How the NIST Cybersecurity Framework Works?

Eva Simpson

Eva Simpson


May 30, 2022


6 min read

Jump to section

NIST (the National Institute of Standards and Technology) is one of the oldest physical laboratories in the world. With its founding in 1901, you can imagine their roles have changed in the 21st century. NIST has directed some of its efforts to tech issues. One of their crowning achievements is the NIST Cybersecurity Framework.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework provides steps necessary for organizations to manage security issues successfully. Both organizations and governments use this system to update risk management programs.

The NIST Cybersecurity Framework (NIST CSF) was made by collaborating with the private sector. Its resulting success led to its translation into multiple languages and use by some world governments.

The original release of the framework was in 2013. Executive Order 13636 spurred its release in response to the growing concern of cybersecurity risks.

The framework was incredibly detailed, including these features:

  • Identifying cyber risk areas

  • Providing a repeatable and doable approach to cybersecurity

  • Identifying security standards across multiple sectors

  • Measuring the performance of the framework

  • Providing potential for guidance and improvement based on varying needs

To quickly identify the risk to systems, you need a defined process. The NIST CSF does this through five elements.

What are the five elements of the NIST Cybersecurity Framework?

These elements (sometimes called the five functions) are the framework of the CSF system. The functions are these five areas:

  • Identify and develop an understanding of cybersecurity threats and practices

  • Protect by developing and implementing safeguards

  • Detect threats by developing strategies to find cybersecurity threats

  • Respond to problems as they come

  • Recover by responding appropriately to cybersecurity threats

Detection might make more sense first, but the NIXT CSF sticks to this order. Below are more details on what each step requires.


To spot cybersecurity incidents, businesses need to understand them. The identification phase involves a review of your process. By finding the problems, you can fix them.

Supply chain risk management is one example of this. By setting priorities and risk tolerances, employees will know what to do in the event of a cyberattack.

For example, having keycards control where people go in the work building reduces the chances of exposing unnecessary information. By understanding this risk, you allow yourself to prevent it. So the identification phase involves knowing where the issues are before you can start the next step.


Identifying the potential impact enables companies to respond better. That response helps limit or prevent cybersecurity attacks.

This is where the protection phase comes into play. It takes action using information from the identification step. Our keycard example from above is where you might see this.

The protection phase also deals with educating employees on the latest security protocols. Cybersecurity best practices are established on a company-wide scale from this.


The detection step provides steps to organizations on how to find problems. Focusing on early detection enables better results for the identify function.

While this step has a strong crossover with “identity,” it differs in this way:

  • Identify focuses on the problem

  • Detect focuses on how to find it

For example, when you detect something, it would be if an employee isn’t in their assigned position. In this case, a company needs defined steps to locate the problem. Identification happens before a risk occurs. Detection happens as a situation is about to happen.


The response step details what to do in the event of a cybersecurity incident. If detection is successful, your response can be more effective. An analysis of how you respond is essential.

A proper risk response includes these elements:

  • Who do you talk to

  • How quickly do you react

  • When do you seek external support (law enforcement)

  • What do you do to eliminate or mitigate the incident?

The respond element deals heavily with how past incidents are handled. For example, you wouldn’t rely on the same security protocols in the event of a data breach

In an ideal scenario, your IT team will take steps on early detection (function three) and fix file vulnerabilities (function two). The less time you spend in the response function, the better off you are.

Even the most stringent cybersecurity experts can fail. No IT professional is perfect, so backdoors are not uncommon, even in high-level security situations. Knowing what to do in the case of a breach mitigates damage, showing its importance.


The aftermath of a cybersecurity breach isn’t fun. However, returning to working order is essential for governments and businesses. This is where the recovery function comes in.

The recovery function includes the steps you take to return to regular operations. This phase is specific to restoring and re-coordinating systems. So consider it a business continuity plan.

For example, you might have a customer relationship management tool to handle a sales pipeline. But if that tool goes down, you don’t have access to your customers.

Having regular Excel Spreadsheet backups can prevent this total shutdown. This enables sales agents to commence with some duties, even during system outages.

The Recover step does not deal with the security side. These are handled during other functions on this list. However, knowledge enables businesses to restore systems and normal processes quicker.

The four NIST CSF implementation tiers

The core framework seen above is a generalist view of how you should fix things. The NIST CSF uses four implementation tiers to determine how far an organization has come.

Implementation tiers come in four different levels:

  • Partial

  • Risk informed

  • Repeatable

  • Adaptive

These tiers provide a quick way to find an organization’s ability to handle cybersecurity problems. Here’s a more detailed review.


A tier one business includes organizations with the weakest capabilities to respond to cybersecurity threats. These businesses often have not started the NIST CSF. Others might be in the beginning phases.

Partial-tier groups do not understand their role toward stakeholders. They have no risk management system in place for how to respond. Security plans don’t go beyond winging it in response to incidents.

Awareness of this issue enables organizations to proceed through the four tiers. But steps must be taken for any chance of getting to later levels.

Risk informed

The risk-informed tier is where many businesses fall. Organizations in this group know there is a problem; they just don’t have the means to fix it.

A business in this tier might know about risk management practices. However, those practices are not implemented throughout the company.

These businesses also have no organization-wide approach to managing risk. In this case, knowing is the first step to reaching the next tier.

Some groups lack the skillsets needed to handle security issues. One example solution, NordLocker, provides password management for everyone. Organizations lacking IT skills might not know how to recover lost passwords. NordLocker requires no technical skills, meaning it is a form of outsourcing.


Tier three is repeatable, meaning that the cybersecurity tips are found throughout the organization. In this way, the company does have organization-wide risk management steps.

This tier is for those businesses that manage well. The company has a defined risk practice and understands stakeholder impacts.

However, tier-three organizations have little experience. The result is that their ability to change is weakened, needing more improvements.


Tier four is adaptive, indicating a business with solid awareness on all fronts. These organizations use knowledge from previous experiences to change their company policy.

Adaptive organizations always worry about the potential of cybersecurity threats. These organizations’ understanding of cybersecurity often benefits the surrounding communities.

These organizations can predict cyber-attacks based on known factors. So they take the knowledge learned and act on it. Businesses in this tier are adept at disaster recovery.

What are NIST Cybersecurity Framework Profiles?

Conceptually, the NIST CSF is rigid and defined. But to prove whether it works in real life, you need to look at framework profiles.

The NIST Cybersecurity framework profiles are specific functions and tiers combined. Often, these apply to situations (ransomware attacks) or industries (manufacturing).

One of the best examples of this in action is the Cybersecurity Framework Manufacturing Profile. This profile is readily available to the public and provides specific cybersecurity problems for most manufacturing companies.

The document is 57 pages long, specifying these elements:

  • The target audience

  • Goals

  • How the framework core applies (the five functions)

  • Mission objectives necessary to improve the business

  • Categorization of potential incidents (to determine risk levels of losing a business function)

  • Specific steps to take in each given situation

The last pages of the document include appendix terms, definitions, and abbreviations. Given the thick technical content behind it, you can understand the entirety of their process with enough reading.

The point of having rigid, defined structures is to prevent errors. Security experts will know and reference this document regularly. Ideally, this document should also be made available to an entire workforce.

How does the NIST Cybersecurity Framework protect me?

Depending on your exposure to the framework, you will benefit in one of these ways:

  • Services you use will follow proven security practices

  • The organization you work for will provide steps to help you follow best security practices

The risk of putting yourself out there as an individual is great. In June 2021, the number of cybersecurity attacks nearly reached 78 million (source Knowing what to do to prevent and respond to a situation can prevent most risks.

Conclusion - Why use the NIST Cybersecurity Framework?

The NIST CSF is a defined process for organizations and businesses to protect themselves. While they provide the steps, the tools are up to the individual. So to protect yourself, you can start by covering the information you leave online.

NordLocker’s end-to-end encryption and automatic backup feature combine two of the most critical functions of the NIST CSF: recovery and protection. By implementing it today, you can keep your data safe.

If you’re a part of an organization that could benefit from NordLocker, contact us for a demo.

Eva Simpson

Eva Simpson

Verified author

Eva is usually the quiet one in the gang. But don’t let that silent demeanor fool you. She’s a brown belt in Brazilian Jiu-Jitsu. And when she’s not kicking butts, Eva loves to dissect complex tech topics in a way even 5-year olds would understand.