framework Core, Framework Profiles, and Framework Implementation Tiers.

The Framework Core is a set of cybersecurity activities, outcomes, and informative references which are common across critical infrastructure sectors. It is organized into five Functions (Identify, Protect, Detect, Respond, and Recover), each broken down into Categories and Subcategories of outcomes, with Informative References pointing to the specific controls in standards such as ISO/IEC 27001, COBIT, and NIST SP 800-53 that achieve each outcome. Security architects can use this detailed guidance to develop organizational Profiles: a Current Profile records which outcomes the organization achieves today, and a Target Profile records the outcomes it needs given its business requirements, risk tolerances, and resources, so the gap between the two becomes the improvement plan. The Implementation Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, from informal and reactive to agile and risk-informed. Note that NIST explicitly states the Tiers do not represent maturity levels and that moving to a higher Tier is only encouraged where a risk analysis shows it is cost-effective. The four Implementation Tiers are:

Tier 1: Partial 
Risk management is ad hoc and often reactive, with limited organizational awareness of cybersecurity risk and no collaboration with, or information sharing among, external stakeholders.

Tier 2: Risk Informed 
Risk management practices are approved by management but are not established as organization-wide policy; the organization understands its role in the wider ecosystem, but has no formal capability for sharing information with external parties.

Tier 3: Repeatable 
Formally approved risk management policies are in place and applied enterprise-wide, are updated regularly as business requirements and the threat landscape change, and the organization collaborates with and receives information from external partners.

Tier 4: Adaptive 
Risk management processes adapt continuously based on lessons learned and predictive indicators, cybersecurity risk management is part of the company's culture and budgeting, and the organization proactively shares information with external partners to improve its own and others' security before incidents occur.


