# NIST Cybersecurity Framework
Implement the NIST CSF for comprehensive cybersecurity with CyberOrigen.
## Overview
NIST CSF (Cybersecurity Framework) provides a voluntary framework for managing cybersecurity risk. It's widely adopted across industries and serves as a foundation for many regulations.
## Framework Structure
### Core Functions
| Function | Code | Description |
|---|---|---|
| Identify | ID | Understand your cybersecurity risk |
| Protect | PR | Safeguard critical services |
| Detect | DE | Identify cybersecurity events |
| Respond | RS | Take action on incidents |
| Recover | RC | Restore capabilities |
### Categories
#### Identify (ID)
- ID.AM: Asset Management
- ID.BE: Business Environment
- ID.GV: Governance
- ID.RA: Risk Assessment
- ID.RM: Risk Management Strategy
- ID.SC: Supply Chain Risk
#### Protect (PR)
- PR.AC: Access Control
- PR.AT: Awareness and Training
- PR.DS: Data Security
- PR.IP: Information Protection
- PR.MA: Maintenance
- PR.PT: Protective Technology
#### Detect (DE)
- DE.AE: Anomalies and Events
- DE.CM: Continuous Monitoring
- DE.DP: Detection Processes
#### Respond (RS)
- RS.RP: Response Planning
- RS.CO: Communications
- RS.AN: Analysis
- RS.MI: Mitigation
- RS.IM: Improvements
#### Recover (RC)
- RC.RP: Recovery Planning
- RC.IM: Improvements
- RC.CO: Communications
### Implementation Tiers
| Tier | Name | Description |
|---|---|---|
| 1 | Partial | Ad hoc, reactive |
| 2 | Risk Informed | Some awareness, not organization-wide |
| 3 | Repeatable | Formal policies, organization-wide |
| 4 | Adaptive | Continuous improvement, predictive |
## Getting Started
### 1. Enable Framework
- Go to GRC → Frameworks
- Click Enroll on NIST CSF
- Click Enable
### 2. Create Current Profile
Assess your current state:
- Go to GRC → Control Library
- Filter by NIST CSF
- Rate current implementation
- Document gaps
### 3. Set Target Profile
Define desired state:
- Identify business objectives
- Set target implementation levels
- Prioritize gaps
- Create roadmap
## Key Subcategories
### ID.RA - Risk Assessment
| Subcategory | Description | CyberOrigen Feature |
|---|---|---|
| ID.RA-1 | Asset vulnerabilities identified | Vulnerability scanning |
| ID.RA-2 | Threat intelligence received | MISP integration |
| ID.RA-5 | Threats, vulnerabilities, impacts used for risk | Risk register |
### PR.AC - Access Control
| Subcategory | Description | CyberOrigen Feature |
|---|---|---|
| PR.AC-1 | Identities managed | Access scanning |
| PR.AC-3 | Remote access managed | Configuration checks |
| PR.AC-4 | Access permissions managed | Access reviews |
### DE.CM - Continuous Monitoring
| Subcategory | Description | CyberOrigen Feature |
|---|---|---|
| DE.CM-4 | Malicious code detected | Quarantine system |
| DE.CM-8 | Vulnerability scans performed | 11-phase scanning |
### RS.MI - Mitigation
| Subcategory | Description | CyberOrigen Feature |
|---|---|---|
| RS.MI-1 | Incidents contained | Remediation workflow |
| RS.MI-2 | Incidents mitigated | Ansible automation |
| RS.MI-3 | New vulnerabilities mitigated | Finding management |
## Control Mapping
Each NIST CSF subcategory maps to corresponding controls in other frameworks:
| NIST CSF | SOC 2 | ISO 27001 | PCI-DSS |
|---|---|---|---|
| PR.AC-1 | CC6.1 | A.9.1.1 | 7.1 |
| PR.DS-1 | CC6.7 | A.10.1.1 | 3.4 |
| DE.CM-8 | CC7.1 | A.12.6.1 | 11.2 |
| RS.MI-2 | CC7.4 | A.16.1.5 | 12.10 |
## Informative References
NIST CSF links to other standards:
| Reference | Coverage |
|---|---|
| NIST SP 800-53 | Detailed controls |
| ISO 27001 | ISMS requirements |
| CIS Controls | Technical controls |
| COBIT | IT governance |
## Profile Development
### Industry Profiles
Pre-built profiles for:
- Financial services
- Healthcare
- Energy/utilities
- Manufacturing
- Technology
### Custom Profiles
Build your own:
- Select applicable categories
- Set implementation tiers
- Add organization-specific controls
- Document rationale
## Maturity Assessment
### Self-Assessment
Rate each subcategory:
| Level | Description |
|---|---|
| 0 | Not implemented |
| 1 | Initial/ad hoc |
| 2 | Developing |
| 3 | Defined |
| 4 | Managed |
| 5 | Optimizing |
### Gap Analysis
CyberOrigen shows:
- Current vs target levels
- Priority gaps
- Remediation recommendations
- Progress tracking
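As an added illustration of the four items above (this is example code, not CyberOrigen's own implementation), the following Python script performs a gap analysis between a current profile and a target profile, with each subcategory rated on the 0-5 self-assessment scale from the previous section. The two profiles are constructed sample data; the remediation hints are taken from the Common Gaps table later on this page and keyed by category, which is a simplification; and the function and field names (`gap_analysis`, `shortfall_by_function`, `progress`, `Gap`) are this example's own.

```python
"""Gap analysis between a current and a target NIST CSF profile.

Added example, not CyberOrigen code. Ratings use the page's 0-5
self-assessment scale; the profiles below are constructed sample data.
"""
from dataclasses import dataclass

# Maturity levels from the Self-Assessment table.
LEVELS = {0: "Not implemented", 1: "Initial/ad hoc", 2: "Developing",
          3: "Defined", 4: "Managed", 5: "Optimizing"}

# Category-level remediation hints, taken from the Common Gaps table.
# A real tool would carry hints per subcategory; this is a simplification.
REMEDIATION = {
    "ID.RA": "Implement scanning",
    "PR.AT": "Training program",
    "DE.CM": "SIEM/monitoring",
    "RS.RP": "IR playbook",
}
DEFAULT_HINT = "Review control implementation"

# Constructed sample profiles: subcategory -> maturity level (0-5).
CURRENT_PROFILE = {"ID.RA-1": 1, "ID.RA-2": 0, "PR.AC-1": 3, "PR.AT-1": 0,
                   "DE.CM-8": 2, "RS.RP-1": 0, "RS.MI-1": 3}
TARGET_PROFILE = {"ID.RA-1": 3, "ID.RA-2": 2, "PR.AC-1": 3, "PR.AT-1": 3,
                  "DE.CM-8": 4, "RS.RP-1": 3, "RS.MI-1": 3}


@dataclass(frozen=True)
class Gap:
    subcategory: str   # e.g. "PR.AT-1"
    current: int
    target: int
    recommendation: str

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def function(self) -> str:
        return self.subcategory.split(".", 1)[0]      # "PR"

    @property
    def category(self) -> str:
        return self.subcategory.split("-", 1)[0]      # "PR.AT"


def validate_profile(profile: dict) -> None:
    """Reject ratings outside the 0-5 scale before they skew the analysis."""
    for sub, level in profile.items():
        if level not in LEVELS:
            raise ValueError(f"{sub}: level {level!r} is not on the 0-5 scale")


def gap_analysis(current: dict, target: dict) -> list:
    """Current vs target: return every shortfall as a Gap, highest priority first.

    A subcategory absent from the current profile counts as 0 (not implemented).
    Priority order: largest shortfall, then lowest current level, then name.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for sub, wanted in target.items():
        have = current.get(sub, 0)
        if wanted > have:
            category = sub.split("-", 1)[0]
            gaps.append(Gap(sub, have, wanted, REMEDIATION.get(category, DEFAULT_HINT)))
    return sorted(gaps, key=lambda g: (-g.size, g.current, g.subcategory))


def shortfall_by_function(gaps: list) -> dict:
    """Total shortfall per core function (ID/PR/DE/RS/RC) to spot the weakest area."""
    totals: dict = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.size
    return totals


def progress(current: dict, target: dict) -> float:
    """Progress tracking: percentage of target subcategories already at target level."""
    if not target:
        return 0.0
    met = sum(1 for sub, wanted in target.items() if current.get(sub, 0) >= wanted)
    return round(100.0 * met / len(target), 1)


if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f"{g.subcategory}: {LEVELS[g.current]} -> {LEVELS[g.target]} "
              f"(gap {g.size}), recommend: {g.recommendation}")
    print("Shortfall by function:", shortfall_by_function(gaps))
    print(f"Progress: {progress(CURRENT_PROFILE, TARGET_PROFILE)}% of targets met")
```

With the sample profiles, the two level-0 subcategories with a target of 3 (PR.AT-1 and RS.RP-1) come out first, and progress reports 28.6% because only two of the seven target subcategories are already met. Treating a missing rating as level 0 rather than skipping it is deliberate: an unassessed subcategory is a gap in the profile, not evidence of implementation.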
## Evidence Collection
### Automated Evidence
- Vulnerability scan results
- Access configuration reports
- Security monitoring logs
- Incident response records
### Manual Evidence
- Policies and procedures
- Training records
- Risk assessments
- Business continuity plans
## Continuous Improvement
### Metrics
Track cybersecurity metrics:
- Vulnerability closure rate
- Incident response time
- Control implementation %
- Risk reduction over time
### Review Cycle
- Monthly: Metrics review
- Quarterly: Profile assessment
- Annually: Full framework review
## Common Gaps
| Category | Gap | Solution |
|---|---|---|
| ID.RA | No vulnerability scanning | Implement scanning |
| PR.AT | No security training | Training program |
| DE.CM | No monitoring | SIEM/monitoring |
| RS.RP | No incident plan | IR playbook |