5 Steps to Greater Security Maturity with NIST CSF

NIST released Version 2.0 of the NIST Cyber Security Framework (CSF) in 2024. The original NIST CSF gained significant traction since its release in early 2014, while Version 1.1 added important new elements to help companies continue to advance their cybersecurity practices. 

Version 2.0 takes it a step further and focuses on measuring the effectiveness of cybersecurity activities. This version incorporates the following updates:

• Govern function to emphasize risk management governance outcomes
• Guidance on supply chain risk management and measuring cybersecurity outcomes 
• New templates for creating organized profiles 
• Integration improvements with broader organizational risk management  

This guide will provide you with a roadmap to using NIST CSF to drive greater cybersecurity maturity in control systems.

NIST CSF Framework 2.0 Functions

The NIST CSF 2.0 update incorporates an additional measure that those within the operational risk management space must consider. Here are the latest NIST CSF functions.

Govern

The Govern function within the NIST CSF framework involves monitoring, communicating, and establishing the cybersecurity risk management strategy, expectations, and policies. 

• What it does: Helps organizations decide which cybersecurity actions to prioritize based on their goals and stakeholder needs.
• Why it matters: It’s critical to incorporate cybersecurity into an organization’s broader enterprise risk management (ERM) strategy.

Identify

The Identify function highlights the current cybersecurity risks.

• What it does: Helps organizations understand their vulnerabilities and opportunities for improvement across policies, plans, and procedures that affect the remaining functions.
• Why it matters: Knowledge of the organization’s assets, suppliers, and cybersecurity risks helps prioritize efforts identified under the Govern function.  

Protect

The Protect function uses safety measures to manage cybersecurity risks.

• What it does: Focuses on the outcomes of security, identity management, access control, and authentication for critical infrastructure.
• Why it matters: Securing identified and prioritized assets prevents or lowers the chance and impact of cybersecurity attacks.

Detect

The Detect function finds and analyzes possible cybersecurity attacks.

• What it does: Identifies and examines compromise indicators, adverse events, and anomalies that can indicate an ongoing cyberattack.
• Why it matters: It supports an organization’s successful response and recovery efforts and can lessen the adverse effects of a cyberattack.

Respond

The Respond function takes action against the detected cybersecurity incident.

• What it does: Provides incident management, analysis, mitigation, reporting, and communication outcomes.
• Why it matters: It supports the ability to contain the effects of the cybersecurity incident.

Recover

The Recover function restores affected operations and assets.

• What it does: Repairs damages, Identifies learnings from the cybersecurity incidents, and changes the plan to reduce future incidents.
• Why it matters: It helps organizations minimize the impact of a cybersecurity incident, get back to normal more quickly, and meet compliance requirements.

Profiles and Tiers

NIST CSF 2.0 also integrates profiles and tiers for organizations to understand and improve their cybersecurity POV.  Profiles document the organization’s desired cybersecurity state and highlight what the organization wants to achieve. These are classified into the seven functions: Govern, Identify, Protect, Detect, Respond, and Recover. It also incorporates the organization’s mission, risks, and stakeholder expectations. 

Tiers describe the maturity of an organization’s cybersecurity risk management practices, note how the organization is doing, and identify opportunities for improvement. They range from Tier 1 (Partial) to Tier 4 (Adaptive). Tiers can inform profile development by

• Providing context for how an organization manages risk 
• Helping prioritize actions to achieve target outcomes within the functions

Common NIST CSF Implementation Challenges

Integrating NIST CSF in your organization may come with several challenges during the implementation phase, including:

• Resource limitations such as qualified personnel, finances, and time
• Lack of existing cybersecurity infrastructure or expertise
• Staff pushing back on the changes
• Keeping up with the latest cyber threats
• Finding time to continuously monitor and update the practices

Read the five steps below to help your organization succeed and achieve NIST CSF maturity.

5 Steps to Greater Security Maturity with NIST CSF

Step 1: Rapid Assessment

The first step in following the NIST CSF is to establish a robust—but rapid—assessment of your current status. “Assessment” is a vague term, however. Many customers get stuck before the journey begins under the weight of an assessment process that turns into a months-long exercise in surveys, network diagram reviews, penetration tests, etc. 

The key to gaining momentum is to conduct a rapid assessment within 60–90 days across the organization. This rapid assessment process provides enough detail to build an initial maturity roadmap and to enable the company to begin to make progress. It is not intended to diagnose every threat pathway or end-point vulnerability.

The rapid assessment should provide input on the cybersecurity baseline on people, processes, policies, and technology. It typically encompasses the following:

• Agreement on the “Profiles” or levels that your company will establish for different stages of maturity. (An example is provided above).
• Brief surveys (less than 50 questions) to key personnel in the organization and targeted interviews to round out the quantitative survey results.
• Supply chain risk management (SCRM) assessment to identify critical suppliers, access levels, and their security practices. You can complete this through a brief questionnaire or supplier certifications.
• Gather endpoint and network info directly from systems to assess patch, configuration, user, network, and other vulnerabilities.
• Create prioritized risks against a standard framework such as Defense-in-Depth or CIS Top 18 Controls.

Step 2: Target Maturity Roadmap

The assessment provides the baseline starting point, but the critical step is to then lay out your company’s cybersecurity maturity aspiration based on your specific business needs, regulatory requirements, etc., and build a robust roadmap based on a portfolio of initiatives across process development, technology deployment, and training, and awareness.

To develop a successful roadmap, the following should be considered:

• Alignment with risk management strategy: The roadmap must directly support your organization’s overall risk management strategy and clearly articulate how each initiative aligns with reducing your risk profile.
• Sequence of initiatives/foundational elements: Certain initiatives are prerequisites of others. For instance, having a complete and detailed hardware and software (OS, firmware, application software, configurations, ports, services, etc.) inventory is a requirement to harden configurations and many other CSF categories.
• Prioritization based on business needs, risk, and budgets: Based on the assessment, specific initiatives will rise in priority because they pose the greatest threat to business operations. The assessment should provide the core information necessary to prioritize the greatest risk to the organization. Obviously, this needs to be balanced against overall budgetary constraints.
• Measurement and tracking: In parallel to any defensive or detective initiatives, the organization should be able to track and measure progress. 
• Integrating technology, people, and process: Implementing technology without the people or processes to support it will lead to wasted investments. Similarly, without technology, the procedures the company may develop may be too onerous to provide much insight into the cybersecurity situation. 
• Integrating platform (or “glue”): Over time, the number of initiatives, technology, and procedures will grow. Without careful consideration of investment in the overarching platform or glue that ties these pieces together, the program may become overwhelming.

Taken another way, the need to build on the portfolio of initiatives is usually executed in a cyclical fashion over multiple discrete projects and budgets. The objective is to move from the basic level of protection through higher levels of sophistication and an eventual shift from reactive to proactive monitoring and detection, as depicted in the maturity cycle below.

Maturity Cycle

It is important to note that the above cycle is just a general intended pattern toward a more robust security program. The specific tasks, the order they are executed and the time frame across which they are deployed have to be tied to the specific risks and objectives of the individual organization.

Step 3: Execute Foundational Initiatives 

As highlighted above, every program should have a set of foundational initiatives necessary to enable the broader program. These initiatives should provide some rapid impact on security while also providing baseline capabilities. 

This first “wave” of initiatives should be items that can be achieved within 90 days to demonstrate progress as well as allow for rapid movement to additional elements. These initiatives will include both “informational” or “baselining” initiatives as well as the first wave of “remediation” or “hardening” activities. The baselining-type of activities would include hardware and software inventory, configuration baselines, firewall rule maps, etc. The remediation-type activities would likely include software removal, hardening of baselines, or initial segmentation.

These initiatives normally have “corporate” and “site-level” components. In geographically dispersed organizations, they will focus on approximately 3-5 pilot sites representing a range of locations for the “site-level” components. The foundational initiatives will be rolled out at these sites and they will act as “lead dogs” to be ahead of the pack in implementing greater levels of maturity over time.

This first phase of execution will likely include several key elements:

• Central components such as policies on sensitive data or password standards, procedures such as management of change or patching, and technology such as a central reporting functionality.
• Site-level components such as asset inventory, configuration baselines, and network design/ segmentation reviews.
• Establishing key decision points such as which controls will not apply to certain assets, decision-making on risk-reward or cost-benefit trade-offs, and rules for “technical feasibility exceptions” where devices such as PLCs or older HMIs may not be able to meet control standards and will require some form of compensating controls.

Foundational initiatives can strengthen supply chain risk management efforts (SCRM) through:

• Secure software development practices, like vulnerability scanning and code reviews, to reduce the risk of introducing vulnerabilities into your system from third parties.
• Requiring software bill of materials generation (SBOM) from your vendors to provide visibility of the components within your software. This enables you to identify and address vulnerabilities from third parties quickly. 
• Configuration baselines for your organization and vendor systems to ensure third-party systems meet your security requirements. 
• Regular scanning and patching to improve your overall security and reduce entryways for attackers. 
• Integrating supply chain into your incident response plan to address cyber incidents that extend from third-party vendors.

Step 4: Build on Foundation

With version 1.1, most organizations rolled out proven tool sets to additional sites, embarked on second or third-phases of security tool and procedure design, testing, and deployment to pursue a rich, multi-layered security program. 

Organizations that implement NIST CSF 2.0 are more than likely in the refining, building depth, and maturing phases. Keep the following in mind as you continue to scale your security program with additional processes and technologies:

• Automate routine tasks where possible. 
• Continue to reiterate and optimize for process improvement.
• Maintain a thorough integration framework for new infrastructure.
• Ensure your employees are up to speed on the latest training.
• Update priorities based on risks and business needs regularly. 

Step 5: Monitor, Measure, and Improve

A robust monitoring and measurement program is critical to a successful NIST CSF 2.0 implementation. Like all things in management, inspection and tracking of progress is critical to improvement. 

Companies often forget about these measurement and tracking components until they complete steps 1-4. The resources, tools, and budgets for ongoing monitoring and measurement should be considered upfront. The measurement provides a status report and enables course correction as the initiatives are executed. The roadmap will certainly evolve over time, and measuring progress and issues as it proceeds is critical to intelligent evolution. 

Metrics and dashboards make it easy to provide a visual representation of a program’s status and how it performs against key objectives. Every metric should align with outcomes in the roadmap and be tied to each NIST CSF 2.0 function. Your dashboards should be digestible and high-level enough for key stakeholders.

Measurement efforts tie back into the Governance function because it’s all about aligning with your organization’s goals and embracing data-driven decision-making. Based on your measurements, you can celebrate progress, identify areas of improvement, and monitor prioritized risks.

Conclusion

Bottom line: Cybersecurity maturity is a journey, not a destination. The key to a successful program will be its ability to continually improve the maturity level over time as new risks are identified and new solutions are developed. The roadmap described above should be a living document. The foundational elements and “glue” that integrate the information and tools together should enable the maturity levels to grow over time.