The first version of the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) was published in 2014 to provide guidance for organizations looking to bolster their cybersecurity defenses. It was created by cybersecurity professionals from government, academia and various industries at the behest of President Obama and later made into federal government policy by the Trump administration.   

While the vast majority of organizations recognize the value in such a universally recommended, collaborative effort to improve cybersecurity in businesses of all sizes, adapting and implementing the framework is easier said than done. The content of the NIST CSF is freely available for all, so we’re not going to discuss it in great depth here. Instead, we’re going to set out five steps to help you turn the NIST CSF into a reality for your organization. (See image 1 above.)


Set Your Target Goals

Before you even think about how to implement the NIST CSF, you must take aim at setting up your target goals. The first hurdle that many organizations encounter is establishing agreement throughout the organization about risk tolerance levels. There is often a disconnect between upper management and IT about what constitutes an acceptable level of risk.

Draft a definitive agreement on governance for your organization to clarify precisely what level of risk is acceptable. Everybody must be on the same page before you proceed. It’s also important to work out your budget, set high level priorities for the implementation and establish which departments you want to focus on.

It makes a lot of sense to start with a single department or a subset of departments within your organization. Run a pilot program so that you can learn what does and doesn’t work and identify the right tools and best practices for wider deployment. This will help you to craft further implementations plans and accurately estimate the cost.

Create a Detailed Profile

The next step is to drill a bit deeper and tailor the framework for your specific business needs. The Framework Implementation Tiers will help you to understand your current position and where you need to be. They’re divided into three areas:

  • Risk Management Process
  • Integrated Risk Management Program
  • External Participation

Like most of the NIST CSF, these should not be taken as set-in-stone. They can be adapted for your organization. You may prefer to categorize them as people, process and tools, or to add your own categories to the framework.

Each one runs from tier one to tier four.

  • Tier 1 – Partial generally denotes an inconsistent and reactive cybersecurity stance.
  • Tier 2 – Risk Informed allows for some risk awareness, but planning is consistent.
  • Tier 3 – Repeatable indicates organization-wide CSF standards and consistent policy.
  • Tier 4 – Adaptive refers to proactive threat detection and prediction.

Higher levels are considered a more complete implementation of CSF standards, but it’s a good idea to customize these tiers to ensure they’re aligned with your goals. Use your customized tiers to set target scores and ensure all key stakeholders agree before you proceed. The most effective implementations will be closely tailored for specific businesses.

Assess Your Current Position

Now it’s time to conduct a detailed risk assessment, so that you can establish your status. It’s a good idea to conduct an independent risk assessment. Identify software tools capable of scoring your target areas and train up staff to use them, or hire a third-party to run your risk assessment. It’s crucial that the people performing the risk assessment have no knowledge of your target scores.

The final scores should be aggregated and validated before they’re presented to the key stakeholders. At the end of this process, your organization should have a clear understanding of the cybersecurity risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals. Vulnerabilities and threats should be identified and fully documented.

Analyze Gaps and Identify Necessary Actions

Armed with a deeper knowledge of cybersecurity risks and the potential business impacts for your organization, you can move on to a gap analysis. The idea is to compare your actual scores with your target scores. You may want to create a heat map to illustrate the results in an accessible and digestible way. Any significant differences immediately highlight areas that you’ll want to focus on. (See image 2 above.)

Work out what you need to do to close the gaps between your current scores and your target scores. Identify a series of actions that you can take to improve your scores and prioritize them through discussion with all key stakeholders.

Specific project requirements, budgetary considerations and staffing levels may all influence your plan.

Implement an Action Plan

With a clear picture of the current health of your cybersecurity defenses, a set of organizationally aligned target goals, a comprehensive gap analysis and a set of remediation actions, you are finally ready to implement the NIST CSF. Use your first implementation as an opportunity to document processes and create training materials for wider implementation down the line.

The implementation of your action plan is not the end. You need to set up metrics to test its efficacy and continuously reassess your cybersecurity framework to ensure that it’s meeting expectations.

There should be an ongoing continual process of iteration and validation. Keep up the dialogue about risk and ensure key decision-makers remain engaged. To get the maximum benefit for your organization, you should continue to hone the implementation process and further customize the NIST CSF to fit your business needs.