What most people get wrong about the NIST Cybersecurity Framework.


Written by

Aron Lange

Published

Jan 18, 2025

If you believe that the NIST Cybersecurity Framework (CSF) contains controls, it’s time to rethink that assumption. While the framework is incredibly useful, it’s often misunderstood. Let’s break it down.

About the NIST CSF Core

The NIST Cybersecurity Framework (CSF) organizes cybersecurity outcomes into six key Functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each Function is further divided into Categories and Subcategories, which further specify desirable cybersecurity outcomes—but not the actions to achieve them. 

Let’s break this down further with an example:

We begin at the function level and select the Identify function, which describes the following outcome. 

Identify (ID): The organization's current cybersecurity risks are understood.

Underneath this Function, we find several Categories. One of them is Asset Management (ID.AM).

Asset Management (ID.AM): Assets that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.

This category describes the desired outcome as maintaining an overview of assets, such as hardware, software, systems, facilities, services, and people. This is critical because, without a comprehensive understanding of your assets, identifying and assessing risks becomes nearly impossible.

To make things even clearer, subcategories further divide the Asset Management (ID.AM) category into more specific outcomes of technical and management activities. For example, there are eight Subcategories under ID.AM, each with a unique identifier like ID.AM-01, ID.AM-02, and so on. These Subcategories specify outcomes such as maintaining inventories of hardware and software, mapping data flows, and prioritizing assets based on their criticality.

Here are two of the subcategories that contribute to the ID.AM category.

ID.AM-01: Inventories of hardware managed by the organization are maintained

ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained

These outcomes collectively support the Asset Management (ID.AM) category, which in turn contributes to the broader goal of the Identify (ID) Function: understanding and managing an organization’s cybersecurity risks.

What Are Controls, Then?

Controls, according to the ISO, are measures that modify or maintain risk. NIST describes them as descriptions of the safeguards that help you achieve specific objectives or outcomes. Controls answer the “how” question.

For instance, under the Identify function, a relevant control might be:

CM-08 | SYSTEM COMPONENT INVENTORY
a. Develop and document an inventory of system components that:

1. Accurately reflects the system;
2. Includes all components within the system;
3. Does not include duplicate accounting of components or components assigned to any other system;
4. Is at the level of granularity deemed necessary for tracking and reporting; and
5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and

b. Review and update the system component inventory [Assignment: organization-defined frequency].

Notice how the function, categories and subcategories are expressed in a way that reflects a future desired state, whereas controls are articulated in a directive manner. 
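To make the outcome-versus-control distinction concrete, here is an added example (not from the article or from NIST) that turns the directive parts of CM-08 into checks an organization could run over its own inventory: no duplicate accounting of a component (a.3), every record carries the accountability information the organization defined (a.5), and the inventory was reviewed within the defined frequency (b). The required fields, the 90-day review frequency and the inventory records are all constructed assumptions standing in for the two [Assignment: ...] placeholders and for real asset data; a passing result is evidence toward the ID.AM-01/ID.AM-02 outcomes, not the outcome itself.

```python
"""Check a system component inventory against the directive parts of CM-08.

Added example, not part of the original article. The organization-defined
values below are hypothetical placeholders for the CM-08 assignments.
"""
from collections import Counter
from datetime import date, timedelta

# Hypothetical organization-defined values for the two [Assignment: ...]
# placeholders in CM-08; real values come from the organization's policy.
REQUIRED_FIELDS = ("hostname", "owner", "location", "software_version")  # CM-08 a.5
REVIEW_FREQUENCY = timedelta(days=90)                                      # CM-08 b

# Constructed sample inventory (not real assets). Each record is one
# system component; "id" is the accountability identifier.
SAMPLE_INVENTORY = [
    {"id": "C-001", "system": "payroll", "hostname": "pay-db-01",
     "owner": "finance-it", "location": "DC1-R4", "software_version": "pg-15.4"},
    {"id": "C-002", "system": "payroll", "hostname": "pay-app-01",
     "owner": "finance-it", "location": "DC1-R4", "software_version": "app-2.3"},
    # Same component recorded again under a second system: violates a.3
    {"id": "C-002", "system": "hr", "hostname": "pay-app-01",
     "owner": "hr-it", "location": "DC1-R4", "software_version": "app-2.3"},
    # Empty owner field: violates a.5 (required accountability information)
    {"id": "C-003", "system": "payroll", "hostname": "pay-web-01",
     "owner": "", "location": "DC1-R5", "software_version": "nginx-1.24"},
]


def find_duplicate_components(inventory):
    """CM-08 a.3: ids counted more than once, whether under the same or another system."""
    counts = Counter(rec["id"] for rec in inventory)
    return sorted(cid for cid, n in counts.items() if n > 1)


def find_missing_fields(inventory, required=REQUIRED_FIELDS):
    """CM-08 a.5: map each id to the accountability fields it lacks (empty counts as missing)."""
    missing = {}
    for rec in inventory:
        gaps = [f for f in required if not rec.get(f)]
        if gaps:
            missing[rec["id"]] = gaps
    return missing


def review_overdue(last_review_iso, today_iso, frequency=REVIEW_FREQUENCY):
    """CM-08 b: True when the last review (ISO date string) is older than the frequency."""
    last_review = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return today - last_review > frequency


def evaluate_cm08(inventory, last_review_iso, today_iso):
    """Collect findings per CM-08 requirement plus an overall pass/fail verdict."""
    findings = {
        "a3_duplicates": find_duplicate_components(inventory),
        "a5_missing_fields": find_missing_fields(inventory),
        "b_review_overdue": review_overdue(last_review_iso, today_iso),
    }
    findings["meets_cm08"] = (
        not findings["a3_duplicates"]
        and not findings["a5_missing_fields"]
        and not findings["b_review_overdue"]
    )
    return findings


if __name__ == "__main__":
    # Inventory last reviewed 2024-09-01 and evaluated on 2025-01-18 (139 days later)
    for key, value in evaluate_cm08(SAMPLE_INVENTORY, "2024-09-01", "2025-01-18").items():
        print(f"{key}: {value}")
```

Requirements a.1, a.2 and a.4 (accuracy, completeness, granularity) are deliberately not scripted: they can only be judged against an independent source of truth such as a network discovery scan or a procurement record, which is exactly the kind of judgement the CSF leaves to the organization.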

Where to go from here?

If you want a deeper dive into how categories and subcategories in the CSF contribute to these six functions, check out my latest video. It’s packed with insights to help you better understand how the NIST CSF can help you in securing your organization.
