NIST Cybersecurity Framework 2.0. Implementation Guide
Contents
1 Toolkit support ........................................................................................................... 4
1.1 Email support .............................................................................................................. 4
1.2 Toolkit updates ............................................................................................................ 4
1.3 Review of completed documents.................................................................................. 4
1.4 Exclusive access to customer discussion group .............................................................. 4
2 Copyright acknowledgement ...................................................................................... 5
3 Introduction ............................................................................................................... 6
3.1 Introducing the NIST Cybersecurity Framework ............................................................ 6
3.2 What’s New in Version 2.0 ........................................................................................... 7
3.3 The Main Principles of the NIST Cybersecurity Framework ............................................ 8
3.3.1 Functions ..................................................................................................................................... 8
3.3.2 Categories ................................................................................................................................... 8
3.3.3 Subcategories .............................................................................................................................. 9
3.3.4 Implementation examples ......................................................................................................... 10
3.3.5 Informative references .............................................................................................................. 11
3.3.6 Tiers .......................................................................................................................................... 11
3.3.7 Profiles ...................................................................................................................................... 12
3.4 Guidance available from NIST ..................................................................................... 12
4 The CertiKit NIST CSF2 Toolkit .................................................................................. 14
4.1 How the documents work .......................................................................................... 14
4.2 Last words before you begin ...................................................................................... 15
5 Implementing the NIST Cybersecurity Framework 2.0 .............................................. 16
5.1 Step 1: Prioritize and Scope ........................................................................................ 16
5.2 Step 2: Orient ............................................................................................................ 16
5.3 Step 3: Create a Current Profile .................................................................................. 17
5.4 Step 4: Conduct a Risk Assessment ............................................................................. 17
5.5 Step 5: Create a Target Profile .................................................................................... 17
5.6 Step 6: Determine, Analyze, and Prioritize Gaps .......................................................... 17
5.7 Step 7: Implement Action Plan ................................................................................... 18
6 The Functions and Categories of the Cybersecurity Framework ................................ 19
6.1 Govern (GV) ............................................................................................................... 19
6.1.1 Organizational Context (GV.OC)................................................................................................. 19
6.1.2 Risk Management Strategy (GV.RM) .......................................................................................... 19
6.1.3 Cybersecurity Supply Chain Risk Management (GV.SC) .............................................................. 20
6.1.4 Roles, Responsibilities, and Authorities (GV.RR) ........................................................................ 20
6.1.5 Policies, Processes, and Procedures (GV.PO) ............................................................................. 21
6.1.6 Oversight (GV.OV) ..................................................................................................................... 21
6.2 Identify (ID) ............................................................................................................... 22
www.certikit.com Page 2 of 30
NIST CSF 2.0 Implementation Guide
7 Conclusion................................................................................................................ 30
Tables
Table 1 - CSF 2.0 Functions and Categories .................................................................................... 9
Table 2 - Example Category and Sub-categories .......................................................................... 10
Table 3 - Implementation Examples ............................................................................................ 11
Figures
Figure 1 - CSF 2.0 Structure ........................................................................................................... 7
1 Toolkit support
The CertiKit NIST CSF2 Toolkit includes a wealth of templates and guides to allow your
organization to implement the Cybersecurity Framework and comes with the following
support.
2 Copyright acknowledgement
Where relevant, information about the NIST Cybersecurity Framework 2.0 is reproduced
from the following source:
National Institute of Standards and Technology (2023) The NIST Cybersecurity Framework
2.0. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Cybersecurity
White Paper (CSWP) NIST CSWP 29 ipd. https://doi.org/10.6028/NIST.CSWP.29.ipd
And from the NIST website at https://www.nist.gov/cyberframework.
Please see https://www.nist.gov/nist-research-library/nist-publications for more
information about NIST copyright in Technical Series Publications.
3 Introduction
This concise guide takes you through the process of implementing the NIST Cybersecurity
Framework 2.0 using the CertiKit NIST CSF2 Toolkit. This version of the toolkit uses as its
reference the draft of CSF 2.0 published by NIST on August 8th and it will be updated shortly
after the final version of CSF 2.0 is made available by NIST. It provides a recommended route
to framework implementation starting from a position where very little is in place. Of
course, every organization is different and there are many valid ways to embed the
disciplines of information security. The best way for you may well depend upon factors
including:
• Oversight (GV.OV)
Many of the subcategories covered within the above list have been taken from the Identify
(ID) function, with a few also being extracted from other functions within the CSF V1.1.
Other significant changes include:
• Informative references will now be provided online, to provide for easier and more
frequent updating
• Implementation examples will be provided to help with interpretation of the sub-
categories
• The use of tiers has been clarified
• Revised guidance on how to create and use framework profiles
• Clearer emphasis on improvement, with the creation of an Improvement category
within the Identify function
3.3.1 Functions
Functions provide an overall structure for the framework and group together related
categories as shown in Table 1. In many respects, it may help to view the first three
functions as “proactive”, as they deal with the process of assessing and treating risk ahead
of time, and the latter three functions as “reactive”, as they cover the more real-time
process of detecting and dealing with cybersecurity incidents.
However, NIST is clear that this is not intended to be a process model, so activities may be
taking place within all of the functions at the same time.
The functions are usually color-coded to provide a degree of familiarity when working with
the framework.
3.3.2 Categories
Categories provide the next level of detail below functions, as shown in Table 1. Again, they
are not necessarily intended to be done in the order in which they appear but are a way of
grouping together the sub-categories below them which give more detail about specific
activities that can be done to improve cybersecurity.
Table 1 - CSF 2.0 Functions and Categories

FUNCTION        CATEGORY IDENTIFIER   CATEGORY
Govern (GV)     GV.OC                 Organizational Context
                GV.RM                 Risk Management Strategy
                GV.SC                 Cybersecurity Supply Chain Risk Management
                GV.RR                 Roles, Responsibilities, and Authorities
                GV.PO                 Policies, Processes, and Procedures
                GV.OV                 Oversight
Identify (ID)   ID.AM                 Asset Management
                ID.RA                 Risk Assessment
                ID.IM                 Improvement
Protect (PR)    PR.AA                 Identity Management, Authentication, and Access Control
                PR.AT                 Awareness and Training
                PR.DS                 Data Security
                PR.PS                 Platform Security
                PR.IR                 Technology Infrastructure Resilience
Detect (DE)     DE.CM                 Continuous Monitoring
                DE.AE                 Adverse Event Analysis
Respond (RS)    RS.MA                 Incident Management
                RS.AN                 Incident Analysis
                RS.CO                 Incident Response Reporting and Communication
                RS.MI                 Incident Mitigation
Recover (RC)    RC.RP                 Incident Recovery Plan Execution
                RC.CO                 Incident Recovery Communication
3.3.3 Subcategories
Subcategories are where we get into the detail of the outcomes that we are looking to
achieve. Table 2 shows the subcategories for the Organizational Context (GV.OC) category,
which is within the Govern (GV) function.
Each subcategory has a reference (for example GV.OC-01) which allows it to be uniquely
identified within the framework.
The subcategories are written as statements of fact (for example “The organizational mission
is understood…”) and the aim of the organization in implementing the framework is to be able
to agree with each relevant statement.
Table 2 - Example Category and Sub-categories

CATEGORY        SUBCATEGORY

Table 3 - Implementation Examples

GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
(formerly ID.BE-02, ID.BE-03)
  Ex1: Share the organization’s mission (e.g., through vision and mission statements, marketing,
  and service strategies) to provide a basis for identifying risks that may impede that mission.

GV.OC-02: Internal and external stakeholders are determined, and their needs and expectations
regarding cybersecurity risk management are understood
  Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations
  (e.g., performance and risk expectations of officers, directors, and advisors; cultural
  expectations of employees)
  Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations
  (e.g., privacy expectations of customers, business expectations of partnerships, compliance
  expectations of regulators, ethics expectations of society).
Whereas these were listed directly in the main CSF document previously, the intention with
2.0 is to maintain these separately in a tool accessible via the NIST website.
3.3.6 Tiers
Four levels of rigor are defined within the CSF to judge an organization’s practices within
three areas:
• Tier 1 – Partial
• Tier 2 – Risk informed
• Tier 3 – Repeatable
• Tier 4 – Adaptive
In effect, the tiers are similar to levels of maturity used in other frameworks, but NIST is
keen to point out that not every organization needs to be at Tier 4 for each of the three
areas. The additional effort required to reach a higher tier needs to be cost-justified.
Tiers are an optional part of the framework and they are intended to be used at a number of
different levels as appropriate, from a high level aspiration of “becoming a Tier 3
organization” to a more specific goal of “improving the Cybersecurity Supply Chain Risk
Management category from Tier 2 to Tier 3”.
3.3.7 Profiles
Within the context of the CSF, a profile is a description of parts of the framework that are
either in place already (a current profile) or that the organization aspires to meet (a target
profile). In common terms this comparison between current state and desired state is often
called a gap assessment, although this is not a term used by NIST. There is no standard way
to create a profile, and it may be done at a number of different levels; for example at the
highest level by function and at the lowest by subcategory. A further level of granularity can
be introduced by the use of tiers (as described above).
The key output of the use of profiles is an action plan to move the organization’s
cybersecurity from where it is now to where it is desired to be.
We recommend you make use of these resources in addition to the CertiKit toolkit to
smooth your journey to implementing the Cybersecurity Framework 2.0.
The CertiKit NIST CSF2 Toolkit (referred to within this document simply as “the Toolkit”)
provides an array of useful documents which provide a starting point for the different
functions, categories and subcategories of the framework. The documents are in Microsoft
Office 2010® format and consist of Word documents, Excel workbooks, PowerPoint
presentations and Project plans.
To open and edit the documents you will need to use the relevant Microsoft application at
version 2010 or later.
Each document starts with an “Implementation Guidance” section which describes its
purpose, the specific subcategories of the CSF it is relevant to, general guidance about
completing and reviewing it and some legal wording about licensing etc. Once read, this
section, together with the CertiKit cover page, may be removed from the final version of the
document.
The layout and headings of each document have been designed to guide you carefully
towards implementing the principles of the framework and example content has been
provided to illustrate the type of information that should be given in the relevant place. This
content is based upon an understanding of what a “typical” organization might want to say
but it is very likely that your organization will vary from this profile in some ways, so you will
need to think carefully about what content to keep and what to change. The key to using
the Toolkit successfully is to review and update each document in the context of your
specific organization. Do not accept the contents without reading them and thinking about
whether they meet your needs – does the document say what you want it to say, or do you
need to change various aspects to make it match the way you do things? This is particularly
relevant for policies and procedures where there is no “right” answer. The function of the
document content is to help you to assess what’s right for you, so use due care when
considering it. Where the content is very likely to need to be amended, we have highlighted
these sections but please be aware that other non-highlighted sections may also make
sense for you to update for your organization.
As we have said earlier, regard this guide as helpful advice rather than as a detailed set of
instructions to be followed without thought; every organization is different, and the idea of
the Toolkit is that it molds itself over time to fit your specific needs and priorities.
We also appreciate that you may be limited for time and so we have kept the guidance short
and to the point, covering only what we think you might need to know to achieve the
intended end result. There are many great books available about information security and
we recommend that, if you have time, you invest in a few and supplement your knowledge
as much as possible.
But perhaps our single most important piece of advice would be to study the main
components of the CSF itself. There is really no replacement for going straight to the source
documents if you want to understand what it’s all about. So, by all means, listen to what
other people tell you about it, but try to take some time out to go to a coffee shop or
somewhere equally comfortable, and read the published materials from beginning to end.
We believe you will not regret it. Enough said.
However, this is not the only valid approach; you could decide to split the project into two
parts covering the proactive functions (GV, ID and PR) and the reactive functions (DE, RS and
RC) and then address them one after the other or, if resources allow, in parallel. Equally, you
could start at GV and address each function in turn, as each one to some extent builds on
the outcomes of previous functions. Where the seven-step approach helps is in focusing
your efforts on those areas of greatest need by prioritizing the risk assessment and creating
a before (current profile) and after (target profile) definition.
Part of the current profile may also cover an assessment of which of the four levels of
implementation tier the organization’s risk governance, risk management and third-party
cybersecurity risk management practices currently fall into.
The risk assessment will consider the likelihood of a wide variety of potential threats coming
to pass, and the impact on the organization if they were to happen. Those that score highly
will be prime candidates for further action.
Thought should also be put into which of the four implementation tiers your organization
will aspire to meet in the longer term (your target tiers).
Discussions of costs and timescales are appropriate at this stage to produce an agreed plan
that is achievable.
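As an added illustration of Steps 3 to 6 (example code written for this guide, not part of the CertiKit Toolkit or of NIST's materials), the following Python script compares a current profile with a target profile at subcategory level, uses the implementation tiers of section 3.3.6 as the measure for each subcategory, and orders the resulting gaps by the likelihood-times-impact score from the risk assessment so that the action plan starts with the areas of greatest need. The subcategory identifiers, tier values and risk scores are constructed sample data; a subcategory that is in the target profile but absent from the current profile is assumed to be at Tier 1 (Partial).

```python
"""Gap assessment between a current and a target CSF 2.0 profile.

Added example, not part of the CertiKit toolkit: the profiles, tier values
and risk scores below are constructed for illustration.
"""
from dataclasses import dataclass

# CSF 2.0 implementation tiers as described in section 3.3.6.
TIERS = {1: "Partial", 2: "Risk informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current_tier: int
    target_tier: int
    risk_score: int  # likelihood x impact from the risk assessment (Step 4)

    @property
    def tier_gap(self) -> int:
        return self.target_tier - self.current_tier

    @property
    def priority(self) -> int:
        # A larger tier shortfall on a higher-risk outcome sorts first.
        return self.tier_gap * self.risk_score


def function_of(subcategory: str) -> str:
    """'GV.OC-01' -> 'GV'; profiles can be summarized per function."""
    return subcategory.split(".")[0]


def assess_gaps(current, target, risks):
    """Return the gaps (target tier above current tier) sorted by priority.

    current/target: {subcategory: tier}; risks: {subcategory: likelihood*impact}.
    A subcategory in the target profile but missing from the current profile
    is treated as Tier 1 (Partial); a subcategory with no risk score gets 1.
    """
    gaps = []
    for sub, want in target.items():
        if want not in TIERS:
            raise ValueError(f"{sub}: unknown tier {want}")
        have = current.get(sub, 1)
        if want > have:
            gaps.append(Gap(sub, have, want, risks.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def summarize_by_function(gaps):
    """Count of open gaps per function, the highest-level view of a profile."""
    counts = {}
    for g in gaps:
        fn = function_of(g.subcategory)
        counts[fn] = counts.get(fn, 0) + 1
    return counts


def action_plan(gaps):
    """Render the prioritized gap list as action-plan lines (Step 7 input)."""
    return [
        f"{g.subcategory}: raise from Tier {g.current_tier} ({TIERS[g.current_tier]}) "
        f"to Tier {g.target_tier} ({TIERS[g.target_tier]}), priority {g.priority}"
        for g in gaps
    ]


# Constructed sample profiles (subcategory -> tier) and risk scores.
CURRENT_PROFILE = {"GV.OC-01": 2, "GV.OC-02": 1, "GV.SC-01": 1, "PR.AA-01": 3, "DE.CM-01": 2}
TARGET_PROFILE = {"GV.OC-01": 2, "GV.OC-02": 3, "GV.SC-01": 3, "PR.AA-01": 3,
                  "DE.CM-01": 3, "RS.MA-01": 2}
RISK_SCORES = {"GV.OC-02": 6, "GV.SC-01": 12, "DE.CM-01": 9, "RS.MA-01": 8}

if __name__ == "__main__":
    gaps = assess_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_SCORES)
    print("open gaps per function:", summarize_by_function(gaps))
    for line in action_plan(gaps):
        print(line)
```

With the sample data the supply chain subcategory comes out first (two tiers short on the highest-risk outcome), even though the asset and access control subcategories already meet their targets and drop out of the plan entirely.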
Once the desired functions, categories and subcategories of the CSF are in place, the
organization will benefit from an increased level of proactivity and move into a continuous
improvement mode of operation that will adjust the controls in place in line with risks and
needs.
Before we can manage our cybersecurity, we have to have a clear understanding of what it
is we’re trying to achieve. At the highest level, this comes down to the core mission of the
organization; its very reason for existence in its present form. We then need to establish
who has a stake in the organization’s success (interested parties, or stakeholders) and what
they need our cybersecurity program to deliver. This will help us later to identify risks that
relate to any inabilities to meet those important requirements.
No organization operates in a vacuum, and there will be requirements and constraints put
upon it in the form of legal obligations, possibly the needs of a regulatory body, and from
contractual arrangements with third parties. All of these dictate what it is we need to
achieve from our cybersecurity framework. To inform this thought process, we also need to
understand the processes of the organization and their relative importance in ensuring its
success. This is achieved by conducting a business impact assessment which models what
would happen if each of the business processes were partially or completely disabled.
There are various decisions that need to be made before we can start conducting risk
assessments, including how will we know if risk management is working appropriately, how
much risk is acceptable to us, how cybersecurity risk management fits in with risk
management in other areas, and which of the many available methods we’re going to use to
assess risk.
Not all risk is bad, and we need to ensure we consider how we would capitalize on events
going our way, that is, on opportunities.
Cybersecurity supply chain risk management is a whole subject in itself, driven partly by
recent breaches at major suppliers that have had dire consequences for their customers. A
comprehensive program is called for, that dovetails with related risk management efforts
within the organization. As well as ensuring that due diligence is carried out when suppliers
are selected, there needs to be an ongoing approach that manages the risks from suppliers
and encourages their adoption of effective controls.
• Leavers Letter
As well as the leadership of the organization showing that they are serious about
cybersecurity (partly by allocating resources to it), there needs to be clear definition of
relevant roles and their associated responsibilities and authorities, so that no-one is in any
doubt about the part they play in protecting the organization.
It’s important that management’s intentions with regard to cybersecurity are clearly stated
and communicated, and this often means creating an appropriate set of policies, processes
and procedures for people to work from. Once in place, these need to be managed so that
they stay up to date and that changes to them are properly reflected and recommunicated
to all those that need to know about them.
There needs to be a clear method for checking that your cybersecurity framework is working
as intended and this will likely involve a combination of key performance indicators and
regular reviews by management to identify and tweak any areas that are not delivering. This
is done with varying frequencies at each of the strategic, operational and tactical levels.
This category is about understanding the assets your organization has that need to be
protected, including hardware, software, internal services, external services and data. It is
likely that much of this information will be held within configuration management-related
systems that automatically collect inventories of the hardware you have, the software that
is installed on it, and their configuration, so making a manual list of these things is unlikely
to be the best approach. It will more likely be a case of finding out where this information
already exists. Services and information can be more difficult to define, so you may need to
put some effort into identifying the services (internal and external) you operate and how
data flows within and outside of your organization’s boundaries. Some will be more
important than others, so having an idea of criticality will be useful, informed by the
business impact assessment you did in the Organizational Context (GV.OC) category.
Based on the asset information you collected in the previous category, we now need to
understand the vulnerabilities associated with those assets (particularly software) and the
threats that are out there before starting our risk assessment. This will result in a risk
treatment plan which will be one of your main tools in driving risk reduction and general
improvement within your organization. Addressing issues such as the effective management
of change is also covered within this category.
Improvement is a cross-cutting category that applies to most of the other functions and
categories within the CSF. Encouraging the identification and communication of
improvements from all areas is key, so you’ll need to be clear who should be notified and
how they will be logged and actioned, so that improvement becomes a relentless machine
for the benefit of the organization.
Having an internal audit program is a useful way to keep everyone on their toes and check
that everything is being done as it should.
This category is about ensuring that only authorized users get access to our assets, both
electronic and physical. This involves having clear policies, procedures and controls for
identifying users correctly and controlling what they have access to, with additional
attention given to issues such as password strength and multifactor authentication.
It’s important that users are aware of their information security responsibilities, and that
they are educated in the methods that might be used to try to trick them into allowing
someone else access (such as phishing and social engineering). As well as the wider user
population, there will be a need for more specialized training for people with larger roles to
play in the cybersecurity framework of the organization, such as system administrators,
auditors and managers.
• Cryptographic Policy
• Records Retention and Protection Policy
• Information Classification Procedure
• Information Labelling Procedure
• Clear Desk and Clear Screen Policy
• Procedure for the Disposal of Media
• Backup Policy
• Privileged Utility Program Register
The Data Security category concerns itself with the lifecycle of the organization’s data,
ensuring that it is encrypted where possible, backed up appropriately and destroyed
effectively when no longer needed. It is useful to adopt a classification scheme so that
resources may be focused on the most sensitive data, and to only retain them for as long as
necessary. Obviously applicable data protection legislation will be relevant in this area, and
the measures used must ensure compliance with these laws.
Having dealt with the security of the data in the previous category, Platform Security covers
the hardware and software that hosts that data, ensuring that it is configured and
maintained correctly, that it’s monitored for suspicious events, and that bespoke code is
written and implemented in a secure way. The specifics of this category will depend a lot on
the platforms used (for example Microsoft, Google, AWS) and, if applicable, the
development approach taken for bespoke code. Software tools will play a significant part in
this area, including log management and monitoring, anti-malware and integrated
development environments.
Further to the data and the platforms, the technology infrastructure supporting them also
needs to be managed, particularly in terms of its availability. As well as designing the various
components for resilience, there needs to be a documented approach to reacting to
unforeseen events such as fire, flood and other environmental threats. Consideration of the
current and future capacity of the infrastructure also needs to be made so that problems
are not encountered due to lack of resources.
• Monitoring Policy
• Anti-Malware Policy
• Web Filtering Policy
• CCTV Policy
In general, the activities of this category will largely be carried out by software, ideally aided
by artificial intelligence, to recognize what a normal situation looks like, and raise a flag
when this normality appears to be deviated from. Services such as intrusion detection (and
prevention) systems, anti-malware, log analyzers and file integrity monitors can be used to
keep a close eye on the IT environment and raise a possible incident according to set rules.
That is not to say that humans don’t play a part too; monitoring of the physical environment
is likely to involve a combination of technology, for example CCTV, and people, such as
security guards and security-aware employees.
One of the challenges with continuous monitoring is to avoid false positives, where the
alarm is being raised too often for events that are actually normal. Each alarm needs to be
evaluated to assess whether it represents a genuine incident that must be reacted to, or
whether it is simply noise. Again, software helps in this, with a security information and
event management (SIEM) system now being a common addition to an organization’s
toolset. A SIEM system can allow various events across the infrastructure to be correlated to
establish whether the set of individual clues represents an incident, or whether an event is
an isolated anomaly. Cyber threat intelligence can play a part in this too, if known indicators
of compromise (IoCs), which are the signature of a specific type of attack, are found at the
same time.
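To make the correlation idea concrete, here is an added Python example (written for this guide, not taken from any SIEM product or from the CertiKit Toolkit) that reads constructed log lines from three sources, joins them per user, and only raises a possible incident when more than one independent clue lines up: a burst of failed logins followed by a success, a login from an address on a threat-intelligence list, and execution of a file whose hash is a known indicator. A single clue is reported as an anomaly for triage rather than escalated, which is the noise-reduction step the paragraph describes. The log format, user names, addresses and indicator values are all constructed for the example.

```python
"""Correlating events from several sources into one possible incident.

Added example, not part of the CertiKit toolkit or of any SIEM product. The
log lines, host names, addresses and indicator values below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence feed: indicators of compromise to match.
IOC_IPS = {"198.51.100.23"}
IOC_HASHES = {"deadbeef00000000000000000000000000000000000000000000000000000000"}

# Constructed log lines from a VPN gateway and a host agent, one event per line.
SAMPLE_LOGS = """\
2024-03-04T09:00:01Z vpn auth_failed user=alice src=198.51.100.23
2024-03-04T09:00:05Z vpn auth_failed user=alice src=198.51.100.23
2024-03-04T09:00:09Z vpn auth_failed user=alice src=198.51.100.23
2024-03-04T09:00:14Z vpn auth_ok user=alice src=198.51.100.23
2024-03-04T09:03:40Z host file_exec host=ws-17 user=alice sha256=deadbeef00000000000000000000000000000000000000000000000000000000
2024-03-04T09:20:00Z vpn auth_failed user=bob src=203.0.113.9
2024-03-04T09:41:00Z vpn auth_ok user=bob src=203.0.113.9
2024-03-04T10:00:00Z vpn auth_failed user=carol src=192.0.2.77
2024-03-04T10:00:03Z vpn auth_failed user=carol src=192.0.2.77
2024-03-04T10:00:06Z vpn auth_failed user=carol src=192.0.2.77
2024-03-04T10:00:09Z vpn auth_ok user=carol src=192.0.2.77
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse(line):
    """Turn 'timestamp source event k=v k=v' into a dict."""
    ts, source, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source, "event": event, **fields}


def correlate(lines, window=timedelta(minutes=10), fail_threshold=3):
    """Group events per user and collect independent clues for each.

    Two or more clues -> 'incident'; exactly one -> 'anomaly' for triage;
    none -> nothing is raised (the single failed login of a real user is noise).
    """
    events = [parse(ln) for ln in lines.splitlines() if ln.strip()]
    per_user = defaultdict(list)
    for e in events:
        if "user" in e:
            per_user[e["user"]].append(e)

    findings = []
    for user, evs in per_user.items():
        clues = []
        fails = [e for e in evs if e["event"] == "auth_failed"]
        for ok in (e for e in evs if e["event"] == "auth_ok"):
            # Clue 1: enough failures shortly before a success (brute force pattern).
            recent = [f for f in fails if ok["ts"] - window <= f["ts"] <= ok["ts"]]
            if len(recent) >= fail_threshold:
                clues.append(f"{len(recent)} failed logins then success from {ok['src']}")
            # Clue 2: the successful login came from a listed address.
            if ok["src"] in IOC_IPS:
                clues.append(f"login from listed address {ok['src']}")
        # Clue 3: a file with a listed hash was executed under this user.
        for e in evs:
            if e.get("sha256") in IOC_HASHES:
                clues.append(f"execution of listed file on {e['host']}")
        if len(clues) >= 2:
            findings.append({"user": user, "severity": "incident", "clues": clues})
        elif clues:
            findings.append({"user": user, "severity": "anomaly", "clues": clues})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOGS):
        print(f["severity"], f["user"], "-", "; ".join(f["clues"]))
```

Running it raises an incident for alice (three clues agree), an anomaly for carol (the failed-then-successful logins alone could be a mistyped password) and nothing for bob, whose one failure is ordinary noise. Raising fail_threshold changes what counts as a clue but, for alice, the two indicator matches still make it an incident.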
If all the signs point to an incident, then the next function of the CSF is triggered; Respond.
It’s important to have a well-defined plan available that everyone is familiar with, and
systems and procedures that can cope with more than one ongoing incident at a time. Third
parties, including your cyber-insurance provider and the additional resources they can give
access to, should be involved where appropriate.
This category is about working out what’s happened, when and in what order. A balance
needs to be struck between the urgency of reaching conclusions about points of entry and
other vulnerabilities, and the need to preserve evidence for later analysis and possibly use in
a prosecution.
How you keep stakeholders informed about incidents is key to how the incident is perceived and
to limiting the resulting reputational damage. For breaches involving personally identifiable
information (PII), there may be timescales for notification laid out in relevant legislation.
Communication is a two-way process, where others may be able to provide you with details
such as indicators of compromise to look for.
This category is where an incident is firstly contained and then eradicated. This may be
automated via software, or it may be a manual process involving isolation of affected
infrastructure, followed by further investigation and restoration from backups.
Once the cause of the incident has been eradicated, the required actions must be
undertaken to bring the situation back to a business as usual footing. This may involve the
restoration of full or partial backups, re-initialization of hardware and software and user
participation in confirming the correct operation of the systems affected. This is normally
done in a prioritized order, with the most business-critical resources being addressed first.
Care must also be taken that the backups used have not been compromised, as is
sometimes the case with an attack such as ransomware.
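The check that backups have not been tampered with, and the prioritized order of restoration, can be expressed in code. The following added Python example (written for this guide, not part of the CertiKit Toolkit) authenticates a manifest of backup digests with a key kept away from the backup store, rejects any backup whose digest no longer matches or that the manifest never listed, and orders the remainder by a criticality ranking taken from the business impact assessment. The backup contents, manifest key and ranking are constructed sample data.

```python
"""Checking backup integrity before restoring, in criticality order.

Added example, not part of the CertiKit toolkit: the backup contents, the
manifest key and the criticality ranking are constructed for illustration.
"""
import hashlib
import hmac

# Constructed: a key held separately (offline) from the backup store, so that
# someone who can rewrite backups cannot also re-sign the manifest.
MANIFEST_KEY = b"example-manifest-key-kept-offline"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(entries: dict) -> str:
    """HMAC over the sorted name=digest pairs of a manifest."""
    canonical = "\n".join(f"{name}={digest}" for name, digest in sorted(entries.items()))
    return hmac.new(MANIFEST_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def build_manifest(backups: dict) -> dict:
    """Record each backup's digest at the time the backup is taken."""
    entries = {name: sha256_hex(blob) for name, blob in backups.items()}
    return {"entries": entries, "mac": sign_manifest(entries)}


def verify_and_order(backups, manifest, criticality):
    """Return (restore_order, rejected).

    restore_order lists backups whose digest matches the authenticated manifest,
    most business-critical first; rejected lists those that must not be used.
    """
    if not hmac.compare_digest(manifest["mac"], sign_manifest(manifest["entries"])):
        raise ValueError("manifest has been altered; stop and investigate")
    good, rejected = [], []
    for name, blob in backups.items():
        expected = manifest["entries"].get(name)
        if expected is None:
            rejected.append((name, "not listed in manifest"))
        elif not hmac.compare_digest(sha256_hex(blob), expected):
            rejected.append((name, "digest mismatch"))
        else:
            good.append(name)
    # Lower number = more business-critical; unranked items go last.
    good.sort(key=lambda n: (criticality.get(n, 99), n))
    return good, rejected


# Constructed backup set as taken before the incident, and its manifest.
BACKUPS_AT_TIME_OF_BACKUP = {
    "erp-db": b"erp database dump v1",
    "fileshare": b"file share archive v1",
    "wiki": b"wiki export v1",
}
MANIFEST = build_manifest(BACKUPS_AT_TIME_OF_BACKUP)

# Constructed: what is found in the backup store after a ransomware incident;
# the file share backup was overwritten and an unlisted archive appeared.
BACKUPS_AFTER_INCIDENT = dict(BACKUPS_AT_TIME_OF_BACKUP)
BACKUPS_AFTER_INCIDENT["fileshare"] = b"file share archive v1 (encrypted by attacker)"
BACKUPS_AFTER_INCIDENT["unknown-archive"] = b"dropped during the incident"

# Criticality ranking from the business impact assessment (1 = most critical).
CRITICALITY = {"erp-db": 1, "fileshare": 2, "wiki": 3}

if __name__ == "__main__":
    order, bad = verify_and_order(BACKUPS_AFTER_INCIDENT, MANIFEST, CRITICALITY)
    print("restore in this order:", order)
    print("do not restore:", bad)
```

With the constructed data the ERP database is restored first and the wiki second, while the altered file share backup and the unlisted archive are held back for investigation; if the manifest itself has been edited, the HMAC check fails and nothing is restored at all.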
Keeping internal and external stakeholders, such as management, customers, users and in
some cases the general public, informed of what is happening is key to the post-incident
perception that will exist after the situation has been resolved – that is, whether the
incident was handled well, or poorly. Communication needs to be handled carefully so that
it is both timely and accurate and sets expectations appropriately.
7 Conclusion
This implementation guide has taken you through the process of positioning your
organization to adopt the NIST Cybersecurity Framework, supported by the CertiKit NIST
CSF2 Toolkit. Hopefully, you will have seen that most of what is involved is applied common
sense.
We wish you good luck in your work and, as always, we welcome any feedback you wish to
give us via feedback@certikit.com.