What is the NIST Cybersecurity Framework?

Discover the NIST Cybersecurity Framework’s six key functions, how to customize your strategy, and assess readiness with implementation tiers.


As an IT or OT security manager, you’re in a constant balancing act of trying to secure your ICS and navigate resource constraints. Luckily, the NIST Cybersecurity Framework can make your day-to-day a little easier since it provides a structured and proactive approach to effectively address these challenges.

The NIST CSF, or National Institute of Standards and Technology Cybersecurity Framework, is a standardized cybersecurity framework created by the U.S. Department of Commerce. It focuses on business outcomes rather than requirements and covers various cybersecurity objectives across cyber, physical, and personal domains.

Why NIST CSF Was Developed

This framework was developed in response to the need for a structured and proactive approach to cybersecurity, as traditional reactive measures proved insufficient against evolving threats. It was established following a presidential executive order in 2013 and has since been updated to stay relevant in the changing cybersecurity landscape. The latest update is version 2.0, which NIST released in February 2024.

With the rise in cyberattacks, IT and OT teams don’t have time to waste. According to the SANS 2024 State of ICS/OT Cybersecurity white paper, approximately 45% of surveyed organizations now use the NIST Cybersecurity Framework for OT security. This post will highlight what you need to know about NIST CSF 2.0, profiles, and tiers.


The 6 Functions of the NIST CSF Framework Core

[Figure: NIST Cybersecurity Framework (CSF), "A reliable approach for 360° protection". The graphic pairs each function with an icon and its categories: balance scale (Govern): organizational context, risk management strategy, roles and responsibilities, policies and procedures; eye (Identify): asset management, business environment, risk assessment, risk management strategy; lock (Protect): awareness control, awareness and training, data security, info protection and procedures, maintenance, protective technology; magnifying glass (Detect): anomalies and events, security continuous monitoring, detection process; group of people responding to an alert (Respond): response planning, communications, analysis, mitigation, improvements; cycle (Recover): recovery planning, on-site restoration, improvements, communications.]

The ‘Framework Core’ offers accessible cybersecurity guidance with six primary functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each function has detailed categories and subcategories, like Asset Management under Identify, guiding organizations to inventory resources. It also includes references, standards, and guidelines to establish cybersecurity baselines and communicate status to stakeholders.

1. Govern

The “Govern” function establishes and maintains the organization’s risk management strategy. It sets the direction for how the organization handles the outcomes of the remaining five functions.

What it includes:

  • Establishing and communicating OT cybersecurity policies.
  • Coordinating and aligning OT cybersecurity roles and responsibilities.
  • Educating on and managing legal and regulatory requirements.
  • Incorporating cybersecurity risks into corporate risk management processes.
  • Implementing continuous oversight and checkpoints on ongoing initiatives.

2. Identify

The “Identify” function is the second step in the NIST Cybersecurity Framework. It involves understanding an organization’s assets, business context, and governance, and assessing its risks.

What it includes:

  • Asset Management: Creating an inventory of all assets.
  • Business Environment: Understanding the organization’s context and strategic goals.
  • Governance and Risk Management: Establishing policies for risk management.
  • Risk Assessment: Identifying cybersecurity risks.
  • Supply Chain Risk Management: Assessing third-party risks.

This function lays the groundwork for effective cybersecurity risk management by helping IT or OT security managers gain visibility into their enterprise networks and ICS so they know which infrastructure needs extra protection. For organizations, it informs decision-making and ensures alignment with strategic goals.

3. Protect

The “Protect” function focuses on safeguarding assets and data from cybersecurity threats through measures like access control, data security, awareness and training, and security policies.

What it includes:

  • Access Control: Controlling access to critical systems.
  • Data Security: Protecting data through encryption and secure storage.
  • Awareness and Training: Providing cybersecurity training.
  • Security Policies and Procedures: Implementing cybersecurity policies.
  • Incident Response Planning: Preparing for security incidents.
  • Secure Supply Chain Management: Ensuring third-party security.

Protecting assets and data is paramount for maintaining data integrity, confidentiality, and availability. These measures are instrumental in helping IT or OT security managers safeguard access controls for critical systems and secure industrial equipment configurations to reduce the overall attack surface and ensure the organization’s resilience.

4. Detect

The “Detect” function emphasizes early and effective detection of cybersecurity events, including monitoring for unusual activities and incidents.

What it includes:

  • Anomalies and Events: Monitoring for unusual activities.
  • Security Continuous Monitoring: Real-time threat detection.
  • Incident Detection and Response: Responding to security incidents.
  • Detection Processes: Formalized processes for detecting and reporting events.
  • Threat Intelligence Sharing: Sharing threat information.

Early detection is essential for identifying threats promptly. It allows IT or OT security managers to respond quickly, contain incidents, and minimize damage and downtime, ultimately improving cybersecurity risk management.

5. Respond

The “Respond” function involves actions taken after detecting a cybersecurity incident, including incident response planning, coordination, analysis, mitigation, recovery, and communication.

What it includes:

  • Incident Response Planning: Preparing for incident responses.
  • Incident Coordination and Communication: Coordinating responses and communication.
  • Incident Analysis: Understanding the incident’s nature and scope.
  • Incident Recovery: Restoring affected systems.
  • Coordination with Law Enforcement: Collaborating with law enforcement.

This function also helps IT or OT security managers develop an aligned and clear incident response plan that maintains stakeholder trust. The result is effective action that can limit impact, restore normal operations, and comply with legal and regulatory requirements.

6. Recover

The “Recover” function focuses on restoring services and operations after a cybersecurity incident, including recovery planning, coordination, communication, and lessons learned.

What it includes:

  • Recovery Planning: Developing and maintaining recovery plans.
  • Recovery Coordination: Coordinating recovery efforts.
  • Communication and Reporting: Transparent communication.
  • Lessons Learned: Identifying areas for improvement.

A swift and efficient recovery process helps IT or OT security managers limit downtime, return to normal business functionality, and bolster the organization’s resilience.

NIST CSF Profiles

What is a NIST CSF Profile?

In essence, NIST CSF Profiles are your customized roadmaps. They let you tailor the framework's outcomes to your specific risks, business objectives (e.g., uptime), and available resources. You can also compare your Current and Target Profiles to obtain a clear, prioritized action list that strengthens your security posture across both IT and OT.

How do NIST CSF Profiles Work?

Here’s how it works:

Selecting Outcomes: Organizations choose specific cybersecurity outcomes from various categories and subcategories provided by the NIST framework. These outcomes represent what they want to achieve in terms of cybersecurity.

Customization: The selected outcomes are tailored to fit the organization’s unique needs. This customization takes into account the organization’s business objectives, risk tolerance, available resources, and current cybersecurity practices.

Comparison: Organizations create two profiles—a ‘Current’ Profile reflecting their existing cybersecurity activities and a ‘Target’ Profile representing their ideal cybersecurity state. By comparing these two profiles, they can see the gaps between their current practices and their desired level of cybersecurity.

Why are NIST CSF Profiles Helpful?

Profiles are helpful for several reasons:

Customization: They allow organizations to adapt the NIST framework to their specific circumstances. This acknowledges that every organization has different goals, risks, and available resources.

Clarity: Profiles provide a clear roadmap, making it easy for organizations to understand what cybersecurity improvements they need to make.

Prioritization: Organizations can prioritize their efforts by identifying gaps between the ‘Current’ and ‘Target’ Profiles. They know which areas require immediate attention to enhance their cybersecurity posture.

Alignment: Profiles help align cybersecurity activities with the organization’s overall business objectives. This allows cybersecurity efforts to support and enhance the organization’s mission.

In summary, a Profile is a tailored plan that helps an organization set specific cybersecurity goals, customize its approach, and prioritize actions to improve its cybersecurity practices, aligning those efforts with its unique needs and objectives.

NIST CSF Implementation Tiers


Understanding the NIST CSF Implementation Tiers allows you to assess your organization’s current cybersecurity maturity. Whether you’re just starting to address OT security (Tier 1) or have a more established OT security program (Tier 3 or 4), these tiers provide you with a framework for continuous improvement and an opportunity to align your security investments with your business objectives.

Tier 1: Partial – Beginning to Implement the Appropriate Activities

Organizations at Tier 1 have a Partial approach to cybersecurity. They may recognize the importance of cybersecurity but have not yet fully established the processes needed to manage cyber risks effectively. Characteristics include:

  • Ad Hoc Responses: Cybersecurity practices are typically reactive and implemented ad hoc.
  • Limited Awareness: There is an overall awareness of cybersecurity within the organization, but it is not comprehensive or formalized.
  • Inconsistent Implementation: Cybersecurity activities are performed, but they may not be consistent across the organization, often due to a lack of standardized policies.
  • Informal Risk Management: Risk management is conducted informally, without a structured approach or comprehensive understanding of the organization’s risk profile.

Tier 2: Risk Informed – Developing Cybersecurity Risk Management Strategies

At Tier 2, organizations are Risk-Informed. They have taken steps to develop cybersecurity risk management strategies and are aware of the risks but may not have fully implemented a companywide approach. Features include:

  • Risk Awareness: Management is aware of and understands cybersecurity risks at a high level.
  • Approval of Practices: Management may approve cybersecurity practices, but they are not yet standardized across the organization.
  • Informal Processes: While there may be some established processes, they are not yet formalized or fully integrated into business practices.
  • Prioritized Actions: The organization begins prioritizing cybersecurity actions based on its understanding of risk.

Tier 3: Repeatable – Standardizing Respond and Recover Procedures

Tier 3 organizations have Repeatable processes. They have established formalized cybersecurity practices that are consistently implemented across the organization. Characteristics include:

  • Formalized Policy: There is a formalized and documented cybersecurity policy that is regularly updated.
  • Consistent Implementation: Cybersecurity practices are consistently implemented, with a clear understanding of the organization’s risk profile.
  • Integrated Risk Management: Cybersecurity risk management is integrated into the organizational processes and is part of the overall business risk management.
  • Effective Communication: There is effective communication about cybersecurity risks within the organization and with external partners.

Tier 4: Adaptive – Continuously Improving Implementation Tiers

Organizations at Tier 4 are Adaptive. They have a sophisticated and advanced cybersecurity posture that adapts proactively to evolving cyber threats and business needs. Features include:

  • Advanced Risk Management: Cybersecurity practices are based on advanced risk management strategies and are adapted proactively to keep pace with the changing threat landscape.
  • Continuous Improvement: The organization continuously learns and improves its cybersecurity practices based on lessons learned and predictive indicators from current and past cybersecurity activities.
  • Organizational Collaboration: There is a companywide approach to cybersecurity, with strong collaboration across all levels of the organization.
  • External Engagement: The organization actively engages with external partners and collectively shares information to improve security posture.

Each tier builds on the previous, offering a more comprehensive approach to managing cybersecurity risk. Organizations use these tiers to assess their status, find areas for improvement, and make strategic cybersecurity decisions, aiming to align with their risk tolerance, resources, and business needs.
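The Profile comparison described earlier (Selecting Outcomes, Customization, Comparison) and the Tier scale above can be combined into a simple gap analysis. The following is an added example, not code from the original post or from NIST: each outcome is scored on the 1-4 tier scale in both the Current and Target Profile, weighted by a business priority set during risk assessment, and the resulting action list is ordered by weighted gap. The category ids (GV.OC, ID.AM, PR.AA, DE.CM, RS.MA, RC.RP) are CSF 2.0 category identifiers; the names, scores and weights are constructed sample data.

```python
from dataclasses import dataclass

# Implementation Tier scale from the post: 1 Partial .. 4 Adaptive.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    category: str  # CSF 2.0 category id, e.g. ID.AM (Asset Management)
    name: str      # human-readable name as used in the post's lists
    current: int   # tier reached today (Current Profile)
    target: int    # tier the organization wants (Target Profile)
    weight: int    # business priority 1-5 from risk assessment (constructed)

    def __post_init__(self):
        # Reject scores outside the tier scale so a typo cannot skew ranking.
        for tier in (self.current, self.target):
            if tier not in TIERS:
                raise ValueError(f"{self.category}: tier {tier} not in 1-4")
        if not 1 <= self.weight <= 5:
            raise ValueError(f"{self.category}: weight {self.weight} not in 1-5")

    def gap(self) -> int:
        # Outcomes already at or above target have no gap to close.
        return max(self.target - self.current, 0)

    def priority(self) -> int:
        # Bigger gap on a more business-critical outcome ranks higher.
        return self.gap() * self.weight


def gap_analysis(profile: list[Outcome]) -> list[Outcome]:
    """Outcomes with a gap, highest priority first; ties broken by category id."""
    return sorted((o for o in profile if o.gap() > 0),
                  key=lambda o: (-o.priority(), o.category))


def action_list(profile: list[Outcome]) -> list[str]:
    """Prioritized action list comparing the Current and Target Profiles."""
    return [f"{o.category} {o.name}: {TIERS[o.current]} -> {TIERS[o.target]}"
            f" (priority {o.priority()})" for o in gap_analysis(profile)]


# Constructed sample profile for an OT environment where uptime dominates.
SAMPLE_PROFILE = [
    Outcome("GV.OC", "Organizational Context", 2, 3, 3),
    Outcome("ID.AM", "Asset Management", 1, 3, 5),
    Outcome("PR.AA", "Access Control", 2, 3, 4),
    Outcome("DE.CM", "Security Continuous Monitoring", 1, 4, 4),
    Outcome("RS.MA", "Incident Response Planning", 3, 3, 4),
    Outcome("RC.RP", "Recovery Planning", 2, 3, 2),
]

if __name__ == "__main__":
    print("\n".join(action_list(SAMPLE_PROFILE)))
```

Asset inventory and continuous monitoring surface first here because they have both the largest tier gaps and the highest uptime weight; RS.MA, already at target, drops out of the list.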

Securing the Future: NIST Cybersecurity Framework for IT and OT

The NIST Cybersecurity Framework is a proactive yet versatile tool that provides organizations with a north star to navigate the complex landscapes of IT and OT security. Whether you’re operating in the digital realm of IT or the physical realm of OT, the NIST CSF stands as a valuable resource for enhancing cybersecurity practices and safeguarding critical operations.

By embracing the proactive elements of the NIST CSF framework, you can build greater resilience and help secure your organization's critical infrastructure.


Published September 11, 2025

Topics: Build Resilience, Cybersecurity
