Mastering Cyber Resilience Chapter 4: NIST Cybersecurity Framework

A/CCRF Domain 1: Framework Concepts (25%)

Finally we’re getting into NIST! 🎉 

Exam Objectives 📚️ 

Exam objectives document: AKYLADE_CRF-002_Objectives_v1-1.pdf (PDF, 1.11 MB)

Candidates must be able to understand the key concepts related to the NIST Cybersecurity Framework, including the following terms:

  • Cybersecurity

  • Information security

  • Information systems security

  • Information assurance

  • Cyber resilience 

  • Cybersecurity incident

  • Stakeholder

  • Supplier

  • Critical infrastructure

  • Threats

  • Vulnerabilities

  • Confidentiality

  • Integrity

  • Availability

  • Non-repudiation

  • Authentication

1.3 Summarize how the NIST Cybersecurity Framework is different from other frameworks and certifications

Applicable Sectors and Industries

  • Government

  • Healthcare

  • Financial Services

  • Energy

  • Manufacturing

  • Retail

  • Transportation

  • Critical Infrastructure

Characteristics of the Framework

  • Voluntary Set of Guidelines

  • Flexibility and Adaptability

  • Focus on Risk Instead of Technical Controls

  • Focus on Risk Instead of Compliance Requirements

  • Facilitate Communication and Collaboration

  • Continually Improved and Evolving

1.4 Explain the benefits of achieving cyber resilience to key stakeholders

  • Development of the NIST Cybersecurity Framework

  • History of the NIST Cybersecurity Framework

    • Executive Order 13636

    • Executive Order 13800

    • Executive Order 14028

    • Cybersecurity Enhancement Act of 2014

    • Federal Information Security Modernization Act (FISMA) of 2014

    • Cybersecurity Information Sharing Act (CISA) of 2015

    • Relevance of NIST Cybersecurity Framework to Contemporary Cyber Risks

NIST Cybersecurity Framework 📃 

The set of guidelines, best practices, and standards developed by the United States government to help organizations manage and improve their cybersecurity risk management processes.

Top three things to know at this stage:

  1. Designed to help businesses and organizations of all sizes to better understand, manage, and reduce their cybersecurity risk and protect their information systems and the data they contain

  2. Helps provide a common language and systematic methodology for managing cybersecurity risk and enhancing cyber resilience

  3. Based on input from experts in private industry

Development of the NIST Cybersecurity Framework 🛠️ 

From the Federal Government, to Critical Infrastructure, to a Quick-Start Guide for small and medium businesses with modest or no cybersecurity plans in place, the framework's reach has widened with each release:

NIST CSF Development

February 2013 Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”

It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.

  • Recognized the growing threats to critical infrastructure and called for the development of a framework to enhance the cybersecurity posture of the United States.

  • It aimed to foster collaboration between the government and private sector, to improve the protection and resilience of critical infrastructure.

  • Directed NIST to develop the framework, establishing the requirements for what became the NIST CSF

February 2014 Framework for Improving Critical Infrastructure Cybersecurity v1.0

  • NIST was responsible for getting the framework created and published

  • The primary authors were cybersecurity practitioners from multiple organizations and industries across the US

  • They identified existing cybersecurity standards, guidelines, frameworks, and best practices

  • They also identified high-priority gaps and action plans where new or revised standards were needed

  • Adoption was rapid inside the critical infrastructure sector, and beyond

April 2018 NIST CSF v1.1

  • Backward compatible with version 1.0

  • Helpful additions, including a new self-assessment section

  • There was a greater focus on supply chain risk management

February 2024 NIST Cybersecurity Framework version 2.0

  • Removes the critical infrastructure focus, making it applicable to all organizations

    • Name change from "Framework for Improving Critical Infrastructure Cybersecurity" to the more widely accepted and commonly used nomenclature of "Cybersecurity Framework", with the official abbreviation CSF

    • Changed scope to apply to all organizations, regardless of their associated sector, type or size

  • Added a sixth function called Govern to highlight the importance of governance

    • Elevated from previously being a subset of Identify

  • There was a re-categorization of many categories and subcategories

  • Increases the focus on cybersecurity supply chain risks

  • Improves language to facilitate better communication between technical and non-technical stakeholders.

Relevant Executive Orders and Regulations 📜

Cybersecurity Enhancement Act of 2014

  • Aimed to strengthen and advance cybersecurity research, development, education and workforce efforts in the United States.

  • Gave the CSF a statutory basis: the Act directs NIST to facilitate and support the development of a voluntary, consensus-based, industry-led set of standards and guidelines to reduce cyber risks to critical infrastructure, which is the work the CSF had begun under Executive Order 13636.

Federal Information Security Modernization Act (FISMA) of 2014

  • Updated and amended the Federal Information Security Management Act of 2002, modernizing how federal information security is managed and overseen.

  • Emphasized risk-based approaches and the use of NIST standards and guidelines to improve the security posture of federal agencies and the protection of federal information systems; this is the statutory footing on which later direction to use the CSF (Executive Order 13800) rests.

Cybersecurity Information Sharing Act (CISA) of 2015

  • Facilitates the sharing of cybersecurity threat information between the government and the private sector.

  • CSF played a complementary role in this act, serving as a guide for enhancing cybersecurity practices and establishing effective information sharing mechanisms.

Executive Order 13800 - May 2017

  • "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure": required executive branch agencies to use the CSF to manage their cybersecurity risk and encouraged the private sector to adopt it.

  • Recognized the framework's value in improving risk management and prioritizing cybersecurity investments across sectors, in support of the United States' overall national defense posture.

May 2021 Executive Order 14028

  • Mandated that the federal government adopt best practices and operate more securely and efficiently by modernizing federal cybersecurity, enhancing software supply chain security, establishing the Cyber Safety Review Board, and creating a standard playbook for responding to cyber incidents.

  • Doesn’t directly mention CSF by name but its practices and standards align closely.

Applicability of the Cybersecurity Framework 🌎️ 

Bottom line:

  1. Cybersecurity risk continues to increase, with no signs of slowing down

  2. Costs of cybersecurity risks continue to grow

Why? 🤔 

The greatest threat that faces any of us today is the threat of complexity: Trillions of lines of code in billions of devices, with ubiquitous connectivity across the globe.

Dr. Ron Ross, Distinguished Fellow of NIST

Characteristics of the Framework 📏

Voluntary Framework

The CSF is a foundational resource that may be adopted voluntarily and through governmental policies and mandates.

Flexible, Adaptive

The CSF describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. Because these outcomes are sector-, country-, and technology-neutral, they provide an organization with the flexibility needed to address their unique risks, technologies, and mission considerations.

Focus on Risk Instead of Controls

Organizations will continue to have unique risks — including different threats and vulnerabilities — and risk tolerances, as well as unique mission objectives and requirements. Thus, organizations’ approaches to managing risks and their implementations of the CSF will vary.

Focus on Risk Instead of Compliance

  • While compliance with regulations and standards is important, an organization's first goal is to reduce risk and to foster a risk-based mindset

  • Compliance then follows from a well-run risk program, rather than driving it

Facilitates Communication and Collaboration

When implementing the CSF, managers will focus on how to achieve risk targets through common services, controls, and collaboration, as expressed in the Target Profile and improved through the actions being tracked in the action plan (e.g., risk register, risk detail report, Plan of Action and Milestones (POA&M)).

Preparing to create and use Organizational Profiles involves gathering information about organizational priorities, resources, and risk direction from executives. Managers then collaborate with practitioners to communicate business needs and create risk-informed Organizational Profiles.

  • Common language and structure for discussing cybersecurity risks, enabling different teams and departments to communicate effectively and align their efforts.

  • This characteristic fosters a culture of collaboration, ensuring that cybersecurity considerations are integrated into various aspects of the organization’s operations.

Continually Improving and Evolving

The CSF is a living document: NIST revises it through public drafts and comment periods, as the v1.0 (2014), v1.1 (2018) and v2.0 (2024) releases above show, and organizations are likewise expected to revisit their Profiles as threats, technology and business needs change.

Cyber Resilience 💪

Term: Cyber Resilience

Definition: An organization's ability to withstand and adapt to cyber threats by implementing proactive measures, effectively responding to and recovering from cyber attacks or disruptions, and maintaining essential functions while minimizing damage.

This encompasses a range of strategies, including robust security controls, regular vulnerability assessments, employee education on cybersecurity best practices, and the establishment of incident response plans.

So What?

  • Probably a better name than "Cybersecurity", where "secure" sounds narrowly PROTECT-focused

  • Think both left and right of boom

  • "It's not if, but when"

  • "There's two types of organizations"

  • Be proactive to prevent or minimize the impact of cyber incidents

  • Also be able to quickly detect, isolate, restore and recover systems when a cyber incident occurs

Critical Infrastructure ⚙️ 

Term: Critical Infrastructure

Definition: "Any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these" - DHS

So What: The Department of Homeland Security (DHS) lists 16 Critical Infrastructure sectors:

  1. Chemical - Organizations and companies that manufacture, store, use, and transport potentially dangerous chemicals used by other critical infrastructure sectors

  2. Commercial Facilities - Buildings, facilities, and spaces used for commercial purposes, including retail, entertainment, and hospitality

  3. Communications - Networks, systems, and assets involved in providing communication services, including broadcasting, telecommunications, and internet service providers

  4. Critical Manufacturing - Facilities and processes involved in the production of essential goods, such as metals, machinery, transportation equipment, and pharmaceuticals

  5. Dams - Structures, systems, and resources related to dam operations and water control, including hydroelectric power generation

  6. Defense Industrial Base - Companies and assets involved in the research, development, production, and maintenance of defense-related equipment, systems, and services

  7. Emergency Services - Agencies, organizations, and personnel responsible for emergency management, firefighting, medical services, and public safety

  8. Energy - Resources, systems, and infrastructure involved in the production, transmission, and distribution of energy, including electricity, oil, and natural gas

  9. Financial Services - Institutions and systems providing financial services, including banking, insurance, investment, and payment systems

  10. Food and Agriculture Sector - Facilities, systems, and resources related to the production, processing, and distribution of food, beverages, and agricultural products

  11. Government Facilities - Buildings, offices, and structures used by federal, state, local, tribal, and territorial governments for administrative and public services

  12. Healthcare and Public Health - Facilities, personnel, and networks involved in providing healthcare services, medical research, and public health support

  13. Information Technology - Systems, networks, and infrastructure used for information processing, storage, and communication, including software development and cybersecurity

  14. Nuclear Reactors, Materials, and Waste - Facilities, processes, and materials associated with nuclear power generation, research, and waste management

  15. Transportation Systems - Infrastructure, networks, and assets involved in the movement of people and goods, including aviation, maritime, rail, and road transportation

  16. Water and Wastewater Systems - Facilities, systems, and resources responsible for providing drinking water and managing wastewater treatment and disposal

Intended Audience & Purpose of CSF 👥

Valuable beyond Critical Infrastructure

Non-critical verticals and the CSF benefits they get:

  • Retail: protect customers' data, secure the company's online transactions, and manage supply chain vulnerabilities

  • Manufacturing: address industrial control system security and intellectual property protection, and help secure product development

  • CSF is a series of best practices and guidelines and not a compliance standard that must be strictly adhered to

    • It can be scaled up or down

  • Only 32 pages long in version 2.0!

    • Concise and relatively quick to implement

  • BUT – official NIST documents tell you what to do, without telling you how to do it

    • That is why A/CCRF and A/CCRP are important to your career growth and progression!

Purpose

CSF helps organizations:

  • Describe current cybersecurity posture

  • Describe target state for cybersecurity

  • Identify and prioritize opportunities for improvement

  • Assess progress toward the target state

  • Communicate among internal and external stakeholders
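As an added worked example (code written for these notes, not part of the A/CCRF course material or any NIST publication), here are the five purposes above as a small Python gap analysis between a Current and a Target Organizational Profile: it lists open gaps in priority order and measures progress toward the target. The outcome identifiers follow the CSF 2.0 naming style and their one-line descriptions are paraphrases; the 0-4 implementation scale, the priority weights and the sample profiles are assumptions made for the example, since the CSF itself prescribes no numeric scoring of outcomes.

```python
"""Gap analysis between a Current and a Target Organizational Profile.

Constructed example. The CSF prescribes no numeric scale for outcomes (its
Tiers describe risk governance and management practices, not individual
subcategories), so the 0-4 implementation scale and the priority weights used
here are an organization's own choice and are assumptions of this example.
"""
from dataclasses import dataclass

# Outcome identifiers written in the CSF 2.0 style (Function.Category-NN).
# The one-line descriptions are paraphrases made for this example, not NIST text.
OUTCOMES = {
    "GV.OC-01": "Organizational mission informs cybersecurity risk management",
    "ID.AM-01": "Inventory of hardware is maintained",
    "PR.AA-01": "Identities and credentials are managed",
    "DE.CM-01": "Networks are monitored for potentially adverse events",
    "RS.MA-01": "Incident response plan is executed",
    "RC.RP-01": "Recovery portion of the incident response plan is executed",
}

# Assumed implementation scale: 0 = not performed, 1 = ad hoc, 2 = partial,
# 3 = implemented, 4 = implemented and measured.
MAX_LEVEL = 4


@dataclass(frozen=True)
class Gap:
    outcome: str
    current: int
    target: int
    priority: int  # 1 (low) .. 3 (high), assigned by the risk owner

    @property
    def score(self) -> int:
        """Gap size weighted by priority; orders the action plan / POA&M."""
        return (self.target - self.current) * self.priority


def validate_profile(profile: dict[str, int]) -> None:
    """Reject unknown outcome IDs and out-of-range levels before comparing."""
    for outcome, level in profile.items():
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome}")
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{outcome}: level {level} outside 0..{MAX_LEVEL}")


def gap_analysis(current: dict[str, int], target: dict[str, int],
                 priority: dict[str, int]) -> list[Gap]:
    """Return open gaps, largest weighted gap first.

    An outcome present in the Target Profile but missing from the Current
    Profile is treated as not performed (level 0) rather than skipped, so an
    outcome that is new to the organization (e.g. one added when moving to
    CSF 2.0) surfaces as a gap instead of disappearing from the report.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = [
        Gap(outcome, current.get(outcome, 0), want, priority.get(outcome, 1))
        for outcome, want in target.items()
        if current.get(outcome, 0) < want
    ]
    return sorted(gaps, key=lambda g: (-g.score, g.outcome))


def progress(baseline: dict[str, int], current: dict[str, int],
             target: dict[str, int]) -> float:
    """Fraction of the baseline-to-target gap closed so far, in [0, 1].

    Levels above target earn no extra credit, and an outcome that has decayed
    below its baseline counts against progress, so improvements elsewhere
    cannot mask a control that has regressed.
    """
    total = closed = 0
    for outcome, want in target.items():
        start = min(baseline.get(outcome, 0), want)
        now = min(current.get(outcome, 0), want)
        total += want - start
        closed += now - start
    if total == 0:
        return 1.0
    return max(0.0, min(1.0, closed / total))


# Constructed sample profiles for a small organization (RC.RP-01 not yet tracked).
CURRENT_PROFILE = {"GV.OC-01": 1, "ID.AM-01": 2, "PR.AA-01": 2,
                   "DE.CM-01": 1, "RS.MA-01": 2}
TARGET_PROFILE = {"GV.OC-01": 3, "ID.AM-01": 3, "PR.AA-01": 4,
                  "DE.CM-01": 3, "RS.MA-01": 3, "RC.RP-01": 3}
PRIORITY = {"PR.AA-01": 3, "RC.RP-01": 3, "DE.CM-01": 2}  # others default to 1
LATER_PROFILE = {"GV.OC-01": 2, "ID.AM-01": 3, "PR.AA-01": 3,
                 "DE.CM-01": 3, "RS.MA-01": 2, "RC.RP-01": 1}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        print(f"{g.outcome}  {g.current}->{g.target}  score={g.score}  {OUTCOMES[g.outcome]}")
    pct = progress(CURRENT_PROFILE, LATER_PROFILE, TARGET_PROFILE)
    print(f"progress toward target: {pct:.0%}")
```

Run it directly to print the prioritized gap list and a progress percentage. The two design choices a practitioner would want are that outcomes missing from the Current Profile count as level 0 (so newly adopted outcomes, such as those under the Govern function, surface as gaps rather than vanishing) and that a control which decays below its baseline lowers the progress figure instead of being averaged away.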

Conclusion and Touchpoints ✅ 

In this lesson, we covered the background and overview of the NIST Cybersecurity Framework. We’re going to build on these fundamentals throughout the rest of this course, so we want the foundation to be strong.

Key takeaways:

  • CSF is a comprehensive set of guidelines and best practices developed by the National Institute of Standards and Technology (NIST) to assist organizations in managing cybersecurity risks and safeguarding their information systems.

  • It has gained widespread adoption across industries and sectors since its creation in response to Executive Order 13636, signed by President Barack Obama in 2013.

  • The framework is flexible, scalable, and applicable to organizations of all sizes, enabling them to assess their cybersecurity posture, set target states, identify areas for improvement, measure progress, and communicate risks effectively.

  • CSF emphasizes resilience: it helps organizations prepare for and respond to cyber risks while facilitating quick recovery from incidents.

  • With the increasing frequency and cost of cyber threats, CSF offers a systematic approach to cybersecurity management and aligns with relevant executive orders and regulations, supporting an organization’s risk-based approaches and information-sharing initiatives.

  • We saw that CSF is highly regarded for its practicality and effectiveness in enhancing cybersecurity practices and mitigating risks.