Quick-Start Guide for Creating and Using Organizational Profiles
Drive Progress Over Time with Organizational Profiles
An Organizational Profile describes an organization’s current and/or target cybersecurity
posture in terms of cybersecurity outcomes from the Cybersecurity Framework (CSF) Core.
Organizational Profiles are used to understand, tailor, assess, and prioritize cybersecurity
outcomes based on an organization’s mission objectives, stakeholder expectations, threat
landscape, and requirements. The organization can then act strategically to achieve those
outcomes. These Profiles can also be used to assess progress toward targeted outcomes
and to communicate pertinent information to stakeholders.
Organizational Profiles can be categorized as:
• A Current Profile that specifies the CSF outcomes an organization is currently achieving and characterizes how or to what extent each outcome is being achieved.
• A Target Profile that specifies the desired CSF outcomes an organization has selected and prioritized for achieving its cybersecurity risk management objectives. A Target Profile considers anticipated changes to the organization’s cybersecurity posture, such as new requirements, new technology adoption, and trends in threat intelligence.
Create and Use Organizational Profiles with the CSF Five-Step Process
CSF 2.0 describes a five-step process for creating and using Organizational Profiles. More
specifically, the process compares an aspirational Target Profile to an assessed Current
Profile. Then, a gap analysis is performed, and an action plan is developed and
implemented. This process naturally leads to refinements in the Target Profile to be used
during the next assessment.
NIST CSF 2.0: CREATING AND USING ORGANIZATIONAL PROFILES
A QUICK START GUIDE
SCOPE THE ORGANIZATIONAL PROFILE
The scope defines the high-level facts and assumptions on which the Profiles will be based. You can have as many Organizational Profiles as desired, each with a different scope. Questions to answer as you scope your Profile include:
• What’s the reason for creating the Organizational Profile?
• Will the Profile cover the entire organization? If not, which of the organization’s divisions, data assets, technology assets, products and services, and/or partners and suppliers will be included?
• Will the Profile address all types of cybersecurity threats, vulnerabilities, attacks, and defenses? If not, which types will be included?
• Which individuals or teams will be responsible for developing, reviewing, and operationalizing the Profile?
• Who will be responsible for setting expectations for actions to achieve the target outcomes?

Organizational Profile Facts: Ways to Think about Profiles
A given organization may wish to use several Profiles. Each Profile can have a distinct scope based on factors like:
• technology category (IT, OT)
• data types (PII, PHI, PCI)
• users (employees, third-parties)
The scope of a Profile determines the applicability of a given CSF outcome. It may be helpful to combine two or more Profiles when scopes overlap.
[Figure: example Profile scopes: Human Resources IT Systems; End User IT Systems; Manufacturing Floor OT Systems; Third-Party Systems; Systems Using Artificial Intelligence; Design Information]
GATHER NEEDED INFORMATION
1. Community Profiles
A Community Profile is a baseline of CSF outcomes created and published to address shared interests and goals among a number of organizations. A Community Profile is typically intended for a particular sector or subsector, technology, threat type, or other use case.
An organization can use a Community Profile as the basis for its own Target Profile by copying the Community Profile into an Organizational Profile. A Community Profile can be adapted by:
• Adjusting the priorities of particular CSF outcomes
• Adding organization-specific Subcategories, Informative References, or implementation guidance
See A Guide to Creating CSF 2.0 Community Profiles for more information on creating and using Community Profiles.

2. NIST Organizational Profile Template
NIST provides a CSF Organizational Profile template as a Microsoft Excel spreadsheet. You can download it and fill it in to create Current and Target Profiles for your organization. The template facilitates side-by-side comparison of Current and Target Profiles to identify and analyze gaps. You can find the template on the CSF 2.0 website.

Prioritization: The Defining Feature of a Profile
The central notion of a Target Profile is to determine differing priorities for applicable CSF outcomes. Priorities help you determine parts of your cybersecurity program that should be resourced more, or less.
Cybersecurity priorities are driven by strategic objectives, laws, regulations, and risk responses. To learn more, see SP 800-37 about organization-wide risk management tasks in the Prepare Step. IR 8286B offers information about how the CSF Core supports risk response decisions.
CREATE THE ORGANIZATIONAL PROFILE – PART 1
Determine what types of supporting information each Profile should include for the
selected CSF outcomes... Steps for creating an Organizational Profile are:
3a: Download the latest CSF Organizational Profile template spreadsheet and customize as desired.
3b: Include cybersecurity outcomes that apply to your use case, and document rationales as needed.
3c: Document current cybersecurity Practices in the Current Profile columns. More detailed entries may
provide better insights for later steps.
3d: Document cybersecurity Goals and the plans for achieving them in the Target Profile columns. Entries may
be based on CSF Informative References, new cybersecurity requirements, new technologies, and trends in
cyber threat intelligence.
3e: Note the importance of each Goal using the Priority field.
Identifying and analyzing the differences between the Current and Target
Profiles enables an organization to find gaps and develop a prioritized action
plan for addressing those gaps. Using Profiles in this manner helps your organization make
better-informed decisions about how to improve cybersecurity risk management in a prioritized and
cost-effective manner.
Step 5a: Implementing Action Plans
The Action Plan is fulfilled through any combination of management, programmatic, and technical controls. As those controls are implemented, the Organizational Profile can be used to track implementation status. Subsequently, controls and associated risks can be monitored through Key Performance Indicators (KPI) and Key Risk Indicators (KRI). Cyber risks that fall beyond Risk Tolerance are observed through Risk Assessments. Risks beyond Risk Tolerance may prompt updates to the Action Plan, Organizational Profile, and/or Risk Tolerance statements. Gap Analysis may also result in the creation of POA&M for gaps that will take a longer remediation timeline. More information about KPI, KRI, Risk Tolerance, and POA&Ms can be discovered in IR 8286B and SP 800-37.

Step 5b: Updating Your Profile
Implementing activities that follow your Action Plan is part of an ongoing cyber risk management program (feedback loops and lines of communication are more nuanced than shown). Risk Assessments, as described in SP 800-30, can leverage Risk Tolerance statements when identifying risks, as well as when determining the likelihood and impact of those risks. The changing likelihood and impact are a measure of the effectiveness of the Action Plan and the discrete controls. Risk monitoring is also performed using KPI and KRI. Changes in risks, likelihoods, and/or impacts may all result in updates to the Organizational Profile.

[Figure: the Action Plan is fulfilled with controls (Step 5a); Risk causes update of the Organizational Profile (Step 5b). * Risk Assessment can occur at any time and can inform any step.]
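The gap analysis of Step 4 and the Action Plan/POA&M split of Step 5, carried out in Python as an added example (not code from the Quick-Start Guide or the NIST template). It assumes the Profile was exported from the template spreadsheet to CSV with the column names shown, that the Priority field uses the labels High/Moderate/Low, and that gaps with a Target Date beyond a one-year horizon go to a POA&M; the rows are constructed sample data.

```python
"""Current-vs-Target Profile gap analysis and Action Plan/POA&M split.

Assumed CSV export of the Organizational Profile template (column names,
Priority labels, and the planning horizon are assumptions, not NIST's).
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from datetime import date

# CSF 2.0 Subcategory IDs look like GV.SC-04: a two-letter Function
# (GV, ID, PR, DE, RS, RC), a two-letter Category and a two-digit number.
SUBCATEGORY_ID = re.compile(r"^(GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}$")

# Ordering used to sort gaps; the label set is an assumption.
PRIORITY_RANK = {"High": 0, "Moderate": 1, "Low": 2}

# Constructed sample export (not real assessment data).
SAMPLE_PROFILE_CSV = """\
Subcategory,Priority,Current Practices,Current Status,Target Goals,Target Date
GV.SC-04,High,Supplier list kept in a spreadsheet but not ranked,Partial,Suppliers tiered by criticality criteria,2025-03-31
PR.PS-01,High,Allowlisting on servers only,Partial,Allowlisting on all platforms; software source and integrity verified before install,2025-09-30
ID.RA-09,Moderate,,Not Started,Authenticity and integrity of hardware and software assessed before acquisition,2026-06-30
RS.CO-02,Low,Notification procedure in IR plan,Achieved,Internal and external stakeholders notified per contracts and regulations,2025-01-31
DE.CM-03,Moderate,EDR telemetry reviewed weekly,Achieved,Personnel activity and technology usage monitored continuously,2025-01-31
"""


@dataclass
class ProfileRow:
    subcategory: str
    priority: str
    current_practices: str
    current_status: str
    target_goals: str
    target_date: date

    @property
    def has_gap(self) -> bool:
        # Anything short of "Achieved" is a gap between Current and Target.
        return self.current_status != "Achieved"


def load_profile(csv_text: str) -> list[ProfileRow]:
    """Parse the exported Profile, rejecting malformed IDs or priorities."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        sub_id = rec["Subcategory"].strip()
        if not SUBCATEGORY_ID.match(sub_id):
            raise ValueError(f"malformed CSF Subcategory ID: {sub_id!r}")
        if rec["Priority"] not in PRIORITY_RANK:
            raise ValueError(f"unknown Priority {rec['Priority']!r} on {sub_id}")
        rows.append(ProfileRow(
            subcategory=sub_id,
            priority=rec["Priority"],
            current_practices=rec["Current Practices"].strip(),
            current_status=rec["Current Status"].strip(),
            target_goals=rec["Target Goals"].strip(),
            target_date=date.fromisoformat(rec["Target Date"]),
        ))
    return rows


def gap_analysis(rows: list[ProfileRow]) -> list[ProfileRow]:
    """Return the gaps ordered by Priority (High first), then by ID."""
    gaps = [r for r in rows if r.has_gap]
    return sorted(gaps, key=lambda r: (PRIORITY_RANK[r.priority], r.subcategory))


def action_plan(rows: list[ProfileRow], as_of: str, horizon_days: int = 365) -> dict:
    """Split gaps into the near-term Action Plan and a POA&M.

    Gaps whose Target Date lies beyond the planning horizon (counted from
    the ISO date `as_of`) take a longer remediation timeline and are
    tracked in a POA&M; the remaining gaps form the Action Plan.
    """
    start = date.fromisoformat(as_of)
    plan, poam = [], []
    for gap in gap_analysis(rows):
        days_left = (gap.target_date - start).days
        (poam if days_left > horizon_days else plan).append(gap)
    return {"action_plan": plan, "poam": poam}


def achievement_rate(rows: list[ProfileRow], priority: str) -> float:
    """KPI: share of outcomes at a given Priority that are already Achieved."""
    at_priority = [r for r in rows if r.priority == priority]
    if not at_priority:
        return 0.0
    achieved = sum(1 for r in at_priority if not r.has_gap)
    return achieved / len(at_priority)


if __name__ == "__main__":
    profile = load_profile(SAMPLE_PROFILE_CSV)
    result = action_plan(profile, as_of="2025-01-01")
    for label, items in result.items():
        print(label)
        for g in items:
            print(f"  [{g.priority}] {g.subcategory}: {g.current_status} -> {g.target_goals}")
    print(f"High-priority outcomes achieved: {achievement_rate(profile, 'High'):.0%}")
```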
NEXT STEPS
What’s Next. Here’s a list of things you can do to move this QSG into practice:
• Familiarize yourself with the NIST CSF Organizational Profile template
• See if there is a Community Profile relevant for you at the NIST Community Profiles site
• Determine how many CSF Organizational Profiles you need [Step 1]
• Inventory your cybersecurity requirements
• Prioritize CSF outcomes in your Organizational Profiles [Step 2]
• Assess your Current Profile [Step 3]
• Read more about Informative References
• Improve your cybersecurity program over time [Steps 4 & 5]

SP 800-37: NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems & Organizations
SP 800-53: NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems & Organizations
SP 800-30: NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments

Resources
• Organizational Profile Template
• NIST CSF 2.0 Reference Tool
• Informative References
• Implementation Examples
• A Guide to Creating CSF 2.0 Community Profiles
• Quick-Start Guide for Using the CSF Tiers
NIST Cybersecurity Framework 2.0:
Small Business Quick-Start Guide
• Assess the potential impact of a total or partial loss of critical business assets and operations. (GV.OC-04)
• Assess whether cybersecurity insurance is appropriate for your business. (GV.RM-04)
• Assess cybersecurity risks posed by suppliers and other third parties before entering into formal relationships. (GV.SC-06)
Prioritize
• Prioritize managing cybersecurity risks alongside other business risks. (GV.RM-03)
Communicate
• Communicate leadership’s support of a risk-aware, ethical, and continually improving culture. (GV.RR-01)
• Communicate, enforce, and maintain policies for managing cybersecurity risks. (GV.PO-01)

Technical Deep Dive: Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight
Questions to Consider
• As our business grows, how often are we reviewing our cybersecurity strategy?
• Do we need to upskill our existing staff, hire talent, or engage an external partner to help us establish and manage our cybersecurity plan?
• Do we have acceptable use policies in place for business and for employee-owned devices accessing business resources? Have employees been educated on these policies?
Related Resources
• Securing Small and Medium-Sized Supply Chains Resource Handbook
• Choosing A Vendor/Service Provider
Prioritize
• Prioritize inventorying and classifying your business data. (ID.AM-07)
• Prioritize documenting internal and external cybersecurity threats and associated responses using a risk register. (ID.RA)
Communicate
• Communicate cybersecurity plans, policies, and best practices to all staff and relevant third parties. (ID.IM-04)
• Communicate to staff the importance of identifying needed improvements to cybersecurity risk management processes, procedures, and activities. (ID.IM)

Technical Deep Dive: Integrating Cybersecurity and Enterprise Risk Management
Questions to Consider
• What are our most critical business assets (data, hardware, software, systems, facilities, services, people, etc.) we need to protect?
• What are the cybersecurity and privacy risks associated with each asset?
• What technologies or services are personnel using to accomplish their work? Are these services or technologies secure and approved for use?
Related Resources
• NIST Risk Register Template
• Take Stock. Know What Sensitive Information You Have
• Evaluating Your Operational Resilience and Cybersecurity Practices
Actions to Consider
Understand
• Understand what your incident response plan is and who has authority and responsibility for implementing various aspects of the plan. (RS.MA-01)
Assess
• Assess your ability to respond to a cybersecurity incident. (RS.MA-01)
• Assess the incident to determine its severity, what happened, and its root cause. (RS.AN-03, RS.MA-03)
Prioritize
• Prioritize taking steps to contain and eradicate the incident to prevent further damage. (RS.MI)
Communicate
• Communicate a confirmed cybersecurity incident with all internal and external stakeholders (e.g., customers, business partners, law enforcement agencies, regulatory bodies) as required by laws, regulations, contracts, or policies. (RS.CO-02/03)

Getting Started with an Incident Response Plan
Before an incident occurs, you want to be ready with a basic response plan. This will be customized based on the business but should include:
A business champion: Someone who is responsible for developing and maintaining your incident response plan.
Who to call: List all the individuals who may be part of your incident response efforts. Include their contact information, responsibilities, and authority.
What/when/how to report: List your business's communications/reporting responsibilities as required by laws, regulations, contracts, or policies.
Contact / Phone worksheet (left blank in the guide): Business Leader; Technical Contact; State Police; Legal; Bank; Insurance.

Technical Deep Dive: NIST Computer Security Incident Handling Guide
Questions to Consider
• Do we have a cybersecurity incident response plan? If so, have we practiced it to see if it is feasible?
• Do we know who the key internal and external stakeholders and decision-makers are who will assist if we have a confirmed cybersecurity incident?
Related Resources
• Incident Response Plan Basics
• FBI’s Internet Crime Complaint Center
• Data Breach Response: A Guide for Business
• Best Practices for Victim Response and Reporting of Cyber Incidents
View the Quick-Start Guide for Creating and Using Organizational Profiles for more detailed information on how to get started creating Current and Target Profiles for your organization.
Additional Resources
The NIST Cybersecurity Framework Reference Tool allows users to explore the full CSF 2.0 Core in human and machine-readable versions (in JSON and Excel), while also maintaining
resources with information to help you achieve your desired outcomes, such as:
• Mapping: Informative references are mappings indicating relationships between the CSF 2.0 and various standards, guidelines, regulations, and other content. They help inform
how an organization may achieve the Core’s outcomes.
• Implementation examples provide illustrations of concise, action-oriented steps to guide organizations in achieving the CSF outcomes. The examples are not a comprehensive
list of all actions that could be taken by an organization, nor are they a baseline of required actions; they are a set of helpful examples to get organizations thinking about
concrete steps.
NIST Cybersecurity and Privacy Reference Tool (CPRT) provides a simple way to access reference data from various NIST cybersecurity and privacy standards, guidelines, and Frameworks–
downloadable in common formats (XLSX and JSON).
NIST SP 800-53 provides a catalog of security and privacy controls you can choose from. The controls are flexible, customizable, and implemented as part of an organization-wide process to
manage risk. View and export from the Cybersecurity and Privacy Reference Tool (CPRT).
The Workforce Framework for Cybersecurity (NICE Framework) helps employers achieve the outcomes in the CSF 2.0 by assisting them to identify critical gaps in cybersecurity staffing and
capabilities; determine and communicate position responsibilities and job descriptions; and provide staff training and career pathways.
NIST Cybersecurity Framework 2.0:
Quick-Start Guide for Cybersecurity Supply
Chain Risk Management (C-SCRM)
Establishing a C-SCRM Capability
The CSF has a Category within its Govern Function dedicated to C-SCRM: the Cybersecurity Supply Chain Risk Management (GV.SC) Category. GV.SC contains the key outcomes that every organization should achieve through its C-SCRM capability. Additionally, many of the subcategories within the remainder of the CSF can be used to identify and communicate C-SCRM-related requirements internally for organizations and for their vendors.
Perform these activities to establish your organization’s C-SCRM capability:
Activity 1: Create a C-SCRM strategy, objectives, policies, and processes. [GV.SC-01]
Activity 2: Identify your organization’s technology suppliers and determine how critical each one is to your organization. [GV.SC-04]
Activity 3: Establish C-SCRM roles and requirements and communicate them within and outside your organization. This includes identifying C-SCRM roles and responsibilities [GV.SC-02] and C-SCRM requirements [GV.SC-05].
It is also important to coordinate and harmonize activities between your C-SCRM capability and other internal capabilities. Here are a few examples:
• Integrate C-SCRM into cybersecurity and enterprise risk management, risk assessment, and improvement processes, and monitor the performance of C-SCRM practices throughout the technology lifecycle. [GV.SC-03, GV.SC-09] See the Enterprise Risk Management Quick-Start Guide for more information on C-SCRM integration.
• Include your relevant suppliers in cybersecurity incident planning, response, and recovery activities. [GV.SC-08] See NIST’s Computer Security Incident Handling Guide for more information on key practices for cybersecurity incidents.

Checklist of actions for Activity 1: Create a C-SCRM strategy, objectives, policies, and processes.
☐ Establish a C-SCRM strategy that lays out the objectives of the capability.
☐ Develop a C-SCRM plan (with milestones) and C-SCRM policies and procedures that guide implementation and improvement of the plan and the capability; socialize those policies and procedures with organizational stakeholders.
☐ Develop and implement C-SCRM processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders.
☐ Establish a cross-organizational mechanism that ensures alignment between functions that contribute to C-SCRM management, such as cybersecurity, IT, legal, human resources, engineering, etc.

Checklist of actions for Activity 2: Identify your organization’s technology suppliers and determine how critical each one is to your organization.
☐ Develop criteria for supplier criticality based on, for example, the importance of the supplier’s products or services to the organization’s business, sensitivity of the data processed or stored by the supplier, and degree of access to the organization’s systems.
☐ Prioritize suppliers into criticality levels based on the criteria. See NIST IR 8179, Criticality Analysis Process Model: Prioritizing Systems and Components for more information on a structured method for prioritization.
☐ Keep a record of all suppliers, prioritized based on the criticality criteria.
NIST CSF 2.0: CYBERSECURITY SUPPLY CHAIN RISK MANAGEMENT (C-SCRM)
A QUICK START GUIDE
HOW TO USE THE CSF TO ESTABLISH AND OPERATE A C-SCRM CAPABILITY
Checklist of actions for Activity 3: Establish C-SCRM roles and requirements and communicate them within and outside your organization.

C-SCRM roles and responsibilities:
☐ Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing C-SCRM activities.
☐ Document C-SCRM roles and responsibilities in policy.
☐ Create responsibility matrixes (e.g., RACI charts) to document who will be responsible, accountable, consulted, and informed for C-SCRM activities and how those teams and individuals will be consulted and informed.
☐ Include C-SCRM responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability.
☐ Document performance goals for personnel with C-SCRM responsibilities, and periodically measure them to demonstrate and improve performance.
☐ Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks and integrate them into organizational policies and applicable third-party agreements.
☐ Internally communicate C-SCRM roles and responsibilities for suppliers.
☐ Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers.

C-SCRM requirements:
☐ Establish security requirements for suppliers, products, and services commensurate with their criticality and potential impact if compromised.
☐ Include all cybersecurity and supply chain requirements that suppliers must follow and how compliance with the requirements may be verified in default contractual language.
☐ Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in contracts.
☐ Include security requirements in contracts based on their criticality and potential impact if compromised.
☐ Define security requirements in service level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle.
☐ Specify in contracts the rights and responsibilities of the organization, its suppliers, and their supply chains with respect to potential cybersecurity risks. Contractually require suppliers to do the following:
  ☐ disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
  ☐ provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
  ☐ vet their employees and guard against insider threats
  ☐ provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
HOW TO USE THE CSF TO DEFINE AND COMMUNICATE SUPPLIER REQUIREMENTS
Developing Supplier Requirements
An organization should specify requirements for technology suppliers. Robustness of these requirements should correspond to supplier criticality.
Organizations can use two different methods for specifying supplier requirements:
1. Use CSF Categories and Subcategories. Not all Categories and Subcategories will apply to all suppliers. You can pick and choose requirements that fit your mission or business supplier criticality level. Select requirements for suppliers based on their criticality and your mission or business. To do that, review the list of CSF Categories and Subcategories, and determine which ones will be applicable to suppliers within each of the criticality levels, based on the risk appetite for each supplier criticality level.
When considering individual supplier agreements, determine if additional supplier requirements are needed based on existing criticality criteria, such as your mission or business, data type being processed, or digital product or service being provided.
2. Create CSF Target Profiles for Each Supplier Criticality Level. The next page explains how to express supplier requirements for each supplier criticality level.

Examples of CSF Categories and Subcategories that are likely to include requirements for suppliers
Govern:
• Organizational Context: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed [GV.OC-03]
• Roles, Responsibilities, and Authorities: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced [GV.RR-02]
• Cybersecurity Supply Chain Risk Management: Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders [GV.SC]
Identify:
• Risk Assessment: The authenticity and integrity of hardware and software are assessed prior to acquisition and use [ID.RA-09]; Critical suppliers are assessed prior to acquisition [ID.RA-10]
• Improvement: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties [ID.IM-02]
Protect:
• Identity Management, Authentication, and Access Control: Identities and credentials for authorized users, services, and hardware are managed by the organization [PR.AA-01]
• Awareness and Training: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind [PR.AT-02]
Detect:
• Continuous Monitoring: Personnel activity and technology usage are monitored to find potentially adverse events [DE.CM-03]
Respond:
• Incident Management: Incidents are escalated or elevated as needed [RS.MA-04]
• Incident Response Reporting and Communication: Internal and external stakeholders are notified of incidents [RS.CO-02]
Recover:
• Incident Recovery Plan Execution: The integrity of backups and other restoration assets is verified before using them for restoration [RC.RP-03]
• Incident Recovery Communication: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders [RC.CO-03]
HOW TO USE THE CSF TO DEFINE AND COMMUNICATE SUPPLIER REQUIREMENTS
Follow these steps to create Target Profiles for communicating C-SCRM requirements to your suppliers.
1. Scope the Target Profile. Decide which of your supplier criticality levels it will apply to, and determine any other
restrictions to be placed on the Profile’s scope, such as suppliers of a particular type of product or service only. You
can create as many Target Profiles as you need to specify the requirements for all of your suppliers.
2. Select the CSF Categories to include. Identify which CSF Categories and Subcategories correspond to your requirements, and only include those Categories and Subcategories in the Target Profile.
3. Determine what types of information to include in your Target Profile. Target Profiles are flexible and can contain whatever types of information you want to communicate to your suppliers. The notional Profile excerpt below captures each selected Category’s and Subcategory's relative priority, the internal practices that the supplier must follow, and references to additional sources of information on achieving the Category and Subcategory.
4. Fill in the columns, and share the Target Profile. Once the contents of the Target Profile have been internally reviewed and finalized, it can be shared with your suppliers as your set of C-SCRM requirements for them.

Additional resources for creating Target Profiles
• Quick-Start Guide for Creating and Using Organizational Profiles (including Target Profiles)
• A Guide to Creating CSF 2.0 Community Profiles (Community Profiles have much in common with creating Target Profiles for numerous suppliers to follow)
• Quick-Start Guide for Using the CSF Tiers (to help inform creation of Target Profiles)
• Enterprise Risk Management Quick-Start Guide
• Informative Reference Mapping Quick-Start Guide (for accessing and using existing Informative References for a Target Profile)

Notional Target Profile excerpt (columns: Selected CSF Outcomes; Target Priority; Target Internal Practices; Selected Informative References)
Selected CSF Outcomes: PR.PS, The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability
Target Priority: High
Target Internal Practices:
1. Configure platforms to allow the installation of organization-approved software only.
2. Verify the source of new software and the software’s integrity before installing it.
3. Configure platforms to use only approved DNS services that block access to known malicious domains.
4. ...
Selected Informative References:
• NIST SP 800-161r1, control SI-3
• ISO 27002:2022, control 8.7
• …
…
NEXT STEPS
CSF 2.0 provides guidance for reducing cybersecurity risks by helping organizations discuss, organize, and address gaps in their cybersecurity program in a standard way. The cybersecurity
outcomes described in CSF affect cybersecurity, ICT, and enterprise risks. Understanding these dependencies is an essential activity in CSRM, ICT RM, and ERM. The Cybersecurity Risk
Register (CSRR) described in the NIST IR 8286 series of publications enables organizations to identify, manage, and monitor the relationships between discrete risks and aspects of a CSF-
based cybersecurity program that address those risks. The CSRR allows organizations to identify, organize, analyze, and report on cybersecurity risks at the system level. CSF Organizational
Profiles are a natural byproduct of a comprehensive CSRR, because the relative priority of CSF outcomes becomes apparent based on how significant the impacts of identified cybersecurity
risks might be to the organization’s priorities, such as its strategic objectives, products and services, or customers.
NIST Cybersecurity Framework 2.0: Enterprise Risk Management Quick-Start Guide
CSF 2.0 Supports Six Activity Points For Informing, Implementing, and Monitoring ERM
CSF 2.0 is a valuable guide for helping to review and improve security and privacy considerations as part of a holistic enterprise risk approach. CSF is most helpful when it is paired with other ERM elements. For example, as agency officials and corporate boards provide oversight of all relevant risks, the CSF process helps ensure that cybersecurity strategy is well-executed. Managers plan and implement risk treatment based on that strategy, record and report progress, and provide agency/business leaders with information needed for effective operations and mission success.
The Activity Points, which are further described in subsequent pages, include:
• 1 – Leaders define and record enterprise mission, priorities, and risk appetite. Accountability is assigned for managing both positive and negative types of risk. (GV.OC, GV.RM, GV.SC)
• 2 – Organization-level managers interpret risk appetite into specific guidance regarding security and privacy requirements, and associated risk tolerance. (GV.RR, GV.PO, ID.RA)
• 3 – Risk strategy and requirements aid implementation of shared security solutions and system-level controls to achieve an acceptable level of risk. (PROTECT, DETECT, RESPOND, and RECOVER)
• 4 – Risk response outcomes are reflected as residual risk in system-level risk registers as part of ongoing assessment and continuous monitoring activities. (ID.RA, ID.IM, GV.OV)
• 5 – Risk registers are normalized and aggregated at the organizational unit level, supporting reporting, analysis, and organization-level adjustment. (ID.IM, GV.OV)
• 6 – Combined risk results from the enterprise are used to maintain an enterprise-level risk register and risk profile, supporting enterprise business decisions and any adjustments needed for the risk strategy. (GV.PO, GV.OV)
[Figure: Illustration of enterprise risk management integration and coordination from NIST SP 800-221]
CSF 2.0, as part of a holistic ERM approach, helps ensure that leaders continually have the information they need for making informed business/agency decisions.
Supporting Resources:
• SP 800-221, Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio
• SP 800-221A, Information and Communications Technology (ICT) Risk Outcomes: Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio
Aligning enterprise priorities with strategic activity
As senior leaders and organizational managers observe and discuss risk management strategy (to take advantage of opportunities and to avoid known threats), they develop a plan for managing risk to the optimal level.
The outcomes in the CSF Govern Function (GV) specifically drive actionable planning about how to best manage various enterprise risks to ICT, including privacy, supply chain, AI, IoT, and OT on which the entity depends.
Beginning with an understanding of what information and technology are most important to the enterprise mission, leaders define acceptable levels of risk for those assets and describe how personnel in various work roles will be accountable for risk management success. (ID.AM, ID.RA)
This actionable and proactive strategizing also makes clear to customers and other stakeholders that effective risk management is a priority, that clear and accountable plans are in place to achieve that management, and that monitoring processes are continually identifying opportunities for improvement. These plans specifically apply the outcomes described in the CSF Organizational Profile(s), in particular the PROTECT, DETECT, RESPOND, and RECOVER functions.
Based on internal and external organizational context, leaders use governance systems to set risk priorities, risk appetite, and risk strategy. This understanding sets the tone for how the enterprise conducts, measures, and reports risk management activities and performance. Actions include processes for aligning priorities and risk direction for business partners and other members of the organization’s cybersecurity supply chain.
Understanding of objectives and risk appetite enables managers to interpret how to apply those for their organizational units (OUs). Managers create risk tolerance statements and metrics, defining a “target state” that will achieve stakeholder objectives, such as through secure shared infrastructure (e.g., organizationally-tailored control baselines, common controls, and monitoring strategy).
The direction from leadership and OU management is applied in an operational context, supporting system-level risk assessment, requirements definition, and allocation. These enable effective categorization, control selection/implementation, and ongoing system-level authorization/monitoring.
Questions to Consider
Activity Point 1: Where do you draw the mission and strategic priorities of the organization from? Do you have a process for defining and expressing Risk Appetite?
Activity Point 2: How is Risk Appetite translated into Risk Tolerance? Are cybersecurity risk management strategy outcomes reviewed to inform and adjust strategy and direction?
Activity Point 3: How are organizational priorities, definition of acceptable risk, and performance requirements embedded in your system-level risk activities? Are these translated into control selection, system constraints, reporting requirements, and anomaly detection?
Related Resources
• NIST Risk Management Framework (RMF) for Information Systems and Organizations – a comprehensive, flexible, repeatable, and measurable process to manage information security and privacy risk
• NIST IR 8286 series – specifically NIST IR 8286A, Identifying and Estimating Cybersecurity Risk for ERM
• NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments
Risk Assessment, Risk Treatment, and Information Sharing Ensure Value and Risk Optimization
Select Risk Response
After selecting and implementing controls and other methods of risk treatment, system-level personnel assess the effectiveness and efficiency of
that treatment (e.g., through the Assess step of the NIST Risk Management Framework). Risk managers evaluate threats and opportunities, in
alignment with risk strategy and direction from enterprise- and organization-level guidance. They determine the benefits of the following
responses: Mitigate, Accept, Avoid, and Transfer for negative risks; Realize, Share, Enhance, and Accept for positive risks.
Analyze and Prioritize Risks
There are benefits to both qualitative and quantitative risk analysis methodologies and even the use of multiple methodologies, based on
enterprise strategy, organization preference, and data availability (ID.RA). The relative priority of various types of risk must be decided upon by
those with appropriate authority, usually through guidance provided through the risk management strategy (GV.RM).
Communicate Risk Findings and Decisions
The cybersecurity risk register (CSRR) provides a location to record and communicate the known system-level threats and vulnerabilities, their
impact on business objectives, and actions taken or planned. Risk managers share information about residual risk, including metrics that support
ongoing assessment and authorization, and plans of actions & milestones for maintaining the appropriate level of risk based on stakeholders’
expectations (as expressed in the target state of the Organizational Profiles, especially the Govern and Identify functions).
Questions to Consider
How do CSF Target Profile outcomes (organizational agreement on how to best protect,
detect, respond, and recover) inform system-specific risk assessment and treatment?
How can we estimate likelihood and impact of those risks given the planned outcomes and
knowledge from previous results?
Is our risk response proportionate to the exposure?
Related Resources
• SP 800-221, Enterprise Impact of Information and Communications Technology Risk: Governing
and Managing ICT Risk Programs Within an Enterprise Risk Portfolio
• NIST IR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management
• Risk Detail CSRR Schema
Feedback from CSF Informative References and the MEA cycle help
monitor and adjust risk response, appetite/tolerance, and policy.
As risk management controls are operated, performance is evaluated and adjusted
to improve effectiveness and efficiency. Feedback from the MEA cycle sometimes
results in more than just adjustments to controls and other Informative References.
Feedback may lead to adjustments in:
• CSF Profile
• Risk Detail Record
• Risk Response Description
• Risk Response
• Risk Tolerance
• Risk Appetite
• Policy
• Strategy
This helps report results back to management and enterprise leadership. Results that
particularly reflect operational achievement (key performance indicators, or KPIs)
confirm conformance with the strategy (GV.RM, GV.SC). This also supports personnel
performance monitoring and reporting (GV.RR, GV.PO).
Managers integrate data from normalized and harmonized risk registers and from organization-level reports, compliance and audit reports. These are considered in light of non-technology risk management activities (e.g., credit risk, market risk, labor risk). Considering composite outcomes of positive and negative risk management enables effective balance among investments in and results of risk management activity. Results are reflected in an enterprise risk register (ERR) and an enterprise risk profile (ERP) that provides a prioritized ERR.
In this way, CSF helps to guide the selection, implementation, and monitoring of specific controls (such as those in the informative references), and the results ensure an effective and ongoing holistic ERM solution for all types of risk.
Questions to Consider
How are top cybersecurity risks identified for leadership and recorded in the enterprise risk register?
Are escalation criteria defined to ensure accountability and information sharing? (NIST IR 8286C)
Are processes in place to marry system/organization-level risk to enterprise-level considerations?
How are enterprise security and privacy risks (including opportunities) aligned with other risk types?
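The register flow described above and in the CSRR section (system-level registers normalized to a common scale, aggregated into an ERR, and prioritized into an ERP), as an added Python example that is not part of the NIST guide; the record fields, the 1-5 common scale, the residual fraction and the sample risks are assumptions constructed for illustration:

```python
"""Constructed model of this page's register flow: system-level CSRRs normalized and
aggregated into an enterprise risk register (ERR), then prioritized into an enterprise
risk profile (ERP). Field names, scales and sample risks are assumptions, not NIST's."""
from dataclasses import dataclass
RESPONSES = {"Mitigate", "Accept", "Avoid", "Transfer"}  # negative-risk responses on the page

@dataclass
class RiskRecord:
    """Subset of a risk detail record; scores are on the originating OU's native scale."""
    risk_id: str
    description: str
    likelihood: float
    impact: float
    response: str
    residual_fraction: float = 1.0  # share of exposure left after the response (assumed)

def normalize(value: float, scale_max: float) -> float:
    """Rescale a score from a native 1..scale_max scale to the common 1..5 scale."""
    if not 1 <= value <= scale_max:
        raise ValueError(f"score {value} outside 1..{scale_max}")
    return 1 + (value - 1) * 4 / (scale_max - 1)

def exposure(rec: RiskRecord, scale_max: float) -> float:
    """Inherent exposure: normalized likelihood x normalized impact."""
    return normalize(rec.likelihood, scale_max) * normalize(rec.impact, scale_max)

def residual_exposure(rec: RiskRecord, scale_max: float) -> float:
    """Exposure left after the chosen response; rejects responses outside the page's set."""
    if rec.response not in RESPONSES:
        raise ValueError(f"unknown response {rec.response!r}")
    return exposure(rec, scale_max) * rec.residual_fraction

def build_err(registers: dict) -> list:
    """Aggregate OU registers {ou: (scale_max, records)} into one ERR on the common scale."""
    return [{"risk_id": r.risk_id, "ou": ou, "response": r.response,
             "inherent": round(exposure(r, scale_max), 2),
             "residual": round(residual_exposure(r, scale_max), 2)}
            for ou, (scale_max, records) in registers.items() for r in records]

def build_erp(err: list, top_n: int = 3) -> list:
    """ERP: the ERR ordered by residual exposure so leadership sees the top risks first."""
    return sorted(err, key=lambda r: r["residual"], reverse=True)[:top_n]

# Constructed sample: Finance scores on 1-5, Ops on 1-10, so raw scores are not comparable.
SAMPLE_REGISTERS = {
    "Finance": (5, [RiskRecord("F-01", "payroll SaaS credential theft", 4, 5, "Mitigate", 0.4),
                    RiskRecord("F-02", "legacy report server", 2, 3, "Accept")]),
    "Ops": (10, [RiskRecord("O-01", "unpatched OT firmware", 8, 10, "Transfer", 0.5),
                 RiskRecord("O-02", "vendor portal misconfiguration", 5, 4, "Avoid", 0.0)]),
}
```

Without normalization, Ops' 8x10 score would dwarf Finance's 4x5; on the common scale both land near 20, and the ERP ordering comes from residual exposure after each OU's chosen response.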
What We Learned*
Risk Appetite – statements expressing a general way of defining risk you can accept
Risk Tolerance – statements expressing a specific way of defining risk you cannot accept
Risk Identification – the process of understanding your risks
Enterprise Risk Management – the process of managing general high-level risk
Information and Communications Technology Risk Management – the process of managing various ICT risks
Cybersecurity Risk Management – the process of managing specific cybersecurity risks
CSF Govern – one of six high-level outcomes expressed in CSF; oversight to ensure cybersecurity is managed
Negative Risks – things that are weaknesses or threats
Positive Risks – things that are strengths or opportunities
Cybersecurity Risk Register – a list of your high-priority risks
Risk Response Description – the place in the CSRR where you note CSF outcomes and Informative Reference implementations
Cybersecurity Framework Outcome – what cybersecurity you are trying to achieve
Informative Reference Implementation – how you implement cybersecurity
Online Informative References – a catalog of Informative References hosted at a NIST website
SP 800-53 Control – a security or privacy control from the NIST Special Publication 800-53 controls catalog
Monitor, Evaluate, Adjust – how you actualize cybersecurity; in a Deming Cycle, this is the do, check, act
Feedback Loop – how you make adjustments and improvements
*Descriptions provided are intended as plain language. Please see the NIST Glossary for official NIST definitions.
EXPLORE MORE CSF 2.0 RESOURCES
• CSF 2.0 website
• CSF 2.0 Organizational Profiles
• Informative References
• SP 800-53 – security and privacy controls
• SP 800-221 – Integrating ICT risk management and ERM
• SP 800-221A – Outcome Framework for Integrating ICT RM and ERM
• IR 8286 – Overview of integrating CSRM and ERM
• IR 8286A – Deep dive on risk registers
• IR 8286B – Prioritizing and treating risk responses
• IR 8286C – Integrating the CSF with ERM
• IR 8286D – BIA’s role in ERM