
NIST Cybersecurity Framework 2.0:
Quick-Start Guide for Creating and Using Organizational Profiles

U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology

NIST Special Publication NIST SP 1301
https://doi.org/10.6028/NIST.SP.1301
February 2024

NIST CSF 2.0: CREATING AND USING ORGANIZATIONAL PROFILES
A QUICK START GUIDE
INTRODUCTION

Drive Progress Over Time with Organizational Profiles

An Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of cybersecurity outcomes from the Cybersecurity Framework (CSF) Core. Organizational Profiles are used to understand, tailor, assess, and prioritize cybersecurity outcomes based on an organization’s mission objectives, stakeholder expectations, threat landscape, and requirements. The organization can then act strategically to achieve those outcomes. These Profiles can also be used to assess progress toward targeted outcomes and to communicate pertinent information to stakeholders.

Organizational Profiles can be categorized as:
• A Current Profile that specifies the CSF outcomes an organization is currently achieving and characterizes how or to what extent each outcome is being achieved.
• A Target Profile that specifies the desired CSF outcomes an organization has selected and prioritized for achieving its cybersecurity risk management objectives. A Target Profile considers anticipated changes to the organization’s cybersecurity posture, such as new requirements, new technology adoption, and trends in threat intelligence.

[Figure: “Drive Progress Over Time” / “Create and Use Organizational Profiles”]

Create and Use Organizational Profiles with the CSF Five-Step Process
CSF 2.0 describes a five-step process for creating and using Organizational Profiles. More
specifically, the process compares an aspirational Target Profile to an assessed Current
Profile. Then, a gap analysis is performed, and an action plan is developed and
implemented. This process naturally leads to refinements in the Target Profile to be used
during the next assessment.
SCOPE THE ORGANIZATIONAL PROFILE

The scope defines the high-level facts and assumptions on which the Profiles will be based. You can have as many Organizational Profiles as desired, each with a different scope. Questions to answer as you scope your Profile include:
• What’s the reason for creating the Organizational Profile?
• Will the Profile cover the entire organization? If not, which of the organization’s divisions, data assets, technology assets, products and services, and/or partners and suppliers will be included?
• Will the Profile address all types of cybersecurity threats, vulnerabilities, attacks, and defenses? If not, which types will be included?
• Which individuals or teams will be responsible for developing, reviewing, and operationalizing the Profile?
• Who will be responsible for setting expectations for actions to achieve the target outcomes?

Ways to Think about Profiles
A given organization may wish to use several Profiles. Each Profile can have a distinct scope based on factors like:
• technology category (IT, OT)
• data types (PII, PHI, PCI)
• users (employees, third-parties)
The scope of a Profile determines the applicability of a given CSF outcome. It may be helpful to combine two or more Profiles when scopes overlap.

[Figure: Organizational Profile Facts – example Profile scopes: Human Resources (IT Systems); End User (IT Systems); Manufacturing Floor (OT Systems); Third-Party Systems (IT Systems); Using Systems with Artificial Intelligence; Design Information]
GATHER NEEDED INFORMATION

Examples of information may include organizational policies, risk management priorities and resources, cybersecurity requirements and standards... The sources of information needed will depend on the use case, the elements that the Profiles will capture, and the level of detail desired. Common sources of information include:

1. Community Profiles
A Community Profile is a baseline of CSF outcomes created and published to address shared interests and goals among a number of organizations. A Community Profile is typically intended for a particular sector or subsector, technology, threat type, or other use case.
An organization can use a Community Profile as the basis for its own Target Profile by copying the Community Profile into an Organizational Profile. A Community Profile can be adapted by:
• Adjusting the priorities of particular CSF outcomes
• Adding organization-specific Subcategories, Informative References, or implementation guidance
See A Guide to Creating CSF 2.0 Community Profiles for more information on creating and using Community Profiles.

2. NIST Organizational Profile Template
NIST provides a CSF Organizational Profile template as a Microsoft Excel spreadsheet. You can download it and fill it in to create Current and Target Profiles for your organization. The template facilitates side-by-side comparison of Current and Target Profiles to identify and analyze gaps. You can find the template on the CSF 2.0 website.

Prioritization: The Defining Feature of a Profile
The central notion of a Target Profile is to determine differing priorities for applicable CSF outcomes. Priorities help you determine parts of your cybersecurity program that should be resourced more, or less. Cybersecurity priorities are driven by strategic objectives, laws, regulations, and risk responses. To learn more, see SP 800-37 about organization-wide risk management tasks in the Prepare Step. IR 8286B offers information about how the CSF Core supports risk response decisions.
CREATE THE ORGANIZATIONAL PROFILE – PART 1

Determine what types of supporting information each Profile should include for the selected CSF outcomes... Steps for creating an Organizational Profile are:
3a: Download the latest CSF Organizational Profile template spreadsheet and customize as desired.
3b: Include cybersecurity outcomes that apply to your use case, and document rationales as needed.
3c: Document current cybersecurity Practices in the Current Profile columns. More detailed entries may provide better insights for later steps.
3d: Document cybersecurity Goals and the plans for achieving them in the Target Profile columns. Entries may be based on CSF Informative References, new cybersecurity requirements, new technologies, and trends in cyber threat intelligence.
3e: Note the importance of each Goal using the Priority field.

Columns of the Organizational Profile template:

CSF Outcomes
• Identifier and Description – The identifiers and descriptions from the CSF Core – Functions, Categories, Subcategories. You can also add your own outcomes to address your organization’s unique risks and requirements.

Current Profile
• Practices – Policies, processes, procedures and other activities related to an outcome. May include artifacts that contain evidence of achieving an outcome.
• Status – The current state or condition of an outcome, such as whether it is being achieved and to what degree.
• Rating – An assessment or evaluation of current practices using scales such as: high/medium/low; 1-5; 0-100%; red/yellow/green.

Target Profile
• Priority – The relative importance of an outcome using scales such as: Low/Medium/High; 1/2/3/4/5; rankings (1, 2, 3…).
• Goals – Such as: Policies, Processes, and Procedures; Roles and Responsibilities. Selected from: Informative References – standards, guidance, and best practices.
CREATE THE ORGANIZATIONAL PROFILE – PART 2
The table below shows a notional example of a single row from an Organizational Profile. This is meant for illustrative purposes only. Here are some tips drawn from the example:
• Add and remove columns from the Organizational Profile template to suit your needs. The CSF encourages users to record whatever information is significant and to use whatever format they prefer.
• The columns do not have to be the same for the Current Profile and the Target Profile.
• Include Informative References to understand differences between Practices and Goals. This example shows SP 800-53 controls in the square brackets.

CSF Outcomes
• Identifier: PR.PS-01
• Description: Configuration management practices are established and applied

Current Profile
• Practices: Policy: Configuration Management policy version 1.4, last updated 10/14/22. Defines the configuration change control policy [CM-1]. Procedures: System owners and technology managers informally implement configuration management practices. Change control processes are not consistently followed. The CIO specifies configuration baselines [CM-2] for the IT platforms and applications most widely used within the organization, but baseline use is not monitored or enforced consistently across the organization.
• Status: Configuration management is partially implemented within the organization. Some systems do not follow available baselines and other systems do not have baselines, so they may have weak configurations that make them more susceptible to misuse and compromise. Unauthorized changes may go undetected. Some changes are not tested or tracked.
• Rating: 3 out of 5

Target Profile
• Priority: High
• Goals: Policy: The Configuration Management policy requires configuration baselines to be specified, used, enforced, and maintained for all commodity technologies used by the organization. The policy requires change control processes to be followed for all technologies within the organization [CM-1]. Procedures: Each division of the organization has a configuration management plan [CM-9], as well as maintains, implements, and enforces configuration baselines [CM-2] and settings [CM-6] for their systems. Baselines are applied to all systems before production release. All systems are continuously monitored for unexpected configuration changes, and tickets are automatically generated when deviations from baselines occur. Designated parties review change requests and corresponding impact analyses [CM-4] and approve or deny each [CM-3].
ANALYZE GAPS AND CREATE AN ACTION PLAN – PART 1

Identifying and analyzing the differences between the Current and Target Profiles enables an organization to find gaps and develop a prioritized action plan for addressing those gaps. Using Profiles in this manner helps your organization make better-informed decisions about how to improve cybersecurity risk management in a prioritized and cost-effective manner.

[Figure: Step 4a compares the Target Profile’s Goals (Core outcome description, Informative References, Implementation Examples) with the Current Profile’s Practices (people, process, technology); Step 4b records the differences as Improvements (action, priority, owner, deadline, resources).]

Step 4a – How to Analyze Gaps
Compare and contrast your current practices, across people, process, and technology, to the best practices described in CSF outcome descriptions, Informative References, and Implementation Examples. With those goals in mind, make observations about differences and document those items as candidate improvements.

Step 4b – How to Create Action Plans
The action plan is a list of pending improvements for your cybersecurity program. In addition to the Organizational Profile gap analysis, the action plan should consider mission drivers, benefits, risks, and necessary resources (e.g., staffing, funding). Action plans should have all the essential items in the graphic above.
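The following is an added example, not NIST’s code and not the NIST Excel template. It models one Profile row per CSF outcome with the columns this guide describes (Identifier, Description, Practices, Status, Rating, Priority, Goals) and carries Steps 4a and 4b through in code: each row’s Current rating is compared with its Target priority, rows already at target are dropped, and the rest become action-plan entries with the action/priority/owner/deadline/resources items from the graphic. The 1–5 rating scale is taken from the guide’s example row; the numeric weights given to Low/Medium/High and the sample rows other than PR.PS-01 are assumptions constructed for this example.

```python
"""Gap analysis over an Organizational Profile (added example; not NIST's code
and not the NIST Excel template). Assumptions: Rating uses the 1-5 scale from
the guide's example row, and the Low/Medium/High Priority scale is mapped to
the numeric weights below."""
from dataclasses import dataclass

PRIORITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 3}  # assumed weights
RATING_MAX = 5  # "X out of 5" current-practice rating


@dataclass
class ProfileRow:
    identifier: str   # CSF Core Subcategory identifier
    description: str  # CSF Core outcome description
    practices: str    # Current Profile: what is done today
    status: str       # Current Profile: how far the outcome is achieved
    rating: int       # Current Profile: 1..RATING_MAX
    priority: str     # Target Profile: Low / Medium / High
    goals: str        # Target Profile: what should be done


@dataclass
class Improvement:
    """One action-plan entry with the essential items from the guide's graphic."""
    identifier: str
    action: str
    priority: str
    gap_score: int
    owner: str = "TBD"
    deadline: str = "TBD"
    resources: str = "TBD"


def gap_score(row: ProfileRow) -> int:
    """Distance from the top rating, weighted by the outcome's priority.
    An outcome already rated RATING_MAX scores 0, whatever its priority."""
    if row.priority not in PRIORITY_WEIGHT:
        raise ValueError(f"{row.identifier}: unknown priority {row.priority!r}")
    if not 1 <= row.rating <= RATING_MAX:
        raise ValueError(f"{row.identifier}: rating {row.rating} outside 1..{RATING_MAX}")
    return PRIORITY_WEIGHT[row.priority] * (RATING_MAX - row.rating)


def analyze_gaps(rows):
    """Steps 4a/4b: candidate improvements, largest gap first.
    Rows whose Current rating already meets the target are omitted."""
    plan = [
        Improvement(identifier=r.identifier,
                    action=f"{r.identifier}: {r.goals}",
                    priority=r.priority,
                    gap_score=gap_score(r))
        for r in rows if gap_score(r) > 0
    ]
    plan.sort(key=lambda i: (-i.gap_score, i.identifier))
    return plan


def render_action_plan(plan) -> str:
    """Plain-text action plan: score, priority, owner, deadline, resources, action."""
    lines = [f"{'ID':<10}{'Score':>5}  {'Priority':<8}  {'Owner':<6}  "
             f"{'Deadline':<10}  {'Resources':<10} Action"]
    for i in plan:
        lines.append(f"{i.identifier:<10}{i.gap_score:>5}  {i.priority:<8}  {i.owner:<6}  "
                     f"{i.deadline:<10}  {i.resources:<10} {i.action}")
    return "\n".join(lines)


# Constructed sample rows. PR.PS-01 mirrors the guide's notional example row
# (rating 3 out of 5, priority High); the other two rows are made up here.
SAMPLE_ROWS = [
    ProfileRow("PR.PS-01", "Configuration management practices are established and applied",
               "Informal configuration management; CIO-specified baselines [CM-2] not enforced consistently",
               "Partially implemented; some systems lack baselines", 3, "High",
               "Enforced baselines [CM-2] and change control [CM-3] for all systems"),
    ProfileRow("ID.AM-01", "Inventory of hardware is maintained (constructed wording)",
               "Spreadsheet inventory updated quarterly", "Mostly complete", 4, "Low",
               "Automated inventory of all hardware assets"),
    ProfileRow("GV.OC-01", "Mission informs cybersecurity risk management (constructed wording)",
               "Mission statement and risk linkage documented", "Achieved", 5, "High",
               "Review the mission linkage annually"),
]

if __name__ == "__main__":
    print(render_action_plan(analyze_gaps(SAMPLE_ROWS)))
```

Running the block prints two action-plan rows: PR.PS-01 first (score 6, High priority at 3 of 5) and ID.AM-01 second (score 1); GV.OC-01 is already at the top rating and produces no entry. The owner, deadline and resources columns stay at a placeholder until the people, schedule and funding decisions in Step 4b are made.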
ANALYZE GAPS AND CREATE AN ACTION PLAN – PART 2

Identifying and analyzing the differences between the Current and Target Profiles enables an organization to find gaps and develop a prioritized action plan for addressing those gaps. The CSF provides links to tools, controls, and implementation resources that will help you with analyzing gaps [Step 4a] and creating action plans [Step 4b]. A recommended approach for developing action plans is to use the NIST CSF 2.0 Reference Tool to follow the references from your Target Profile’s pertinent Subcategories to the associated NIST SP 800-53 controls.

What Best Practices to Use
Informative References: relationships between the Core and various best practices, including standards, guidelines, regulations, and other resources. References help inform how an organization may achieve the CSF outcomes. They also help connect desired outcomes to other common cybersecurity documents, such as ISO/IEC 27001 and SP 800-53, which provides a catalog of security and privacy controls.

How to Implement Best Practices
Implementation Examples: notional descriptions of ways CSF outcomes can be fulfilled. The examples are not a comprehensive list of all actions that could be taken by an organization, nor are they a baseline of required actions; they are helpful ideas to get organizations thinking about concrete steps. The NIST CSF 2.0 Reference Tool allows users to explore the full CSF 2.0 Core and download it in Excel and JSON formats.

An Excerpt from the NIST CSF 2.0 Reference Tool – Example of an Implementation Example
Implementation Examples
Ex1: Establish, test, deploy, and maintain hardened baselines that enforce the organization's cybersecurity policies and provide only essential capabilities (i.e., principle of least functionality)
Ex2: Review all default configuration settings that may potentially impact cybersecurity when installing or upgrading software
IMPLEMENT ACTION PLAN AND UPDATE PROFILE

Step 5a – Implementing Action Plans
The Action Plan is fulfilled through any combination of management, programmatic, and technical controls. As those controls are implemented, the Organizational Profile can be used to track implementation status. Subsequently, controls and associated risks can be monitored through Key Performance Indicators (KPI) and Key Risk Indicators (KRI). Cyber risks that fall beyond Risk Tolerance are observed through Risk Assessments. Risks beyond Risk Tolerance may prompt updates to the Action Plan, Organizational Profile, and/or Risk Tolerance statements. Gap Analysis may also result in the creation of a POA&M for gaps that will take a longer remediation timeline. More information about KPI, KRI, Risk Tolerance, and POA&Ms can be found in IR 8286B and SP 800-37.

Step 5b – Updating Your Profile
Implementation activities that follow your Action Plan are a part of an ongoing cyber risk management program (feedback loops and lines of communication are more nuanced than shown). Risk Assessments, as described in SP 800-30, can leverage Risk Tolerance statements when identifying risks, as well as when determining the likelihood and impact of those risks. The changing likelihood and impact are a measure of the effectiveness of the Action Plan and the discrete controls. Risk monitoring is also performed using KPI and KRI. Changes in risks, likelihoods, and/or impacts may all result in updates to the Organizational Profile.

[Figure: the Action Plan is “fulfilled with” controls; Risk “causes update of” the Organizational Profile. * Risk Assessment can occur at any time and can inform any step.]
NEXT STEPS

What We Learned. This QSG explained the following terms:
Organizational Profile – CSF Core outcomes relevant for a specific organization
Community Profile – CSF Core outcomes that apply to multiple organizations
Current Profile – the cybersecurity outcomes that an organization is currently achieving
Target Profile – the desired outcomes an organization wants to achieve
Gap Analysis – determining the differences between the Current and Target Profiles
Informative References – best practices that implement various CSF Core outcomes
Implementation Examples – notional ways organizations can achieve CSF Subcategories
Action Plan – address gaps and move toward the Target Profile

What’s Next. Here’s a list of things you can do to move this QSG into practice:
• Familiarize yourself with the NIST CSF Organizational Profile template
• See if there is a Community Profile relevant for you at the NIST Community Profiles site
• Determine how many CSF Organizational Profiles you need [Step 1]
• Inventory your cybersecurity requirements
• Prioritize CSF outcomes in your Organizational Profiles [Step 2]
• Assess your Current Profile [Step 3]
• Read more about Informative References
• Improve your cybersecurity program over time [Steps 4 & 5]

Learning More

Reading
IR 8286B – NIST IR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management
SP 800-37 – NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems & Organizations
SP 800-53 – NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems & Organizations
SP 800-30 – NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments

Resources
Organizational Profile Template
NIST CSF 2.0 Reference Tool
Informative References
Implementation Examples
A Guide to Creating CSF 2.0 Community Profiles
Quick-Start Guide for Using the CSF Tiers
NIST Cybersecurity Framework 2.0:
Small Business Quick-Start Guide

U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology

NIST Special Publication NIST SP 1300
https://doi.org/10.6028/NIST.SP.1300
February 2024
NIST Cybersecurity Framework 2.0: Small Business Quick-Start Guide

Overview

Purpose
This guide provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy by using the NIST Cybersecurity Framework (CSF) 2.0. The guide also can assist other relatively small organizations, such as non-profits, government agencies, and schools. It is a supplement to the NIST CSF and is not intended to replace it.

What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is voluntary guidance that helps organizations—regardless of size, sector, or maturity—better understand, assess, prioritize, and communicate their cybersecurity efforts. The Framework is not a one-size-fits-all approach to managing cybersecurity risks. This supplement and the full CSF 2.0 can help organizations to consider and record their own risk tolerances, priorities, threats, vulnerabilities, requirements, etc.

Getting Started with the Cybersecurity Framework
The CSF organizes cybersecurity outcomes into six high-level Functions: Govern, Identify, Protect, Detect, Respond, and Recover. These Functions, when considered together, provide a comprehensive view of managing cybersecurity risk. The activities listed for each Function within this guide may offer a good starting point for your business. For specific, action-oriented examples of how to achieve the listed activities, reference the CSF 2.0 Implementation Examples. If there are activities contained within this guide that you do not understand or do not feel comfortable addressing yourself, this guide can serve as a discussion prompt with whomever you have chosen to help you reduce your cybersecurity risks, such as a managed security service provider (MSSP).

EXPLORE MORE CSF 2.0 RESOURCES
nist.gov/cyberframework
Quickly find what you need, including:
• A suite of NEW Quick Start Guides
• Implementation Examples
• Search tools
• FAQs
• And much more!
GOVERN
The Govern Function helps you establish and monitor your business’s cybersecurity risk management strategy, expectations, and policy.

Actions to Consider

Understand
• Understand how cybersecurity risks can disrupt achievement of your business’s mission. (GV.OC-01)
• Understand your legal, regulatory, and contractual cybersecurity requirements. (GV.OC-03)
• Understand who within your business will be responsible for developing and executing the cybersecurity strategy. (GV.RR-02)

Assess
• Assess the potential impact of a total or partial loss of critical business assets and operations. (GV.OC-04)
• Assess whether cybersecurity insurance is appropriate for your business. (GV.RM-04)
• Assess cybersecurity risks posed by suppliers and other third parties before entering into formal relationships. (GV.SC-06)

Prioritize
• Prioritize managing cybersecurity risks alongside other business risks. (GV.RM-03)

Communicate
• Communicate leadership’s support of a risk-aware, ethical, and continually improving culture. (GV.RR-01)
• Communicate, enforce, and maintain policies for managing cybersecurity risks. (GV.PO-01)

Getting Started with Cybersecurity Governance
You can use these tables to begin thinking about your cybersecurity governance strategy.

Setting Organizational Context
• Our business mission statement:
• What cybersecurity risks may prevent us from achieving this mission?

Documenting Cybersecurity Requirements
• List your legal requirements:
• List your regulatory requirements:
• List your contractual requirements:

Technical Deep Dive: Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight

Questions to Consider
• As our business grows, how often are we reviewing our cybersecurity strategy?
• Do we need to upskill our existing staff, hire talent, or engage an external partner to help us establish and manage our cybersecurity plan?
• Do we have acceptable use policies in place for business and for employee-owned devices accessing business resources? Have employees been educated on these policies?

Related Resources
• Securing Small and Medium-Sized Supply Chains Resource Handbook
• Choosing A Vendor/Service Provider

View all NIST CSF 2.0 Resources Here


IDENTIFY
The Identify Function helps you determine the current cybersecurity risk to the business.

Actions to Consider

Understand
• Understand what assets your business relies upon by creating and maintaining an inventory of hardware, software, systems, and services. (ID.AM-01/02/04)

Assess
• Assess your assets (IT and physical) for potential vulnerabilities. (ID.RA-01)
• Assess the effectiveness of the business's cybersecurity program to identify areas that need improvement. (ID.IM-01)

Prioritize
• Prioritize inventorying and classifying your business data. (ID.AM-07)
• Prioritize documenting internal and external cybersecurity threats and associated responses using a risk register. (ID.RA)

Communicate
• Communicate cybersecurity plans, policies, and best practices to all staff and relevant third parties. (ID.IM-04)
• Communicate to staff the importance of identifying needed improvements to cybersecurity risk management processes, procedures, and activities. (ID.IM)

Getting Started with Identifying Current Cybersecurity Risk to Your Business
Before you can protect your assets, you need to identify them. Then you can determine the appropriate level of protection for each asset based upon its sensitivity and criticality to your business mission. You can use this sample table to get started on your information technology (IT) inventory. As your business matures, you might consider using an automated asset inventory solution or a managed security service provider to help you manage all your business assets.

Sample IT inventory table (one row per asset):
• Software/hardware/system/service
• Asset's official use
• Asset administrator or owner
• Identify sensitive data the asset has access to
• Is multi-factor authentication required to access this asset?
• Risk to business if we lose access to this asset

Technical Deep Dive: Integrating Cybersecurity and Enterprise Risk Management

Questions to Consider
• What are our most critical business assets (data, hardware, software, systems, facilities, services, people, etc.) we need to protect?
• What are the cybersecurity and privacy risks associated with each asset?
• What technologies or services are personnel using to accomplish their work? Are these services or technologies secure and approved for use?

Related Resources
• NIST Risk Register Template
• Take Stock. Know What Sensitive Information You Have
• Evaluating Your Operational Resilience and Cybersecurity Practices

View all NIST CSF 2.0 Resources Here


PROTECT
The Protect Function supports your ability to use safeguards to prevent or reduce cybersecurity risks.

Actions to Consider

Understand
• Understand what information employees should or do have access to. Restrict sensitive information access to only those employees who need it to do their jobs. (PR.AA-05)

Assess
• Assess the timeliness, quality, and frequency of your company’s cybersecurity training for employees. (PR.AT-01/02)

Prioritize
• Prioritize requiring multi-factor authentication on all accounts that offer it and consider using password managers to help you and your staff generate and protect strong passwords. (PR.AA-03)
• Prioritize changing default manufacturer passwords. (PR.AA-01)
• Prioritize regularly updating and patching software and operating systems. Enable automatic updates to help you remember. (PR.PS-02)
• Prioritize regularly backing up your data and testing your backups. (PR.DS-11)
• Prioritize configuring your tablets and laptops to enable full-disk encryption to protect data. (PR.DS-01)

Communicate
• Communicate to your staff how to recognize common attacks, report attacks or suspicious activity, and perform basic cyber hygiene tasks. (PR.AT-01/02)

Getting Started with Protecting Your Business
Enabling multi-factor authentication (MFA) is one of the fastest, cheapest ways you can protect your data. Start with accounts that can access the most sensitive information. Use this checklist to give you a head start, but remember your own list will be longer than this:

Account – MFA Enabled (Y/N)
• Banking Account(s)
• Accounting and Tax Account(s)
• Merchant Account(s)
• Google, Microsoft, and/or Apple ID Account(s)
• Email Account(s)
• Password Manager(s)
• Website Account(s)

Technical Deep Dive: NIST Digital Identity Guidelines

Questions to Consider
• Are we restricting access and privileges only to those who need it? Are we removing access when they no longer need it?
• How are we securely sanitizing and destroying data and data storage devices when they’re no longer needed?
• Do employees possess the knowledge and skills to perform their jobs with security in mind?

Related Resources
• Cybersecurity Training Resources
• Multi-Factor Authentication
• Protecting Your Business from Phishing

View all NIST CSF 2.0 Resources Here


DETECT
The Detect Function provides outcomes that help you find and analyze possible cybersecurity attacks and compromises.

Actions to Consider

Understand
• Understand how to identify common indicators of a cybersecurity incident. (DE.CM)

Assess
• Assess your computing technologies and external services for deviations from expected or typical behavior. (DE.CM-06/09)
• Assess your physical environment for signs of tampering or suspicious activity. (DE.CM-02)

Prioritize
• Prioritize installing and maintaining antivirus and anti-malware software on all business devices—including servers, desktops and laptops. (DE.CM-09)
• Prioritize engaging a service provider to monitor computers and networks for suspicious activity if you don't have the resources to do it internally. (DE.CM)

Communicate
• Communicate with your authorized incident responder, such as an MSSP, about the relevant details from the incident to help them analyze and mitigate it. (DE.AE-06/07)

Getting Started with Detecting Incidents
Some common indicators of a cybersecurity incident are:
• Loss of usual access to data, applications, or services
• Unusually sluggish network
• Antivirus software alerts when it detects that a host is infected with malware
• Multiple failed login attempts
• An email administrator sees many bounced emails with suspicious content
• A network administrator notices an unusual deviation from typical network traffic flows

Technical Deep Dive: NIST Computer Security Incident Handling Guide

Questions to Consider
• Do devices that are used for our business, whether business-owned or employee-owned, have antivirus software installed?
• Do employees know how to detect possible cybersecurity attacks and how to report them?
• How is our business monitoring its logs and alerts to detect potential cyber incidents?

Related Resources
• Ransomware Protection and Response
• Detecting a Potential Intrusion
• Cybersecurity Training Resources

View all NIST CSF 2.0 Resources Here
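To show what monitoring logs for one of the indicators above looks like in practice, here is an added example (not part of the NIST guide) that turns “multiple failed login attempts” into a concrete check over authentication log lines. The sshd-style line format, the five-failures-in-ten-minutes threshold, and the log lines themselves are all assumptions constructed for this example; the source addresses come from the documentation range 203.0.113.0/24 and 198.51.100.0/24. The check keeps a sliding window per source address, ignores successful logins and unrelated lines, and raises one alert per source once the threshold is crossed, so a slow trickle of failures spread over hours does not fire while a burst does.

```python
"""Flag 'multiple failed login attempts' in authentication logs.
Added example; not part of the NIST guide. The log line format
(ISO timestamp, host, sshd 'Failed password' message), the threshold and
the window are assumptions; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed line shape:
#   <ISO timestamp> <host> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> ...
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

THRESHOLD = 5                    # failures from one source inside the window (assumption)
WINDOW = timedelta(minutes=10)   # sliding window length (assumption)

# Constructed sample: a burst from 203.0.113.7 trying several accounts, and two
# isolated failures from 198.51.100.9 that are 45 minutes apart.
SAMPLE_LOG = """\
2024-02-05T09:00:01 host1 sshd[101]: Failed password for alice from 203.0.113.7 port 51000 ssh2
2024-02-05T09:00:03 host1 sshd[102]: Failed password for alice from 203.0.113.7 port 51002 ssh2
2024-02-05T09:00:05 host1 sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
2024-02-05T09:00:07 host1 sshd[104]: Accepted password for bob from 198.51.100.9 port 40000 ssh2
2024-02-05T09:00:09 host1 sshd[105]: Failed password for alice from 203.0.113.7 port 51006 ssh2
2024-02-05T09:00:12 host1 sshd[106]: Failed password for bob from 198.51.100.9 port 40002 ssh2
2024-02-05T09:00:15 host1 sshd[107]: Failed password for root from 203.0.113.7 port 51008 ssh2
2024-02-05T09:00:20 host1 sshd[108]: Failed password for root from 203.0.113.7 port 51010 ssh2
2024-02-05T09:45:00 host1 sshd[109]: Failed password for bob from 198.51.100.9 port 40004 ssh2
"""


@dataclass
class Alert:
    source: str          # offending source address
    count: int           # failures inside the window when the alert fired
    users: frozenset     # account names tried from that source in the window
    first_seen: str      # ISO timestamps bounding the burst
    last_seen: str


def parse_failed_login(line):
    """Return (timestamp, user, source ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def detect_failed_logins(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failures per source; one Alert per source
    once `threshold` failures fall inside `window`."""
    recent = defaultdict(deque)   # source ip -> deque of (timestamp, user) in window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue              # successful logins and unrelated lines are ignored
        ts, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop events that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append(Alert(source=ip, count=len(q),
                                users=frozenset(u for _, u in q),
                                first_seen=q[0][0].isoformat(),
                                last_seen=ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for a in detect_failed_logins(SAMPLE_LOG.splitlines()):
        print(f"{a.source}: {a.count} failed logins {a.first_seen}..{a.last_seen} "
              f"for {sorted(a.users)}")
```

On the constructed sample this yields a single alert for 203.0.113.7 (five failures in 14 seconds across alice, admin and root), while 198.51.100.9 never crosses the threshold. In a real deployment the parser would be adapted to the actual log source (Windows event 4625, a cloud identity provider, an MSSP feed) and the alert handed to whoever the Respond section names as the incident contact.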


RESPOND
The Respond Function supports your ability to take action regarding a detected cybersecurity incident.

Actions to Consider

Understand
• Understand what your incident response plan is and who has authority and responsibility for implementing various aspects of the plan. (RS.MA-01)

Assess
• Assess your ability to respond to a cybersecurity incident. (RS.MA-01)
• Assess the incident to determine its severity, what happened, and its root cause. (RS.AN-03, RS.MA-03)

Prioritize
• Prioritize taking steps to contain and eradicate the incident to prevent further damage. (RS.MI)

Communicate
• Communicate a confirmed cybersecurity incident with all internal and external stakeholders (e.g., customers, business partners, law enforcement agencies, regulatory bodies) as required by laws, regulations, contracts, or policies. (RS.CO-02/03)

Getting Started with an Incident Response Plan
Before an incident occurs, you want to be ready with a basic response plan. This will be customized based on the business but should include:
• A business champion: Someone who is responsible for developing and maintaining your incident response plan.
• Who to call: List all the individuals who may be part of your incident response efforts. Include their contact information, responsibilities, and authority.
• What/when/how to report: List your business's communications/reporting responsibilities as required by laws, regulations, contracts, or policies.

Contact list (Contact – Phone):
• Business Leader:
• Technical Contact:
• State Police:
• Legal:
• Bank:
• Insurance:

Technical Deep Dive: NIST Computer Security Incident Handling Guide

Questions to Consider
• Do we have a cybersecurity incident response plan? If so, have we practiced it to see if it is feasible?
• Do we know who the key internal and external stakeholders and decision-makers are who will assist if we have a confirmed cybersecurity incident?

Related Resources
• Incident Response Plan Basics
• FBI’s Internet Crime Complaint Center
• Data Breach Response: A Guide for Business
• Best Practices for Victim Response and Reporting of Cyber Incidents

View all NIST CSF 2.0 Resources Here


RECOVER
The Recover Function involves activities to restore assets and operations that were impacted by a cybersecurity incident.

Actions to Consider

Understand
• Understand who within and outside your business has recovery responsibilities. (RC.RP-01)

Assess
• Assess what happened by preparing an after-action report—on your own or in consultation with a vendor/partner—that documents the incident, the response and recovery actions taken, and lessons learned. (RC.RP-06)
• Assess the integrity of your backed-up data and assets before using them for restoration. (RC.RP-03)

Prioritize
• Prioritize your recovery actions based on organizational needs, resources, and assets impacted. (RC.RP-02)

Communicate
• Communicate regularly and securely with internal and external stakeholders. (RC.CO)
• Communicate and document completion of the incident and resumption of normal activities. (RC.RP-06)

Getting Started with a Recovery Playbook
A playbook typically includes the following critical elements:
• A set of formal recovery processes
• Documentation of the criticality of organizational resources (e.g., people, facilities, technical components, external services)
• Documentation of systems that process and store organizational information, particularly key assets. This will help inform the order of restoration priority
• A list of personnel who will be responsible for defining and implementing recovery plans
• A comprehensive recovery communications plan

Technical Deep Dive: NIST Guide for Cybersecurity Event Recovery

Questions to Consider
• What are our lessons learned? How can we minimize the chances of a cybersecurity incident happening in the future?
• What are our legal, regulatory, and contractual obligations for communicating to internal and external stakeholders about a cybersecurity incident?
• How do we ensure that the recovery steps we are taking are not introducing new vulnerabilities to our business?

Related Resources
• Cybersecurity Training Resources
• Creating an IT Disaster Recovery Plan
• Backup and Recover Resources

View all NIST CSF 2.0 Resources Here


Profiles and Additional Resources
Using Organizational Profiles to Implement the Cybersecurity Framework
A CSF Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of the CSF Core’s cybersecurity outcomes. Every Organizational Profile includes
one or both of the following:
1. A Current Profile specifies the desired outcomes an organization is currently achieving (or attempting to achieve) and characterizes how or to what extent each outcome is being
achieved.
2. A Target Profile specifies the outcomes an organization has selected and prioritized for achieving its cybersecurity risk management objectives.
• You can also use a Community Profile as the basis for your Target Profile. A Community Profile is a baseline of targeted outcomes for a particular sector, technology, threat
type, or other use case.
• You can also choose to use the CSF Tiers to inform your Profile creation. Tiers characterize the current or targeted rigor of an organization’s practices by CSF Function or
Category. See the Quick-Start Guide for Using the CSF Tiers for more information on Tiers and their use.

View the Quick-Start Guide for Creating and Using Organizational Profiles for more detailed information on how to get started creating Current and Target Profiles for your organization.

Additional Resources
The NIST Cybersecurity Framework Reference Tool allows users to explore the full CSF 2.0 Core in human and machine-readable versions (in JSON and Excel), while also maintaining
resources with information to help you achieve your desired outcomes, such as:
• Mapping: Informative references are mappings indicating relationships between the CSF 2.0 and various standards, guidelines, regulations, and other content. They help inform
how an organization may achieve the Core’s outcomes.
• Implementation examples provide illustrations of concise, action-oriented steps to guide organizations in achieving the CSF outcomes. The examples are not a comprehensive
list of all actions that could be taken by an organization, nor are they a baseline of required actions; they are a set of helpful examples to get organizations thinking about
concrete steps.
NIST Cybersecurity and Privacy Reference Tool (CPRT) provides a simple way to access reference data from various NIST cybersecurity and privacy standards, guidelines, and Frameworks, downloadable in common formats (XLSX and JSON).
NIST SP 800-53 provides a catalog of security and privacy controls you can choose from. The controls are flexible, customizable, and implemented as part of an organization-wide process to
manage risk. View and export from the Cybersecurity and Privacy Reference Tool (CPRT).
The Workforce Framework for Cybersecurity (NICE Framework) helps employers achieve the outcomes in the CSF 2.0 by assisting them to identify critical gaps in cybersecurity staffing and
capabilities; determine and communicate position responsibilities and job descriptions; and provide staff training and career pathways.
NIST Cybersecurity Framework 2.0:
Quick-Start Guide for Cybersecurity Supply Chain Risk Management (C-SCRM)

NIST Special Publication
NIST SP 1305 ipd (Initial Public Draft)
https://doi.org/10.6028/NIST.SP.1305.ipd
February 2024

U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology

The public comment period for this draft ends May 3, 2024. Please send your comments to cyberframework@nist.gov.
NIST CSF 2.0: CYBERSECURITY SUPPLY CHAIN RISK MANAGEMENT (C-SCRM)
A QUICK START GUIDE
INTRODUCTION TO C-SCRM

C-SCRM Overview

All types of technology rely on a complex, globally distributed, extensive, and interconnected supply chain ecosystem. Cybersecurity Supply Chain Risk Management (C-SCRM) is a systematic process for managing exposure to cybersecurity risk throughout supply chains and developing appropriate response strategies, policies, processes, and procedures.

C-SCRM practitioners identify, assess, and mitigate cybersecurity risks throughout the supply chain at all levels of their organizations associated with information and communications technology (ICT) products and services. Potential risks include malicious functionality, counterfeit devices, or vulnerabilities derived from poor manufacturing and development practices within the supply chain.

Effective C-SCRM requires stakeholders across the enterprise to actively collaborate, communicate, and take actions to secure favorable C-SCRM outcomes.

This Quick-Start Guide provides an overview of C-SCRM and how it relates to the Cybersecurity Framework (CSF). Organizations implementing C-SCRM capabilities should not rely solely on this QSG and should consult the additional documents referenced within.

Use the CSF to Improve Your C-SCRM Processes

The CSF can help an organization become a smart acquirer and supplier of technology products and services. This guide focuses on two ways the CSF can help you:
1. Use the CSF’s GV.SC Category to establish and operate a C-SCRM capability.
2. Define and communicate supplier requirements using the CSF.

What is the supply chain ecosystem?

The supply chain ecosystem is composed of public and private sector entities — including acquirers, suppliers, developers, system integrators, external system service providers, and other technology-related service providers — that interact to research, develop, design, manufacture, acquire, deliver, integrate, operate, maintain, dispose of, and otherwise utilize or manage technology products and services.

Consider a laptop with hardware subcomponents (like the graphics processor, random-access memory, or network interface card) sourced from different countries and third-party manufacturers, and subject to distinct supply chain interactions. That laptop also contains software (and firmware) developed by different companies and people. How do we manage risk for complex ICT devices with multiple components?

In today's interconnected world, the supply chain ecosystem includes other third parties such as business partners and various data and digital service providers. Practices in this QSG can be applied to manage cybersecurity risks from such relationships as well.
HOW TO USE THE CSF TO ESTABLISH AND OPERATE A C-SCRM CAPABILITY

Establishing a C-SCRM Capability

The CSF has a Category within its Govern Function dedicated to C-SCRM: the Cybersecurity Supply Chain Risk Management (GV.SC) Category. GV.SC contains the key outcomes that every organization should achieve through its C-SCRM capability. Additionally, many of the subcategories within the remainder of the CSF can be used to identify and communicate C-SCRM-related requirements internally for organizations and for their vendors.

Perform these activities to establish your organization’s C-SCRM capability:
Activity 1: Create a C-SCRM strategy, objectives, policies, and processes. [GV.SC-01]
Activity 2: Identify your organization’s technology suppliers and determine how critical each one is to your organization. [GV.SC-04]
Activity 3: Establish C-SCRM roles and requirements and communicate them within and outside your organization. This includes identifying C-SCRM roles and responsibilities [GV.SC-02] and C-SCRM requirements [GV.SC-05].

It is also important to coordinate and harmonize activities between your C-SCRM capability and other internal capabilities. Here are a few examples:
• Integrate C-SCRM into cybersecurity and enterprise risk management, risk assessment, and improvement processes, and monitor the performance of C-SCRM practices throughout the technology lifecycle. [GV.SC-03, GV.SC-09] See the Enterprise Risk Management Quick-Start Guide for more information on C-SCRM integration.
• Include your relevant suppliers in cybersecurity incident planning, response, and recovery activities. [GV.SC-08] See NIST’s Computer Security Incident Handling Guide for more information on key practices for cybersecurity incidents.

Checklist of actions for Activity 1: Create a C-SCRM strategy, objectives, policies, and processes.
☐ Establish a C-SCRM strategy that lays out the objectives of the capability.
☐ Develop a C-SCRM plan (with milestones) and C-SCRM policies and procedures that guide implementation and improvement of the plan and the capability; socialize those policies and procedures with organizational stakeholders.
☐ Develop and implement C-SCRM processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders.
☐ Establish a cross-organizational mechanism that ensures alignment between functions that contribute to C-SCRM management, such as cybersecurity, IT, legal, human resources, engineering, etc.

Checklist of actions for Activity 2: Identify your organization’s technology suppliers and determine how critical each one is to your organization.
☐ Develop criteria for supplier criticality based on, for example, the importance of the supplier’s products or services to the organization’s business, sensitivity of the data processed or stored by the supplier, and degree of access to the organization’s systems.
☐ Prioritize suppliers into criticality levels based on the criteria. See NIST IR 8179, Criticality Analysis Process Model: Prioritizing Systems and Components for more information on a structured method for prioritization.
☐ Keep a record of all suppliers, prioritized based on the criticality criteria.
HOW TO USE THE CSF TO ESTABLISH AND OPERATE A C-SCRM CAPABILITY

Checklist of actions for Activity 3: Establish C-SCRM roles and requirements and communicate them within and outside your organization.

C-SCRM roles and responsibilities:
☐ Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing C-SCRM activities.
☐ Document C-SCRM roles and responsibilities in policy.
☐ Create responsibility matrixes (e.g., RACI charts) to document who will be responsible, accountable, consulted, and informed for C-SCRM activities and how those teams and individuals will be consulted and informed.
☐ Include C-SCRM responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability.
☐ Document performance goals for personnel with C-SCRM responsibilities, and periodically measure them to demonstrate and improve performance.
☐ Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks and integrate them into organizational policies and applicable third-party agreements.
☐ Internally communicate C-SCRM roles and responsibilities for suppliers.
☐ Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers.

C-SCRM requirements:
☐ Establish security requirements for suppliers, products, and services commensurate with their criticality and potential impact if compromised.
☐ Include all cybersecurity and supply chain requirements that suppliers must follow and how compliance with the requirements may be verified in default contractual language.
☐ Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in contracts.
☐ Include security requirements in contracts based on their criticality and potential impact if compromised.
☐ Define security requirements in service level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle.
☐ Specify in contracts the rights and responsibilities of the organization, its suppliers, and their supply chains with respect to potential cybersecurity risks. Contractually require suppliers to do the following:
  ☐ disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
  ☐ provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
  ☐ vet their employees and guard against insider threats
  ☐ provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
HOW TO USE THE CSF TO DEFINE AND COMMUNICATE SUPPLIER REQUIREMENTS

Developing Supplier Requirements

An organization should specify requirements for technology suppliers. Robustness of these requirements should correspond to supplier criticality.

Organizations can use two different methods for specifying supplier requirements:
1. Use CSF Categories and Subcategories. Not all Categories and Subcategories will apply to all suppliers. You can pick and choose requirements that fit your mission or business supplier criticality level. Select requirements for suppliers based on their criticality and your mission or business. To do that, review the list of CSF Categories and Subcategories, and determine which ones will be applicable to suppliers within each of the criticality levels, based on the risk appetite for each supplier criticality level.
When considering individual supplier agreements, determine if additional supplier requirements are needed based on existing criticality criteria, such as your mission or business, data type being processed, or digital product or service being provided.
2. Create CSF Target Profiles for Each Supplier Criticality Level. The next page explains how to express supplier requirements for each supplier criticality level.

Examples of CSF Categories and Subcategories that are likely to include requirements for suppliers

Govern:
• Organizational Context: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed [GV.OC-03]
• Roles, Responsibilities, and Authorities: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced [GV.RR-02]
• Cybersecurity Supply Chain Risk Management: Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders [GV.SC]

Identify:
• Risk Assessment: The authenticity and integrity of hardware and software are assessed prior to acquisition and use [ID.RA-09]; Critical suppliers are assessed prior to acquisition [ID.RA-10]
• Improvement: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties [ID.IM-02]

Protect:
• Identity Management, Authentication, and Access Control: Identities and credentials for authorized users, services, and hardware are managed by the organization [PR.AA-01]
• Awareness and Training: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind [PR.AT-02]

Detect:
• Continuous Monitoring: Personnel activity and technology usage are monitored to find potentially adverse events [DE.CM-03]

Respond:
• Incident Management: Incidents are escalated or elevated as needed [RS.MA-04]
• Incident Response Reporting and Communication: Internal and external stakeholders are notified of incidents [RS.CO-02]

Recover:
• Incident Recovery Plan Execution: The integrity of backups and other restoration assets is verified before using them for restoration [RC.RP-03]
• Incident Recovery Communication: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders [RC.CO-03]
HOW TO USE THE CSF TO DEFINE AND COMMUNICATE SUPPLIER REQUIREMENTS

Create Target Profiles to Communicate Supplier Requirements by Supplier Criticality Level

Follow these steps to create Target Profiles for communicating C-SCRM requirements to your suppliers.
1. Scope the Target Profile. Decide which of your supplier criticality levels it will apply to, and determine any other restrictions to be placed on the Profile’s scope, such as suppliers of a particular type of product or service only. You can create as many Target Profiles as you need to specify the requirements for all of your suppliers.
2. Select the CSF Categories to include. Identify which CSF Categories and Subcategories correspond to your requirements, and only include those Categories and Subcategories in the Target Profile.
3. Determine what types of information to include in your Target Profile. Target Profiles are flexible and can contain whatever types of information you want to communicate to your suppliers. The notional Profile excerpt below captures each selected Category’s and Subcategory's relative priority, the internal practices that the supplier must follow, and references to additional sources of information on achieving the Category and Subcategory.
4. Fill in the columns, and share the Target Profile. Once the contents of the Target Profile have been internally reviewed and finalized, it can be shared with your suppliers as your set of C-SCRM requirements for them.

Additional resources for creating Target Profiles
• Quick-Start Guide for Creating and Using Organizational Profiles (including Target Profiles)
• A Guide to Creating CSF 2.0 Community Profiles (Community Profiles have much in common with creating Target Profiles for numerous suppliers to follow)
• Quick-Start Guide for Using the CSF Tiers (to help inform creation of Target Profiles)
• Enterprise Risk Management Quick-Start Guide
• Informative Reference Mapping Quick-Start Guide (for accessing and using existing Informative References for a Target Profile)

Notional Target Profile excerpt (columns: Selected CSF Outcomes; Target Priority; Target Internal Practices; Selected Informative References):
Selected CSF Outcomes: PR.PS, The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability
Target Priority: High
Target Internal Practices:
1. Configure platforms to allow the installation of organization-approved software only.
2. Verify the source of new software and the software’s integrity before installing it.
3. Configure platforms to use only approved DNS services that block access to known malicious domains.
4. ...
Selected Informative References:
• NIST SP 800-161r1, control SI-3
• ISO 27002:2022, control 8.7
• …
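The Activity 2 supplier criticality triage and the per-criticality-level Target Profile procedure above, carried into a small Python model; this is an added example, not code from the NIST guide, and the scoring thresholds, the supplier records, the Profile rows, and the "achieved / partial / not achieved" status vocabulary for a supplier's Current Profile are all assumptions made here.

```python
"""Added example, not from the NIST guide: a small model of the Activity 2 supplier
criticality triage and of the per-criticality-level Target Profile procedure above,
ending with a gap check of one supplier's Current Profile against the Target Profile
for its level. Thresholds, supplier records and Profile rows are constructed."""
from dataclasses import dataclass, field
import re

# CSF 2.0 Category IDs look like "PR.PS"; Subcategory IDs add "-NN", e.g. "ID.RA-09".
CSF_ID = re.compile(r"^(GV|ID|PR|DE|RS|RC)\.[A-Z]{2}(-\d{2})?$")
LEVELS = ("high", "medium", "low")        # criticality levels, most critical first
PRIORITIES = ("High", "Medium", "Low")    # Target Priority column of the Profile


@dataclass
class Supplier:
    """One supplier scored 1 (low) to 3 (high) on the three criteria the guide names."""
    name: str
    business_importance: int   # importance of its products/services to the business
    data_sensitivity: int      # sensitivity of the data it processes or stores
    access_level: int          # degree of access to the organization's systems


def criticality_level(s: Supplier) -> str:
    """Map the three criteria to a level. Thresholds are constructed; a real program
    would derive them from its own risk appetite for each criticality level."""
    scores = (s.business_importance, s.data_sensitivity, s.access_level)
    if any(v not in (1, 2, 3) for v in scores):
        raise ValueError(f"{s.name}: each criterion must be scored 1..3")
    total = sum(scores)
    # Sensitive data AND privileged access make a supplier "high" even when its product
    # is rated unimportant: one weak criterion must not average away the other two.
    if total >= 8 or (s.data_sensitivity == 3 and s.access_level == 3):
        return "high"
    if total >= 6 or 3 in (s.data_sensitivity, s.access_level):
        return "medium"
    return "low"


def prioritized_supplier_record(suppliers: list[Supplier]) -> list[tuple[str, str]]:
    """The 'record of all suppliers, prioritized by criticality' checklist item:
    (level, name) pairs, most critical first, alphabetical within a level."""
    return sorted(((criticality_level(s), s.name) for s in suppliers),
                  key=lambda t: (LEVELS.index(t[0]), t[1]))


@dataclass
class ProfileRow:
    """One row of the notional Target Profile excerpt above."""
    outcome: str               # Selected CSF Outcome (Category or Subcategory ID)
    priority: str              # Target Priority
    practices: list[str]       # Target Internal Practices the supplier must follow
    references: list[str] = field(default_factory=list)  # Selected Informative References


@dataclass
class TargetProfile:
    scope: str                 # step 1: the criticality level this Profile applies to
    rows: list[ProfileRow]     # steps 2-4: only the selected outcomes, columns filled in

    def __post_init__(self) -> None:
        if self.scope not in LEVELS:
            raise ValueError(f"unknown criticality level: {self.scope}")
        for r in self.rows:
            if not CSF_ID.match(r.outcome):
                raise ValueError(f"not a CSF 2.0 Category/Subcategory ID: {r.outcome}")
            if r.priority not in PRIORITIES:
                raise ValueError(f"{r.outcome}: bad priority {r.priority!r}")
            if not r.practices:
                raise ValueError(f"{r.outcome}: a selected outcome needs a practice")


def gap_report(target: TargetProfile, current: dict[str, str]) -> list[tuple[str, str, str]]:
    """Compare a supplier's Current Profile (outcome ID -> 'achieved' | 'partial' |
    'not achieved') with the Target Profile. An outcome the supplier reported nothing
    for counts as 'not achieved': absence of evidence is a gap, not a pass.
    Returns (outcome, priority, status) for every unmet row, highest priority first."""
    gaps = [(r.outcome, r.priority, current.get(r.outcome, "not achieved"))
            for r in target.rows]
    return sorted((g for g in gaps if g[2] != "achieved"),
                  key=lambda g: PRIORITIES.index(g[1]))


# Constructed sample data (not real suppliers, not an actual NIST Profile).
SUPPLIERS = [
    Supplier("Payroll SaaS", business_importance=2, data_sensitivity=3, access_level=3),
    Supplier("Office furniture vendor", 1, 1, 1),
    Supplier("Managed DNS provider", 3, 1, 2),
]
HIGH_PROFILE = TargetProfile("high", [
    ProfileRow("PR.PS", "High",
               ["Allow installation of organization-approved software only",
                "Verify the source and integrity of new software before installing it",
                "Use only approved DNS services that block known malicious domains"],
               ["NIST SP 800-161r1, control SI-3", "ISO 27002:2022, control 8.7"]),
    ProfileRow("RC.RP-03", "High", ["Verify backup integrity before restoring from it"]),
    ProfileRow("RS.CO-02", "Medium", ["Notify us of incidents affecting our data"]),
])
# What the payroll supplier attested to (constructed); it reported nothing for RC.RP-03.
PAYROLL_CURRENT = {"PR.PS": "achieved", "RS.CO-02": "partial"}
```

Calling gap_report(HIGH_PROFILE, PAYROLL_CURRENT) lists RC.RP-03 (unreported, so not achieved) ahead of the partially met RS.CO-02, which is the order a reviewer would raise them with the supplier.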

NEXT STEPS

What We Learned. This QSG explained the following:
What Is C-SCRM – a systematic process for managing exposure to cybersecurity risk throughout supply chains
What Is a Supply Chain Ecosystem – public- and private-sector entities that interact to create, deliver, operate, and manage technology products and services
How to Establish and Implement a C-SCRM Capability – by using the CSF 2.0 C-SCRM Category (GV.SC)
How to Develop Supplier Requirements – by using the CSF Categories and Subcategories or by creating Target Profiles

What’s Next. Here’s a list of things you can do to move this QSG into practice:
• Review all NIST CSF 2.0 Categories and Subcategories
• Develop C-SCRM strategy, objectives, policies, and processes [Activity 1]
• Identify your organization’s technology suppliers [Activity 2]
• Determine how critical each technology supplier is to your organization and prioritize your suppliers [Activity 2]
• Establish C-SCRM roles and requirements [Activity 3]
• Communicate C-SCRM roles and requirements within and outside your organization, including to technology suppliers [Activity 3]

This QSG provides an overview of C-SCRM and how it relates to the CSF. Organizations implementing C-SCRM capabilities should not rely solely on this QSG and should consult the additional documents referenced within.

New to C-SCRM?

Here are some NIST resources that can help you get up to speed on the basics of C-SCRM and support you in establishing and operating your C-SCRM capability:
• Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (NIST IR 8276) summarizes practices foundational to an effective C-SCRM capability.
• Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161 Revision 1) guides organizations in identifying, assessing, and responding to supply chain risks at all levels. It is flexible and builds on an organization’s existing cybersecurity practices. Also, Appendix A identifies the C-SCRM-related controls from NIST SP 800-53r5 and augments those controls with additional supplemental guidance, as well as providing new controls as appropriate.
• Criticality Analysis Process Model: Prioritizing Systems and Components (NIST IR 8179) provides information on prioritizing suppliers by criticality levels.
• The Software and Supply Chain Assurance Forum provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding C-SCRM, supply chain risks, effective practices and response strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved.
• NIST’s C-SCRM Program website contains links to additional resources.
NIST Cybersecurity Framework 2.0:
Quick-Start Guide for Using the CSF Tiers

NIST Special Publication
NIST SP 1302 ipd (Initial Public Draft)
https://doi.org/10.6028/NIST.SP.1302.ipd
February 2024

U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology

The public comment period for this draft ends May 3, 2024. Please send your comments to cyberframework@nist.gov.
NIST CSF 2.0: USING THE CSF TIERS
A QUICK START GUIDE
CSF Tiers

CSF Tiers can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management outcomes. This can help provide context on how an organization views cybersecurity risks and the processes in place to manage those risks. The Tiers can also be valuable when reviewing processes and practices to determine needed improvements and monitor progress made through those improvements.

Appendix B of the CSF contains a notional illustration of the CSF Tiers. In that illustration, each Tier has separate descriptions for Cybersecurity Risk Governance (corresponding to the Govern Function) and Cybersecurity Risk Management (for the other five CSF Functions: Identify, Protect, Detect, Respond, and Recover).

The Tiers capture an organization’s outcomes over a range: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4). They reflect a progression from informal, ad hoc responses to approaches that are agile, risk-informed, and continuously improving.

An organization wanting to use the CSF Tiers can reuse the notional descriptions from Appendix B of the CSF, or they can customize those descriptions, create new ones, or use a set of descriptions they already have in place.

Selecting Tiers

Selecting the CSF Tiers that your organization should be meeting in its cybersecurity risk governance and management activities is generally performed by organization leadership.

Here are tips for selecting Tiers:
• Selecting Tiers overall or at the Function or Category level will provide a better sense of the organization’s current cybersecurity risk management practices than selecting Tiers at the Subcategory level.
• You can use one of the two Tier components (governance or management descriptions) if you want to focus on a subset of the CSF Functions. For example, if your scope is governance only, you can omit the Cybersecurity Risk Management descriptions.
• When selecting Tiers, consider the following aspects of the organization:
  • current risk management practices
  • threat environment
  • legal and regulatory requirements
  • information sharing practices
  • business and mission objectives
  • supply chain requirements
  • organizational constraints, including resources
• Ensure that the Tiers being selected help to meet organizational goals, are feasible to implement, and reduce cybersecurity risks to critical assets and resources to levels that are acceptable to the organization.
• Progression to higher Tiers is encouraged when needed to address risks or mandates.
APPLYING TIERS TO PROFILES

Applying Tiers to Profiles

Once your organization’s Tier selections have been made, you can use them to help inform your Current and Target Profiles. For example, if leadership has determined that your organization should be at Tier 2 (Risk Informed) for the Identify and Protect Functions, then your Current Profile would reflect how well the Tier 2 Cybersecurity Risk Management characteristics are currently being achieved for each CSF Category within those two Functions. Similarly, the Target Profile would reflect any improvements to Identify and Protect outcomes needed to fully achieve the Tier 2 description. The table excerpt below shows the relevant part of the Tier 2 description.

Tiers should be used to guide and inform an organization’s cybersecurity risk governance and management methodologies rather than take their place.

Tier | Cybersecurity Risk Governance | Cybersecurity Risk Management
Tier 1: Partial | ... | …
Tier 2: Risk Informed | … | There is an awareness of cybersecurity risks at the organizational level, but an organization-wide approach to managing cybersecurity risks has not been established. Consideration of cybersecurity in organizational objectives and programs may occur at some but not all levels of the organization. Cyber risk assessment of organizational and external assets occurs but is not typically repeatable or reoccurring. Cybersecurity information is shared within the organization on an informal basis. The organization is aware of the cybersecurity risks associated with its suppliers and the products and services it acquires and uses, but does not act consistently or formally in response to those risks.
Tier 3: Repeatable | … | …
Tier 4: Adaptive | … | …

Additional Resources
• Quick-Start Guide for Creating and Using Organizational Profiles (includes taking CSF Tiers into account in Current and Target Profiles)
• Organizational Profile notional template
• A Guide to Creating CSF 2.0 Community Profiles (includes using CSF Tiers to inform the development of Community Profiles)
NIST Cybersecurity Framework 2.0:
Enterprise Risk Management Quick-Start Guide

NIST Special Publication
NIST SP 1303 ipd (Initial Public Draft)
https://doi.org/10.6028/NIST.SP.1303.ipd
February 2024

U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology

The public comment period for this draft ends May 3, 2024. Please send your comments to cyberframework@nist.gov.
NIST Cybersecurity Framework 2.0: Enterprise Risk Management Quick-Start Guide
This guide provides an introduction to using the NIST Cybersecurity Framework (CSF) 2.0 to plan and integrate an enterprise-wide process that feeds cybersecurity risk management information, as a subset of information and communications technology risk management, into enterprise risk management. The use of CSF common language and outcomes supports the integration of risk monitoring, evaluation, and adjustment across various organizational units and programs.

Enterprise Risk Management (ERM)


When we use the word enterprise in an organizational context, we mean all aspects of that organization, spanning the entire breadth and depth of that org chart. ERM exists at the top level
of the organizational hierarchy and spans risk considerations such as mission, financial, reputation, and technical risks thereof. ERM calls for understanding the core risks that an enterprise
faces, determining how best to address those risks, and ensuring that the necessary actions are taken. An ERM program allows enterprises to aggregate, prioritize, and analyze risks from
across the enterprise in a common risk register format. Risk appetite expressed by the ERM program helps inform risk identification.

Information and Communications Technology (ICT) Risk Management


The information and communications technology (ICT) on which an enterprise relies is managed through a broad set of risk disciplines that include privacy, supply chain, and cybersecurity. ICT extends beyond traditional information technology (IT) considerations. Many entities rely on operational technology (OT) and Internet of Things (IoT) devices’ sensors or actuators for bridging physical and digital environments. Increasingly, artificial intelligence (AI) factors into enterprise risk. NIST SPs 800-221 and 800-221A provide more information.

Figure: ERM, ICT RM, CSRM

Cybersecurity Risk Management (CSRM)

Cybersecurity risks are a fundamental type of risk for all organizations to manage. Potential negative impacts to organizations from cybersecurity risks include higher costs, lower revenue, reputational damage, and the impairment of innovation. Cybersecurity risks also threaten individuals’ privacy and access to essential services and can result in life-or-death consequences. Risk appetite expressed at other levels of risk management gets translated into more specific CSRM risk tolerance, such that cyber risks can be more easily identified.

CSF 2.0 provides guidance for reducing cybersecurity risks by helping organizations discuss, organize, and address gaps in their cybersecurity program in a standard way. The cybersecurity
outcomes described in CSF affect cybersecurity, ICT, and enterprise risks. Understanding these dependencies is an essential activity in CSRM, ICT RM, and ERM. The Cybersecurity Risk
Register (CSRR) described in the NIST IR 8286 series of publications enables organizations to identify, manage, and monitor the relationships between discrete risks and aspects of a CSF-
based cybersecurity program that address those risks. The CSRR allows organizations to identify, organize, analyze, and report on cybersecurity risks at the system level. CSF Organizational
Profiles are a natural byproduct of a comprehensive CSRR, because the relative priority of CSF outcomes becomes apparent based on how significant the impacts of identified cybersecurity
risks might be to the organization’s priorities, such as its strategic objectives, products and services, or customers.
NIST Cybersecurity Framework 2.0: Enterprise Risk Management Quick-Start Guide
CSF 2.0 Supports Six Activity Points For Informing, Implementing, and Monitoring ERM
CSF 2.0 is a valuable guide for helping to review and improve security and privacy considerations as
part of a holistic enterprise risk approach. CSF is most helpful when it is paired with other ERM
elements. For example, as agency officials and corporate boards provide oversight of all relevant
risks, the CSF process helps ensure that cybersecurity strategy is well-executed. Managers plan and
implement risk treatment based on that strategy, record and report progress, and provide agency/
business leaders with information needed for effective operations and mission success.
The Activity Points, which are further described in subsequent pages, include:
• 1 – Leaders define and record enterprise mission, priorities, and risk appetite. Accountability is assigned for managing both positive and negative types of risk. (GV.OC, GV.RM, GV.SC)
• 2 – Organization-level managers interpret risk appetite into specific guidance regarding security and privacy requirements, and associated risk tolerance. (GV.RR, GV.PO, ID.RA)
• 3 – Risk strategy and requirements aid implementation of shared security solutions and system-level controls to achieve an acceptable level of risk. (PROTECT, DETECT, RESPOND, and RECOVER)
• 4 – Risk response outcomes are reflected as residual risk in system-level risk registers as part of ongoing assessment and continuous monitoring activities. (ID.RA, ID.IM, GV.OV)
• 5 – Risk registers are normalized and aggregated at the organizational unit level, supporting reporting, analysis, and organization-level adjustment. (ID.IM, GV.OV)
• 6 – Combined risk results from the enterprise are used to maintain an enterprise-level risk register and risk profile, supporting enterprise business decisions and any adjustments needed for the risk strategy. (GV.PO, GV.OV)

Illustration of enterprise risk management integration and coordination (from NIST SP 800-221)

CSF 2.0, as part of a holistic ERM approach, helps ensure that leaders continually have the information they need for making informed business/agency decisions.

Supporting Resources:
• SP 800-221, Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio
• SP 800-221A, Information and Communications Technology (ICT) Risk Outcomes: Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio
Aligning enterprise priorities with strategic activity

As senior leaders and organizational managers observe and discuss risk management strategy (to take advantage of opportunities and to avoid known threats), they develop a plan for managing risk to the optimal level.

The outcomes in the CSF Govern Function (GV) specifically drive actionable planning about how to best manage various enterprise risks to ICT, including privacy, supply chain, AI, IoT, and OT on which the entity depends.

Beginning with an understanding of what information and technology are most important to the enterprise mission, leaders define acceptable levels of risk for those assets and describe how personnel in various work roles will be accountable for risk management success. (ID.AM, ID.RA)

This actionable and proactive strategizing also makes clear to customers and other stakeholders that effective risk management is a priority, that clear and accountable plans are in place to achieve that management, and that monitoring processes are continually identifying opportunities for improvement. These plans specifically apply the outcomes described in the CSF Organizational Profile(s), in particular the PROTECT, DETECT, RESPOND, and RECOVER functions.

Based on internal and external organizational context, leaders use governance systems to set risk priorities, risk appetite, and risk strategy. This understanding sets the tone for how the enterprise conducts, measures, and reports risk management activities and performance. Actions include processes for aligning priorities and risk direction for business partners and other members of the organization’s cybersecurity supply chain.

Understanding of objectives and risk appetite enables managers to interpret how to apply those for their organizational units (OUs). Managers create risk tolerance statements and metrics, defining a “target state” that will achieve stakeholder objectives, such as through secure shared infrastructure (e.g., organizationally-tailored control baselines, common controls, and monitoring strategy).

The direction from leadership and OU management is applied in an operational context, supporting system-level risk assessment, requirements definition, and allocation. These enable effective categorization, control selection/implementation, and ongoing system-level authorization/monitoring.

Questions to Consider
Activity Point 1: Where do you draw the mission and strategic priorities of the organization from? Do you have a process for defining and expressing Risk Appetite?
Activity Point 2: How is Risk Appetite translated into Risk Tolerance? Are cybersecurity risk management strategy outcomes reviewed to inform and adjust strategy and direction?
Activity Point 3: How are organizational priorities, definition of acceptable risk, and performance requirements embedded in your system-level risk activities? Are these translated into control selection, system constraints, reporting requirements, and anomaly detection?

Related Resources
• NIST Risk Management Framework (RMF) for Information Systems and Organizations – a comprehensive, flexible, repeatable, and measurable process to manage information security and privacy risk
• NIST IR 8286 series – specifically NIST IR 8286A, Identifying and Estimating Cybersecurity Risk for ERM
• NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments
Risk Assessment, Risk Treatment, and Information Sharing Ensure Value and Risk Optimization
Select Risk Response
After selecting and implementing controls and other methods of risk treatment, system-level personnel assess the effectiveness and efficiency of
that treatment (e.g., through the Assess step of the NIST Risk Management Framework). Risk managers evaluate threats and opportunities, in
alignment with risk strategy and direction from enterprise- and organization-level guidance. They determine the benefits of the following
responses: Mitigate, Accept, Avoid, and Transfer for negative risks; Realize, Share, Enhance, and Accept for positive risks.
Analyze and Prioritize Risks
There are benefits to both qualitative and quantitative risk analysis methodologies and even the use of multiple methodologies, based on
enterprise strategy, organization preference, and data availability (ID.RA). The relative priority of various types of risk must be decided upon by
those with appropriate authority, usually through guidance provided through the risk management strategy (GV.RM).
Communicate Risk Findings and Decisions
The cybersecurity risk register (CSRR) provides a location to record and communicate the known system-level threats and vulnerabilities, their impact on business objectives, and actions taken or planned. Risk managers share information about residual risk, including metrics that support ongoing assessment and authorization, and plans of action and milestones for maintaining the appropriate level of risk based on stakeholders’ expectations (as expressed in the target state of the Organizational Profiles, especially the Govern and Identify functions).

Questions to Consider
How do CSF Target Profile outcomes (organizational agreement on how to best protect,
detect, respond, and recover) inform system-specific risk assessment and treatment?
How can we estimate likelihood and impact of those risks given the planned outcomes and
knowledge from previous results?
Is our risk response proportionate to the exposure?
Related Resources
• SP 800-221, Enterprise Impact of Information and Communications Technology Risk: Governing
and Managing ICT Risk Programs Within an Enterprise Risk Portfolio
• NIST IR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management
• Risk Detail Schema

Risk Detail CSRR Schema (figure)

CSF outcomes (planned and current) support a Monitor-Evaluate-Adjust cycle for achieving ERM objectives.
As risk management is applied through various controls (as described above), the results are
continually evaluated for effectiveness. CSF provides examples of how to do this through CSF
Informative References, described at the Online Informative References (OLIR) web site.
At the organization level, the results of various system-level activities and results (as reflected in
CSRRs) are aggregated and normalized. Managers monitor how well the cyber risk strategy is
being implemented, evaluate indicators to confirm performance goals and highlight potential
changes in the risk landscape, and then make any adjustments necessary to accentuate
achievement of opportunities (positive risk) and reduce impactful threat conditions to an
acceptable level.
This cycle enables creation and maintenance of an organization-level CSRR, and updates to the
Organizational Profiles to reflect refined current state and adjusted Target State.
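As an added illustration (not NIST's code, and not the IR 8286 Risk Detail schema) of the flow described above: system-level registers that score risk on different scales are normalized, aggregated into an enterprise risk register, checked against a tolerance statement, and used to derive the relative priority of CSF outcomes that a Target Profile would be built from. The record layout, the 0..1 exposure formula, the tolerance value and the sample risks are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed CSRR record layout; an assumption, not the IR 8286 Risk Detail schema.
@dataclass
class RiskEntry:
    risk_id: str
    system: str
    likelihood: float          # raw score on the owning system's scale
    impact: float              # raw score on the owning system's scale
    scale_max: int             # top of that system's scale (e.g. 5 or 10)
    response: str              # Mitigate/Accept/Avoid/Transfer or Realize/Share/Enhance/Accept
    csf_outcomes: tuple        # CSF Core outcomes whose implementation addresses this risk
    positive: bool = False     # True for an opportunity (positive risk)
NEGATIVE_RESPONSES = {"Mitigate", "Accept", "Avoid", "Transfer"}
POSITIVE_RESPONSES = {"Realize", "Share", "Enhance", "Accept"}

def normalize(entry: RiskEntry) -> float:
    """Exposure on a common 0..1 scale so registers scored differently by each OU can be combined."""
    allowed = POSITIVE_RESPONSES if entry.positive else NEGATIVE_RESPONSES
    if entry.response not in allowed:
        raise ValueError(f"{entry.risk_id}: {entry.response!r} is not a valid response for this risk type")
    return (entry.likelihood / entry.scale_max) * (entry.impact / entry.scale_max)

def aggregate(registers: list[list[RiskEntry]], tolerance: float) -> dict:
    """Build the enterprise view: ranked ERR, negative risks above tolerance, and the
    CSF outcome priority from which a Target Profile can be derived."""
    err, outcome_weight = [], defaultdict(float)
    for register in registers:
        for e in register:
            exposure = normalize(e)
            err.append((e.risk_id, e.system, round(exposure, 3), e.positive))
            if not e.positive:                     # only threats drive protective priorities
                for outcome in e.csf_outcomes:
                    outcome_weight[outcome] += exposure
    err.sort(key=lambda r: r[2], reverse=True)
    breaches = [r[0] for r in err if not r[3] and r[2] > tolerance]
    ranked = sorted(outcome_weight.items(), key=lambda kv: kv[1], reverse=True)
    return {"err": err, "out_of_tolerance": breaches,
            "csf_outcome_priority": [(k, round(v, 3)) for k, v in ranked]}

# Constructed system-level registers from two OUs using different scoring scales.
HR_REGISTER = [
    RiskEntry("HR-1", "HR portal", 4, 5, 5, "Mitigate", ("PR.AA", "DE.CM")),
    RiskEntry("HR-2", "HR portal", 2, 4, 5, "Transfer", ("GV.SC", "RC.RP")),
]
OT_REGISTER = [
    RiskEntry("OT-1", "Plant OT", 6, 9, 10, "Mitigate", ("ID.AM", "PR.PS", "DE.CM")),
    RiskEntry("OT-2", "Plant OT", 7, 6, 10, "Realize", ("ID.IM",), positive=True),
]
```

Calling `aggregate([HR_REGISTER, OT_REGISTER], tolerance=0.5)` ranks HR-1 and OT-1 above tolerance and places DE.CM first in the outcome priority, because both threats depend on it.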
MONITOR
• Measure whether controls are still implemented and effective
• Measure the extent to which controls are implemented without impairing organizational operations and efficiency
EVALUATE
• Assess if organizational controls are achieving the desired risk results
• Assess if risk management activities are keeping risk within tolerance (e.g., evaluating key risks and key performance indicators)
• Compare current outcomes to the target state described in Organizational Profiles
ADJUST
• Implement additional controls and enhancement as needed
• Implement alternative controls to enhance opportunity

Monitor-Evaluate-Adjust Cycle (from NIST SP 800-221)

Risk registers are aggregated, normalized, and shared based on enterprise-defined risk categories and measurement criteria. Risk tolerance statements are refined, if needed, to ensure balance among ICT value, organizational resources, and optimal risk.

Supporting Resources
• NIST IR 8286C, Staging Cybersecurity Risks for ERM and Governance Oversight

Feedback from CSF Informative References and the MEA cycle help monitor and adjust risk response, appetite/tolerance, and policy.
As risk management controls are operated, performance is evaluated and adjusted
to improve effectiveness and efficiency. Feedback from the MEA cycle sometimes
results in more than just adjustments to controls and other Informative References.
Feedback may lead to adjustments in:
• CSF Profile
• Risk Detail Record
• Risk Response Description
• Risk Response
• Risk Tolerance
• Risk Appetite
• Policy
• Strategy
This helps report results back to management and enterprise leadership. Results that
particularly reflect operational achievement (key performance indicators, or KPIs)
confirm conformance with the strategy (GV.RM, GV.SC). This also supports personnel
performance monitoring and reporting (GV.RR, GV.PO).
Managers integrate data from normalized and harmonized risk registers and from organization-level reports, compliance and audit reports. These are considered in light of non-technology risk management activities (e.g., credit risk, market risk, labor risk). Considering composite outcomes of positive and negative risk management enables effective balance among investments in and results of risk management activity. Results are reflected in an enterprise risk register (ERR) and an enterprise risk profile (ERP) that provides a prioritized ERR.

In this way, CSF helps to guide the selection, implementation, and monitoring of specific controls (such as those in the informative references), and the results ensure an effective and ongoing holistic ERM solution for all types of risk.

Questions to Consider
How are top cybersecurity risks identified for leadership and recorded in the enterprise risk register?
Are escalation criteria defined to ensure accountability and information sharing? (NIST IR 8286C)
Are processes in place to marry system/organization-level risk to enterprise-level considerations?
How are enterprise security and privacy risks (including opportunities) aligned with other risk types?
What We Learned*
Risk Appetite – statements expressing a general way of defining risk you can accept
Risk Tolerance – statements expressing a specific way of defining risk you cannot accept
Risk Identification – the process of understanding your risks
Enterprise Risk Management – the process of managing general high-level risk
Information and Communications Technology Risk Management – the process of managing various ICT risks
Cybersecurity Risk Management – the process of managing specific cybersecurity risks
CSF Govern – one of six high-level outcomes expressed in CSF; oversight to ensure cybersecurity is managed
Negative Risks – things that are weaknesses or threats
Positive Risks – things that are strengths or opportunities
Cybersecurity Risk Register – a list of your high-priority risks
Risk Response Description – the place in the CSRR where you note CSF outcomes and Informative Reference implementations
Cybersecurity Framework Outcome – what cybersecurity you are trying to achieve
Informative Reference Implementation – how you implement cybersecurity
Online Informative References – a catalog of Informative References hosted at a NIST website
SP 800-53 Control – a security or privacy control from the NIST Special Publication 800-53 controls catalog
Monitor, Evaluate, Adjust – how you actualize cybersecurity; in a Deming Cycle, this is the do, check, act
Feedback Loop – how you make adjustments and improvements
*Descriptions provided are intended as plain language. Please see the NIST Glossary for official NIST definitions.

EXPLORE MORE CSF 2.0 RESOURCES
• CSF 2.0 website
• CSF 2.0 Organizational Profiles
• Informative References
• SP 800-53 – security and privacy controls
• SP 800-221 – Integrating ICT risk management and ERM
• SP 800-221A – Outcome Framework for Integrating ICT RM and ERM
• IR 8286 – Overview of integrating CSRM and ERM
• IR 8286A – Deep dive on risk registers
• IR 8286B – Prioritizing and treating risk responses
• IR 8286C – Integrating the CSF with ERM
• IR 8286D – BIA’s role in ERM