
NIST CSF and Security Frameworks

This chapter covers the NIST Cybersecurity Framework (CSF) and other key security frameworks required for Security+ SY0-701 objective 5.1 (Security Program Management). Understanding these frameworks is critical because they provide structured approaches to managing cybersecurity risk, and exam questions often ask you to map activities to specific framework functions or compare frameworks. You will learn the five core functions of the CSF, how to implement them, and how they differ from other frameworks like ISO 27001, COBIT, and NIST SP 800-53.

25 min read
Intermediate
Updated May 31, 2026

NIST CSF as a Home Security Blueprint

Imagine you're building a house. You don't just lock the front door and hope for the best. Instead, you hire an architect who creates a comprehensive blueprint. The NIST Cybersecurity Framework (CSF) is that blueprint for an organization's security program. The five functions—Identify, Protect, Detect, Respond, Recover—are like the major systems of the house. Identify is like surveying the property and listing all valuables (assets). Protect is installing locks, alarms, and reinforced doors (safeguards). Detect is putting in motion sensors and cameras (monitoring). Respond is having a fire extinguisher and emergency plan (incident response). Recover is having insurance and a restoration plan (business continuity). Just as a blueprint guides every contractor to work together, the CSF guides different teams—IT, legal, HR—to coordinate. Without it, you might have a strong firewall but no log monitoring, like a house with a steel door but no alarm. The CSF ensures balanced protection across all five pillars, not just one. It's not a checklist; it's a strategic framework that adapts to your specific house size, location, and risks.

How It Actually Works

What is the NIST Cybersecurity Framework (CSF)?

The NIST CSF is a voluntary framework developed by the National Institute of Standards and Technology to help organizations manage cybersecurity risk. It was created in response to Executive Order 13636 (2013) and updated to version 2.0 in 2024. The framework consists of three main components: the Core, Implementation Tiers, and Profiles.

Core: The Core is a set of cybersecurity activities, outcomes, and references organized around five functions: Identify, Protect, Detect, Respond, Recover. Each function is broken into categories and subcategories. For example, the Identify function includes categories like Asset Management, Risk Assessment, and Governance.

Implementation Tiers: Tiers describe how an organization views cybersecurity risk and the processes in place to manage it. There are four tiers:

Tier 1: Partial (ad hoc, reactive)

Tier 2: Risk Informed (risk-aware but not organization-wide)

Tier 3: Repeatable (consistent, risk-informed, and formally managed)

Tier 4: Adaptive (adaptive, proactive, and continuous improvement)

Profiles: A Profile is a snapshot of an organization's current cybersecurity posture (Current Profile) and its desired goals (Target Profile). The gap between them guides prioritization.

How the CSF Works Mechanically

Organizations use the CSF as a risk management tool. The process is:

1. Scope: Determine which systems, assets, and business processes are in scope.

2. Prioritize: Identify business objectives and high-value assets.

3. Create a Current Profile: Assess current cybersecurity activities against the Core subcategories.

4. Conduct a Risk Assessment: Identify threats, vulnerabilities, and likelihood/impact.

5. Create a Target Profile: Define desired outcomes based on risk appetite.

6. Identify Gaps: Compare the Current and Target Profiles.

7. Action Plan: Prioritize and implement actions to close the gaps.

8. Monitor and Improve: Continuously assess and update the profiles.
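The Profile comparison in steps 3 to 7, as an added example (not code from the page or from NIST): a Profile is modelled as a mapping from subcategory ID to an implementation score on an assumed 0 to 4 scale, and the sample scores and risk weights are constructed.

```python
"""CSF Profile gap analysis (steps 3 to 7 of the process above).
Added example, not code from the page or from NIST. A Profile maps a CSF
subcategory ID to an implementation score on a constructed 0-4 scale
(0 = not performed, 4 = fully implemented and continuously improved).
Subcategory IDs are CSF 1.1 names; scores and risk weights are sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    risk_weight: int

    @property
    def function(self):          # "ID.AM" -> "ID"
        return self.subcategory.split(".")[0]

    @property
    def priority(self):          # bigger gap on a riskier outcome comes first
        return (self.target - self.current) * self.risk_weight


def gap_analysis(current, target, risk_weights):
    """Compare Current and Target Profiles; return gaps, highest priority first.
    A subcategory absent from the Current Profile counts as not performed (0)."""
    gaps = [Gap(sub, current.get(sub, 0), tgt, risk_weights.get(sub, 1))
            for sub, tgt in target.items() if tgt > current.get(sub, 0)]
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def function_coverage(current, target):
    """Share of the Target Profile already achieved, per function (0.0-1.0).
    This is the 'steel door but no alarm' check: one function far below the
    others means protection is unbalanced even if the total looks fine."""
    achieved, wanted = {}, {}
    for sub, tgt in target.items():
        fn = sub.split(".")[0]
        achieved[fn] = achieved.get(fn, 0) + min(current.get(sub, 0), tgt)
        wanted[fn] = wanted.get(fn, 0) + tgt
    return {fn: round(achieved[fn] / wanted[fn], 2) for fn in wanted}


# Constructed sample Profiles for a small organization.
CURRENT = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 3, "DE.CM": 1, "RS.CO": 2, "RC.RP": 1}
TARGET = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 3, "PR.DS": 3,
          "DE.CM": 3, "RS.CO": 3, "RC.RP": 3}
RISK_WEIGHT = {"PR.DS": 3, "DE.CM": 3, "ID.AM": 2}   # output of the risk assessment (step 4)

if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET, RISK_WEIGHT):
        print(f"{g.subcategory}: {g.current} -> {g.target} (priority {g.priority})")
    print(function_coverage(CURRENT, TARGET))
```

The sorted gap list is the input to the action plan (step 7); PR.DS ranks first because it is both absent from the Current Profile and weighted highest.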

Key Components and Variants

NIST CSF v2.0 (2024) added a sixth function: Govern. This emphasizes that cybersecurity governance is a separate, overarching function. The six functions now are: Govern, Identify, Protect, Detect, Respond, Recover.

Other Key Frameworks for SY0-701:

ISO/IEC 27001: International standard for Information Security Management Systems (ISMS). It is prescriptive (requires specific controls) and certifiable. The controls are listed in Annex A.

COBIT (Control Objectives for Information and Related Technologies): Focuses on IT governance and management. It aligns IT goals with business goals.

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems. It is mandatory for U.S. federal agencies and contains over 1,000 controls organized into families (e.g., AC – Access Control, AU – Audit and Accountability).

NIST SP 800-171: Protecting Controlled Unclassified Information (CUI) in nonfederal systems. Used by defense contractors.

CIS Controls: A prioritized set of actions (20 controls) to defend against common attacks. They are more tactical and specific than the CSF.

PCI DSS: Payment Card Industry Data Security Standard – required for organizations handling credit card data.

How Attackers Exploit Lack of Framework

Without a framework, organizations often have gaps. For example, an attacker might exploit a lack of asset management (Identify) by targeting an unpatched legacy server not on the inventory. Without detection capabilities (Detect), the attacker can move laterally undetected. Without a response plan (Respond), the organization fumbles containment. The CSF helps close these gaps by forcing holistic coverage.

Real Command/Tool Examples

While the CSF itself is not a tool, you can map CSF subcategories to specific tools and commands. For example:

Asset Management (ID.AM): Use nmap -sV 192.168.1.0/24 to discover devices on the network.

Risk Assessment (ID.RA): Use vulnerability scanners such as OpenVAS or Nessus.

Protect (PR.AC – Access Control): Configure iptables rules or review sudo logs.

Detect (DE.CM – Continuous Monitoring): Set up auditd on Linux or Windows Event Forwarding.

Respond (RS.CO – Communication): Use a SIEM such as Splunk or the ELK stack.

Recover (RC.RP – Recovery Planning): Test backups with restic or Veeam.

Summary

The NIST CSF is a risk-based framework, not a compliance checklist. It helps organizations communicate about cybersecurity in a common language. For the exam, know the five (or six) functions, the tiers, and how the CSF differs from ISO 27001 and NIST SP 800-53.

Walk-Through

1

Identify: Know Your Assets

The first step is to identify all assets, including hardware, software, data, and personnel. Create an asset inventory using tools like CMDB or network scanners. Categorize assets by criticality and value. For example, a database containing PII is high-value. Also, identify threats and vulnerabilities through risk assessments. Document business processes and dependencies. The output is a Current Profile that shows what you have and what risks exist. Without this step, you cannot protect what you don't know exists.

2

Protect: Implement Safeguards

Based on the identified assets and risks, implement safeguards to limit or contain the impact of a potential cybersecurity event. This includes access controls (least privilege, MFA), data security (encryption at rest and in transit), awareness training, and maintenance (patching, vulnerability management). For example, deploy a PAM solution to manage privileged accounts. Use tools like `OpenSCAP` for compliance checking. Document policies and procedures. The goal is to ensure resilience and protect critical services.

3

Detect: Identify Incidents Quickly

Implement monitoring and detection capabilities to identify cybersecurity events in a timely manner. This includes continuous monitoring (SIEM, IDS/IPS), anomaly detection, and logging. For example, configure `auditd` to log all `sudo` commands. Set up alerts for suspicious behavior, like multiple failed logins. Use tools like `Wazuh` or `Splunk` to correlate logs. The Detect function ensures you can identify incidents early, reducing dwell time.
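The "multiple failed logins" alert from this step, as an added example (not code from the page, auditd, Wazuh or Splunk): a small detector over constructed sshd lines in the syslog format of /var/log/auth.log; the host name, user names and addresses are made up, and the rule of 5 failures within 60 seconds is an assumed tuning value.

```python
"""Failed-login burst detector for the Detect function (DE.CM).
Added example, not code from the page or from any named tool. It reads
sshd lines in the syslog format of /var/log/auth.log; the sample below is
constructed (host, users, addresses), and the 5-failures-in-60-seconds
rule is an assumed tuning value."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

SAMPLE_LOG = """\
Mar 14 10:02:01 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 10:02:04 web01 sshd[2303]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 14 10:02:09 web01 sshd[2305]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 14 10:02:15 web01 sshd[2307]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar 14 10:02:21 web01 sshd[2309]: Failed password for alice from 203.0.113.7 port 51026 ssh2
Mar 14 10:02:40 web01 sshd[2311]: Accepted password for alice from 203.0.113.7 port 51027 ssh2
Mar 14 10:05:00 web01 sshd[2320]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar 14 10:06:30 web01 sshd[2322]: Accepted publickey for bob from 198.51.100.9 port 40001 ssh2
"""


def parse(line, year=2026):
    """Return (timestamp, result, user, ip) or None for lines we ignore.
    Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window_s=60):
    """Sliding-window count of failures per source address.
    Emits a medium alert when a source reaches `threshold` failures inside
    `window_s` seconds, and a high alert if that same source then logs in
    successfully (the guessing worked, so that account needs attention)."""
    failures = defaultdict(deque)   # ip -> failure timestamps still inside the window
    bursting = set()
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("medium", ip, f"{len(q)} failed logins in {window_s}s"))
        elif ip in bursting:        # Accepted logon from a source already alerting
            alerts.append(("high", ip, f"successful logon as {user} after failed-login burst"))
    return alerts
```

Bob's single failure followed by a key-based logon produces nothing, which is the point of the threshold: a real SOC rule must tolerate ordinary typos while still catching the burst.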

4

Respond: Take Action

When an incident is detected, execute the incident response plan. This includes containment (isolating affected systems), eradication (removing malware), and recovery (restoring from backups). Communication is critical: notify stakeholders, law enforcement if required, and customers if data is breached. Use playbooks like those from NIST SP 800-61. For example, if ransomware is detected, immediately disconnect the infected host from the network. Document all actions for post-incident review.

5

Recover: Restore Operations

After containing and eradicating the threat, restore normal operations. This includes restoring data from backups, rebuilding systems, and verifying integrity. Implement improvements based on lessons learned. Update the Target Profile to reflect new security measures. For example, after a phishing attack that led to credential theft, deploy MFA and conduct training. The goal is to return to business as usual while strengthening defenses against future attacks.

What This Looks Like on the Job

Scenario 1: Ransomware Attack at a Hospital

A hospital's IT team uses the NIST CSF to guide their security program. One day, the SIEM (Splunk) detects unusual encryption activity on a file server. The analyst sees thousands of 'file rename' events with a .encrypted extension. Following the Detect function, they escalate to the incident response team. The Respond team isolates the server by disabling the network port (via the switch CLI commands interface gig0/1 and shutdown). They then use EDR tools to identify the ransomware variant (e.g., Ryuk). They restore the server from backups (Recover) and update the antivirus signatures. A common mistake is to immediately power off the server, losing forensic data. Instead, they properly image the drive for analysis. Post-incident, they update their asset inventory (Identify) and implement additional logging (Detect).

Scenario 2: Insider Threat at a Financial Firm

An employee at a financial firm downloads customer data to a personal USB drive. The DLP (Data Loss Prevention) tool detects the transfer and alerts the SOC. The analyst reviews the user's activity logs (Windows Event ID 4663 – an attempt was made to access an object) and sees the user copied files from a restricted share. The firm's CSF Profile includes a Target for 'Data Security' (PR.DS). They have a policy that requires USB ports to be disabled via Group Policy, but this user's laptop was an exception. The analyst initiates the response: revokes access, interviews the employee, and reports to HR. The mistake would be to ignore the alert because it came from a trusted employee. The firm updates its Profile to close the exception gap.

Scenario 3: Phishing Campaign Targeting a University

A university receives multiple phishing emails claiming to be from IT support. The email gateway (Proofpoint) marks them as suspicious but delivers them (low confidence). A student clicks the link and enters credentials. The SIEM detects a login from an unusual IP (geolocated in Russia) within minutes. The analyst checks the user's recent logon events (Event ID 4624) and sees a successful logon from the attacker IP. The Respond team forces a password reset and enables MFA for the student. They also block the IP at the firewall. The mistake would be to only reset the password without enabling MFA, leaving the account vulnerable if the attacker had already set up a mailbox rule. The university updates its awareness training (Protect) to include phishing simulations.

How SY0-701 Actually Tests This

What SY0-701 Tests on This Objective

Objective 5.1: Summarize the importance of security policies, frameworks, and procedures. The exam expects you to:

Identify the five (or six) functions of the NIST CSF and what each entails.

Differentiate between the CSF, ISO 27001, NIST SP 800-53, and COBIT.

Understand the purpose of Implementation Tiers and Profiles.

Recognize that the CSF is voluntary and risk-based, not prescriptive.

Common Wrong Answers and Why

1. Choosing 'ISO 27001' when the question asks for a framework that is risk-based and voluntary. Candidates pick ISO 27001 because it is a well-known standard, but it is certifiable and prescriptive (requires specific controls). The CSF is voluntary and focuses on outcomes.

2. Mixing up NIST SP 800-53 with the CSF. Both are from NIST, but 800-53 is a catalog of controls, not a framework. The CSF is higher-level and uses 800-53 as a reference.

3. Thinking the CSF is only for U.S. federal agencies. While it was created for critical infrastructure, it is used globally by private sector organizations.

4. Missing 'COBIT' on a question about aligning IT with business goals. COBIT is the correct answer there, but candidates confuse it with ISO 27001.

Specific Terms and Acronyms

NIST CSF: Cybersecurity Framework

Functions: Identify, Protect, Detect, Respond, Recover, and now Govern (v2.0)

Tiers: Partial, Risk Informed, Repeatable, Adaptive

Profiles: Current vs. Target

ISO/IEC 27001: ISMS standard, Annex A controls

NIST SP 800-53: Security and Privacy Controls

COBIT: Control Objectives for Information and Related Technologies

Common Trick Questions

A question describes creating a 'Current Profile' and 'Target Profile' – the answer is NIST CSF.

A question lists specific controls like 'AC-1 Access Control Policy' – that's NIST SP 800-53.

A question asks for a framework that is internationally recognized and certifiable – ISO 27001.

Decision Rule for Eliminating Wrong Answers

If the question mentions 'risk-based', 'voluntary', or 'five functions', choose NIST CSF. If it mentions 'certification', 'international standard', or 'Annex A', choose ISO 27001. If it mentions 'federal', 'controls catalog', or 'SP 800-53', choose NIST SP 800-53. If it mentions 'IT governance' or 'align IT with business', choose COBIT.

Key Takeaways

NIST CSF has five core functions: Identify, Protect, Detect, Respond, Recover (plus Govern in v2.0).

Implementation Tiers: Partial, Risk Informed, Repeatable, Adaptive.

CSF Profiles compare current state vs. target state.

ISO 27001 is certifiable and prescriptive; NIST CSF is voluntary and risk-based.

NIST SP 800-53 is a control catalog for federal systems, not a framework.

COBIT focuses on IT governance and aligning IT with business goals.

The CSF is not a checklist; it is outcome-driven.

CSF v2.0 added the Govern function to emphasize cybersecurity governance.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

NIST CSF

Voluntary, risk-based framework

Focuses on outcomes, not specific controls

Not certifiable

U.S. origin but global use

Five (or six) high-level functions

ISO 27001

Certifiable international standard

Prescriptive controls (Annex A)

Organizations can be audited and certified

International (ISO)

Detailed control categories (14 domains)

Watch Out for These

Mistake

The NIST CSF is a compliance standard that organizations must follow.

Correct

The CSF is voluntary and not a compliance standard. It is a risk-based framework that organizations can adopt to improve cybersecurity posture. Compliance is not the goal; risk management is.

Mistake

ISO 27001 and NIST CSF are interchangeable and serve the same purpose.

Correct

ISO 27001 is a certifiable international standard with prescriptive controls, while the NIST CSF is a voluntary, risk-based framework that focuses on outcomes. They can be used together, but they are not the same.

Mistake

The NIST CSF only applies to U.S. federal agencies.

Correct

The CSF was originally developed for critical infrastructure but is now used by organizations worldwide, including private companies, nonprofits, and state/local governments.

Mistake

Implementation Tiers are like maturity levels that indicate how 'good' an organization is.

Correct

Tiers reflect the organization's risk management practices, not maturity. A Tier 2 organization may be perfectly adequate for its risk appetite. The goal is to reach the target tier, not necessarily Tier 4.

Mistake

The NIST CSF is a checklist of controls to implement.

Correct

The CSF is outcome-driven, not prescriptive. It defines what outcomes should be achieved (e.g., 'asset inventory is maintained'), but does not specify how. Organizations choose their own controls.

Frequently Asked Questions

What are the five functions of the NIST Cybersecurity Framework?

The five functions are Identify, Protect, Detect, Respond, and Recover. In version 2.0, a sixth function, Govern, was added. The functions provide a high-level, strategic view of an organization's cybersecurity risk management lifecycle. Identify focuses on understanding assets and risks. Protect implements safeguards. Detect identifies incidents. Respond contains and mitigates incidents. Recover restores capabilities. Govern (v2.0) addresses cybersecurity governance and oversight.

How does the NIST CSF differ from NIST SP 800-53?

The NIST CSF is a voluntary risk-based framework that defines outcomes (what to achieve), while NIST SP 800-53 is a catalog of security controls (how to achieve them). The CSF is higher-level and can be used by any organization. SP 800-53 is mandatory for U.S. federal agencies and contains over 1,000 specific controls organized into families like AC (Access Control) and AU (Audit and Accountability). Many organizations use SP 800-53 as a reference to implement the CSF.

What are Implementation Tiers in the NIST CSF?

Implementation Tiers describe how an organization views cybersecurity risk and the processes in place to manage it. There are four tiers: Tier 1 (Partial) – ad hoc and reactive; Tier 2 (Risk Informed) – risk-aware but not organization-wide; Tier 3 (Repeatable) – consistent and formally managed; Tier 4 (Adaptive) – adaptive and proactive. Tiers are not maturity levels; they help organizations set a target that aligns with their risk appetite.

Is the NIST CSF mandatory for U.S. companies?

No, the NIST CSF is voluntary. It was developed to help critical infrastructure organizations improve cybersecurity, but it is not a regulatory requirement. However, some regulators may reference the CSF as a best practice. For example, the SEC has cited the CSF in cybersecurity disclosure rules. In contrast, NIST SP 800-53 is mandatory for federal agencies, and PCI DSS is mandatory for companies handling credit card data.

What is the difference between a Current Profile and a Target Profile?

A Current Profile describes an organization's current cybersecurity posture by mapping its activities to the CSF Core subcategories. A Target Profile describes the desired outcomes based on business needs and risk appetite. The gap between the two profiles helps prioritize actions and investments. Profiles are dynamic and should be updated as risks and business objectives change.

How does the NIST CSF relate to the CIS Controls?

The NIST CSF is a high-level, outcome-based framework, while the CIS Controls are a prioritized set of 20 specific, actionable controls. They are complementary: you can use the CIS Controls to implement the Protect function of the CSF. For example, CSF subcategory PR.AC (Access Control) can be addressed by CIS Control 4 (Controlled Use of Administrative Privileges).

What is the purpose of the NIST CSF's 'Govern' function added in version 2.0?

The Govern function addresses cybersecurity governance, including establishing and monitoring cybersecurity policies, roles, and responsibilities. It ensures that cybersecurity is integrated into the organization's overall risk management strategy. This function was added to emphasize that cybersecurity is not just a technical issue but a business risk that requires executive oversight.
