A company might conduct a NIST CSF Gap & Risk Assessment because it provides a structured and flexible approach to managing cybersecurity risk. The framework is based on industry standards and best practices and can be customized to fit an organization’s unique needs. Additionally, the NIST CSF is widely recognized and adopted by organizations in both the public and private sectors, making it easier for a company to demonstrate compliance with regulatory requirements and industry standards.

Our assessment methodology will educate, inform, and guide your information security program using an industry-standard framework for securing data and systems. According to the framework’s published documentation, the NIST Cybersecurity Framework (CSF) applies to all organizations “regardless of size, degree of cybersecurity risk, or sophistication.” The NIST CSF takes the most impactful components of many global standards and incorporates them into a single, targeted framework. In cybersecurity circles, NIST is best known for developing the CSF and other frameworks for protecting controlled unclassified government contractor and military supply chain data (800-171) and the government’s classified data (800-53).

NIST CSF Overview

The current NIST CSF Version 1.1 is tuned to assess these five core functions:

  1. Identify (ID)
  2. Protect (PR)
  3. Detect (DE)
  4. Respond (RS)
  5. Recover (RC)

NIST CSF Functions, Categories, & Subcategories

The NIST Cybersecurity Framework (CSF) has five core functions:

  1. Identify (ID): Establish the context of the organization’s cybersecurity risk management and establish the foundation for an effective cybersecurity program.

  2. Protect (PR): Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.

  3. Detect (DE): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

  4. Respond (RS): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

  5. Recover (RC): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The five functions are further broken down into 23 categories and 108 subcategories. The categories are:

  1. ID.AM Asset Management
  2. ID.BE Business Environment
  3. ID.GV Governance
  4. ID.RA Risk Assessment
  5. ID.RM Risk Management Strategy
  6. ID.SC Supply Chain Risk Management
  7. PR.AC Identity Management and Access Control
  8. PR.AT Awareness and Training
  9. PR.DS Data Security
  10. PR.IP Information Protection Processes and Procedures
  11. PR.MA Maintenance
  12. PR.PT Protective Technology
  13. DE.AE Anomalies and Events
  14. DE.CM Security Continuous Monitoring
  15. DE.DP Detection Processes
  16. RS.RP Response Planning
  17. RS.CO Communications
  18. RS.AN Analysis
  19. RS.MI Mitigation
  20. RS.IM Improvements
  21. RC.RP Recovery Planning
  22. RC.IM Improvements
  23. RC.CO Communications


NIST CSF Controls For Risk Assessments

Performing a NIST Gap & Risk Assessment is important because the assessment itself helps meet several of the NIST CSF controls, including:

  1. Identifying the organization’s assets, including information and systems, and the associated risks to those assets.

  2. Identifying the threats and vulnerabilities that could potentially exploit those risks.

  3. Assessing the likelihood and impact of those threats and vulnerabilities on the organization’s assets.

  4. Prioritizing risks based on their likelihood and impact and determining the appropriate level of risk management.

  5. Communicating risk information to relevant stakeholders, including management, employees, and others.

  6. Keeping the risk assessment up to date by regularly reviewing and revising it to reflect changes in the organization, its assets, and the threat landscape.

  7. Regularly repeating the risk assessment process to ensure that risks are identified, analyzed, and managed on a continuous basis.

  8. Considering the interdependencies of different systems and assets to identify potential cascading effects in case of a breach.

A valuable security assessment of your overall information security program

Assess 108 security subcategories
Analyze security gaps, risks, and maturity levels
Report of findings and recommendations

Security Is About The Journey, Not A Destination