NIST Cybersecurity Framework Explained
This guide is part of the documentation available in SecBoard. It explains what the NIST Cybersecurity Framework (CSF) is, its five core functions, and how the SecBoard Framework Compliance module helps you manage NIST CSF (and other frameworks) with controls, evidence, and progress tracking in one place.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology (NIST) in the United States. It gives organisations a common language and structure for managing and reducing cybersecurity risk, and is used worldwide by organisations of all sizes across many industries. It does not replace laws or other standards but can be used alongside them (e.g. with ISO 27001 or sector-specific regulations).
The framework is organised around five high-level core functions: Identify, Protect, Detect, Respond, and Recover. Under each function are categories and subcategories that map to specific outcomes and controls. Organisations choose which subcategories apply, implement controls, and use Implementation Tiers and Profiles to describe their current and target maturity. In SecBoard, you can create a compliance framework with type NIST and map your control categories and controls to the CSF structure so that progress and evidence are tracked in one place.
The five core functions
The CSF is built on five functions that represent the main pillars of a cybersecurity programme: Identify, Protect, Detect, Respond, and Recover.
Functions and example categories
Each function is broken down into categories (and subcategories) that describe more concrete outcomes. A simplified overview:
| Function | Example categories (summary) |
|---|---|
| Identify (ID) | Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management. |
| Protect (PR) | Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology. |
| Detect (DE) | Anomalies and Events; Security Continuous Monitoring; Detection Processes. |
| Respond (RS) | Response Planning; Communications; Analysis; Mitigation; Improvements. |
| Recover (RC) | Recovery Planning; Improvements; Communications. |
In SecBoard Framework Compliance, when you create a NIST framework you can define control categories that align with these functions and categories (e.g. one category per CSF category or per function). Controls then map to subcategories or your own control set, and you track implementation and evidence.
Implementation Tiers and Profiles
Two concepts help organisations use the CSF in practice:
- Implementation Tiers (Tier 1–4) describe how an organisation views cybersecurity risk and how mature the processes it uses to manage that risk are, in the context of the CSF. Tier 1 is partial and ad hoc; Tier 4 is adaptive and fully integrated with the organisation’s risk and supply chain practices. Tiers are not maturity levels for individual subcategories but an overall characterisation of the programme.
- Profiles are selections of outcomes (subcategories) and priorities that reflect the organisation’s needs, risk tolerance, and resources. A "Current Profile" shows where you are today; a "Target Profile" shows where you want to be. The gap between them drives improvement plans.
SecBoard does not enforce tier or profile definitions; you document them in policies and plans. SecBoard helps you track which controls (aligned to CSF categories/subcategories) are in place, with evidence and owners, so that your Current Profile and progress toward your Target Profile are visible in the Framework Compliance dashboard.
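The Current-versus-Target Profile gap described above, and the completion and gap figures the Framework Compliance dashboard reports, can be reproduced with a small model of controls mapped to CSF subcategories. The following is an added illustration, not SecBoard's code: the control codes use CSF 1.1 subcategory identifiers, and the rule that a control only counts when it is implemented, owned and evidenced is an assumption made here to match the evidence-and-owner tracking the guide describes.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Function codes and names as used in the CSF tables on this page.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

@dataclass
class Control:
    code: str                       # CSF subcategory the control maps to, e.g. "PR.AC-1"
    status: str                     # "implemented", "partial" or "not_implemented"
    owner: Optional[str] = None
    evidence: List[str] = field(default_factory=list)

    @property
    def function(self) -> str:
        return self.code.split(".")[0]  # "PR.AC-1" -> "PR"

    def is_complete(self) -> bool:
        # Assumed rule: a control counts only once it is implemented, owned and evidenced.
        return self.status == "implemented" and self.owner is not None and bool(self.evidence)

def completion_by_function(controls: List[Control]) -> Dict[str, float]:
    """Fraction of complete controls per CSF function (0.0 when a function has no controls)."""
    done: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for c in controls:
        total[c.function] += 1
        done[c.function] += c.is_complete()
    return {name: round(done[f] / total[f], 2) if total[f] else 0.0 for f, name in FUNCTIONS.items()}

def profile_gap(controls: List[Control], target: Set[str]) -> Dict[str, List[str]]:
    """Target Profile outcomes with no control at all, and those whose control is not yet complete."""
    by_code = {c.code: c for c in controls}
    missing = sorted(t for t in target if t not in by_code)
    incomplete = sorted(t for t in target if t in by_code and not by_code[t].is_complete())
    return {"missing": missing, "incomplete": incomplete}

# Constructed sample data (not real SecBoard records): a small control set and a Target Profile.
SAMPLE_CONTROLS = [
    Control("ID.AM-1", "implemented", "it-ops", ["asset-inventory-export.csv"]),
    Control("ID.AM-2", "partial", "it-ops"),                             # no evidence yet
    Control("PR.AC-1", "implemented", "iam-team", ["mfa-policy.pdf"]),
    Control("PR.AC-4", "implemented", None, ["access-review-q1.xlsx"]),  # evidenced but unowned
    Control("DE.CM-1", "not_implemented"),
    Control("RS.RP-1", "implemented", "soc-lead", ["ir-plan-v3.pdf"]),
]
TARGET_PROFILE = {"ID.AM-1", "ID.AM-2", "PR.AC-1", "PR.AC-4", "DE.CM-1", "RC.RP-1"}
```

Calling `completion_by_function(SAMPLE_CONTROLS)` gives Identify and Protect at 0.5 each, Respond at 1.0 and Detect and Recover at 0.0; `profile_gap(SAMPLE_CONTROLS, TARGET_PROFILE)` lists RC.RP-1 as missing and the unevidenced, unowned and unimplemented controls as incomplete.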
Why use the NIST CSF?
Organisations adopt the NIST CSF to:
- Align security activities with business objectives and risk.
- Communicate with leadership, boards, and partners using a recognised structure.
- Prioritise investment and improvements using functions and categories.
- Support regulatory or contractual expectations (many regulations and contracts reference or align with the CSF).
- Benchmark and improve over time using tiers and profiles.
Using SecBoard Framework Compliance with a NIST-type framework lets you centralise control and evidence tracking so that CSF-based reporting and audits are easier to maintain.
How SecBoard supports the NIST CSF
The Framework Compliance module in SecBoard supports multiple framework types, including NIST. You use the same workflow as for ISO 27001 or other frameworks:
| Feature | Role for NIST CSF |
|---|---|
| Framework type NIST | Create a framework and set its type to NIST. You can use a template (e.g. pre-mapped to CSF categories) and create instances per company, or build your own structure that mirrors the five functions and categories. |
| Control categories | Define categories that match CSF functions or categories (e.g. Identify – Asset Management, Protect – Access Control). Order and code them so reports and dashboards reflect the CSF layout. |
| Controls | Add controls under each category, with codes and names that reference CSF subcategories or your internal controls. Link controls to domains if you use them for filtering. |
| Evidence and assignments | Attach evidence to controls and assign owners. This supports internal and external reviews and shows how you meet each CSF outcome you have committed to. |
| Dashboard and review | Use the Framework Compliance dashboard to see completion and gaps. Set review frequency and next review date at framework level to keep the NIST programme up to date. |
Access to Framework Compliance is controlled by SecBoard permissions and company assignment, so only authorised users see and edit NIST (and other) frameworks.
NIST CSF and other SecBoard modules
The CSF fits into the broader SecBoard picture:
- Risk management — The Identify function includes risk assessment and risk management strategy. SecBoard’s risk module can hold risks and treatments; NIST framework controls in SecBoard represent the safeguards you have chosen to implement.
- Incident register — Respond and Recover map to incident management and business continuity. Use the SecBoard Incident Register to record incidents and link response to your NIST Respond/Recover controls and evidence.
- Assets and access — Identify (asset management) and Protect (access control) align with asset and access management. Where SecBoard has asset or access modules, they complement the control and evidence tracked in Framework Compliance.
- Other frameworks — You can run several frameworks in SecBoard (e.g. NIST and ISO 27001). Control mapping helps you avoid duplicate work and show alignment between NIST CSF and other standards.
Getting started with NIST CSF in SecBoard
- Obtain the official NIST CSF publication (e.g. from NIST’s website) and decide scope, tier, and target profile.
- In SecBoard, create a Framework Compliance framework with type NIST. Use a template if available (e.g. with categories aligned to the five functions), or add categories and controls that match your chosen subcategories.
- For each relevant control, set status, assign an owner, and attach evidence. Use the dashboard to track progress and plan reviews.
- Review and update your profile and tier periodically; use SecBoard to keep evidence and notes in one place for internal and external discussions.
NIST CSF and SecBoard Framework Compliance
The SecBoard Framework Compliance module lets you manage the NIST Cybersecurity Framework and other frameworks (e.g. ISO 27001, PCI DSS, CIS): create frameworks, define control categories and controls, attach evidence, assign owners, and track review dates. Use the "Guide" button on the Framework Compliance dashboard to open this text. For the official framework structure and subcategories, refer to the NIST CSF publication.
Combining Framework Compliance with risk management, incident register, and other SecBoard modules helps you maintain a cybersecurity programme that is aligned with the NIST CSF and auditable.
Frequently asked questions
What is the NIST Cybersecurity Framework? — The NIST CSF is a voluntary framework that provides a structure and common language for managing cybersecurity risk. It is built around five core functions: Identify, Protect, Detect, Respond, and Recover. Organisations use it to align security with business, prioritise actions, and communicate with stakeholders.
Is the NIST CSF mandatory? — The CSF itself is voluntary. Some laws or contracts may reference or require alignment with the CSF (e.g. in certain US sectors). Check your regulatory and contractual obligations; SecBoard helps you track controls and evidence regardless of whether adoption is voluntary or required.
How does SecBoard support the NIST CSF? — SecBoard’s Framework Compliance module supports framework type NIST. You create frameworks (templates or company instances), add control categories aligned to the five functions and CSF categories, add controls, attach evidence, and assign owners. The dashboard and control views help you track progress and demonstrate implementation.
What are Implementation Tiers and Profiles? — Tiers (1–4) describe how integrated and repeatable your organisation’s risk management is in the context of the CSF. Profiles are selections of CSF outcomes (subcategories) that describe your current and target state. SecBoard tracks controls and evidence; you document tier and profile in your own policies and plans.
Can I use NIST and other frameworks together in SecBoard? — Yes. SecBoard Framework Compliance supports multiple framework types (NIST, ISO 27001, PCI DSS, CIS, custom, etc.). You can manage several frameworks and use control mapping to show alignment between NIST CSF and other standards, reducing duplicate work.