Week-10: NIST

Week-10 NIST Cybersecurity Framework (CSF)

Ali Jaddoa

Ali.Jaddoa@roehampton.ac.uk

Date: of Dec 2025


25/26

Cyber Security is Hard

But how do you make sure everything is covered?



Standards and frameworks

Different frameworks guide cyber risk management, each with its own focus and adoption.

| Framework | Focus | Adoption / Use Case |
|---|---|---|
| NIST CSF 2.0 | Outcome-based, flexible, governance-driven | Widely used; adaptable to any sector |
| ISO/IEC 27001 | International ISMS standard; compliance & certification | Global; formal audits & certification |
| OCTAVE | Risk assessment, scenario-driven | Critical infrastructure & large organisations |


NIST CSF 2.0

  • Helps organisations manage and reduce cybersecurity risk
  • Built around six core functions
  • Based on recognised standards and best practice
  • Provides Profiles and Tiers for assessing current posture, setting targets and prioritising improvements
  • Aligns well with ISO/IEC 27001 (next week)


NIST Components

  • A - CSF Core
    • Functions → Categories → Subcategories (outcomes)
  • B - Profiles
    • Describe Current vs Target cybersecurity posture
    • Support gap analysis
  • C - Tiers
    • Characterise maturity of risk governance & management
    • From Tier 1 (Partial) to Tier 4 (Adaptive)


A. NIST CSF 2.0 - The Core

What you need to do.

  • 6 Functions: Govern, Identify, Protect, Detect, Respond, Recover
  • 22 Categories (high-level outcomes)
  • 106 Subcategories (specific outcomes)
  • Each subcategory links to informative references (SP 800-53, ISO, CIS Controls)
  • Delivered as a spreadsheet with rows/columns of outcomes & mappings
  • “Outcome” = security goal (Category = high-level, Subcategory = specific)
(Figure: NIST CSF Core)


1. GOVERN (GV)

Categories (high-level outcomes):

  • Organizational Context (GV.OC)
  • Risk Management Strategy (GV.RM)
  • Roles, Responsibilities, and Authorities (GV.RR)
  • Policy (GV.PO)
  • Oversight (GV.OV)
  • Cybersecurity Supply Chain Risk Management (GV.SC)

Example: Define a supply chain risk policy requiring vendors to comply with ISO/IEC 27001.



2. IDENTIFY (ID)

Categories:

  • Asset Management (ID.AM)
  • Risk Assessment (ID.RA)
  • Improvement (ID.IM)

Example: Maintain an updated inventory of cloud servers and assess them for vulnerabilities quarterly.



3. PROTECT (PR) - safeguards for confidentiality, integrity and availability (CIA)

Categories:

  • Identity Management, Authentication, and Access Control (PR.AA)
  • Awareness and Training (PR.AT)
  • Data Security (PR.DS), which also covers backups (PR.DS-11: backups created, protected, maintained and tested)
  • Platform Security (PR.PS)
  • Technology Infrastructure Resilience (PR.IR)

Example: Enforce multi-factor authentication (MFA) for all staff and provide annual phishing awareness training.



4. DETECT (DE)

Categories:

  • Continuous Monitoring (DE.CM)
  • Adverse Event Analysis (DE.AE)

Example: Use a SIEM system to detect unusual login attempts and analyse logs for signs of compromise.
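As an added illustration of the DE.CM / DE.AE outcomes (this is example code written for these notes, not part of the slides or of any SIEM product), the rule below scans constructed sshd-style log lines for a source IP with many failed logins inside a short window, and for a successful login from that IP while the burst is still live, which is the stronger "sign of compromise". The log format, the threshold of 5 and the one-minute window are assumptions for the example.

```python
"""Added example, not part of the slides: a minimal SIEM-style detection
rule for unusual login attempts. Log format, threshold and window are
assumptions chosen for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified syslog/sshd format.
SAMPLE_LOG = """\
2025-12-01T09:00:01 sshd[101]: Failed password for alice from 203.0.113.7
2025-12-01T09:00:04 sshd[102]: Failed password for alice from 203.0.113.7
2025-12-01T09:00:06 sshd[103]: Failed password for root from 203.0.113.7
2025-12-01T09:00:09 sshd[104]: Failed password for alice from 203.0.113.7
2025-12-01T09:00:11 sshd[105]: Failed password for bob from 203.0.113.7
2025-12-01T09:00:15 sshd[106]: Accepted password for alice from 203.0.113.7
2025-12-01T09:05:00 sshd[107]: Failed password for carol from 198.51.100.4
2025-12-01T09:30:00 sshd[108]: Accepted publickey for carol from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn raw lines into time-ordered events. Unparseable lines are counted
    and returned, so a broken log pipeline does not look like a quiet one."""
    events, dropped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            dropped += 1
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events, dropped


def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window rule per source IP. Returns alerts as tuples:
    ('brute_force', ip, failures) once per IP when the threshold is reached,
    ('success_after_burst', ip, user) for a success while the burst is live."""
    alerts = []
    recent_failures = defaultdict(list)  # ip -> failure timestamps in window
    flagged = set()
    for e in events:
        ip = e["ip"]
        # Forget failures that fell out of the window before this event.
        recent_failures[ip] = [t for t in recent_failures[ip] if e["ts"] - t <= window]
        if not e["ok"]:
            recent_failures[ip].append(e["ts"])
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(recent_failures[ip])))
        elif len(recent_failures[ip]) >= threshold:
            alerts.append(("success_after_burst", ip, e["user"]))
    return alerts


def run(log_text=SAMPLE_LOG):
    """Parse and detect in one call; returns (alerts, unparsed_line_count)."""
    events, dropped = parse(log_text)
    return detect(events), dropped


if __name__ == "__main__":
    alerts, dropped = run()
    for alert in alerts:
        print(alert)
    print(f"{dropped} unparsed line(s)")
```

On the sample the rule raises one brute-force alert for 203.0.113.7 and then a success-after-burst alert for alice from the same address; carol's single failure followed by a key-based login 25 minutes later is below both the threshold and the window and stays quiet. The unparsed-line count matters operationally: a parser that silently drops lines after a log format change is itself a DE.CM failure.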



5. RESPOND (RS)

(More on this in the final week, with incident response)

Categories:

  • Incident Management (RS.MA)
  • Incident Analysis (RS.AN)
  • Incident Response Reporting and Communication (RS.CO)
  • Incident Mitigation (RS.MI)

Example: Activate the incident response plan during a ransomware attack, isolate infected systems, and notify stakeholders.



6. RECOVER (RC)

Categories:

  • Incident Recovery Plan Execution (RC.RP), e.g. restoring systems and data from backups
  • Incident Recovery Communication (RC.CO), e.g. progress updates to internal and external stakeholders

Example: Restore critical services from tested backups and update customers with regular recovery progress reports.



NIST: Functions and 22 categories

(Figure: the six CSF 2.0 Functions and their 22 Categories)



Activity 1: Classify Controls into CSF Functions

Pick the correct NIST CSF Function for each row.

| Control | Govern | Identify | Protect | Detect | Respond | Recover |
|---|---|---|---|---|---|---|
| 1. Multi-factor authentication | | | | | | |
| 2. Asset inventory | | | | | | |
| 3. SIEM log analysis | | | | | | |
| 4. Backup restoration testing | | | | | | |
| 5. Security awareness training | | | | | | |
| 6. Patch management | | | | | | |
| 7. Vendor risk review | | | | | | |
| 8. Incident notification | | | | | | |


B. CSF Profiles

  • Describe an organisation’s posture against CSF outcomes
  • Help assess, prioritise and communicate cybersecurity needs
  • Built with context such as mission, stakeholders and threat landscape

Types of Profiles

  • Current Profile: What the organisation achieves today
  • Target Profile: Desired outcomes for future capability
  • Community Profile: Shared baseline for a sector or use case


B. CSF Profiles: In a nutshell

(Figure: CSF Profiles in a nutshell)



CSF Profile - Lifecycle Steps

Profiles describe what outcomes you achieve.

(Figure: CSF Profile Lifecycle)
  • Scope - Define scope (whole organisation, business unit, or a specific threat)
  • Gather - Collect policies, risk registers, BIA (business impact analysis), standards, roles
  • Create - Document Current & Target Profiles
  • Analyse gaps - Compare Current vs Target → action plan
  • Implement & update - Execute plan, update Profile continuously

🔄 Continuous improvement cycle



C. CSF Tiers

Tiers describe how mature your governance and processes are when achieving those outcomes.

(Figure: CSF Tiers)
  • Tier 1 - Partial: ad hoc, limited awareness
  • Tier 2 - Risk Informed: some processes, fragmented, not organisation-wide
  • Tier 3 - Repeatable: formalised policies, consistent and reviewed
  • Tier 4 - Adaptive: continuous improvement, agile, integrated with enterprise risk management (ERM)

➡️ Tiers = levels of maturity in governance & risk practices

➡️ Provide progressive targets for improving cybersecurity posture



Building a CSF Profile with Tiers

| Step | Action | Outcome |
|---|---|---|
| 1 | Review current alignment with CSF Functions & Categories | Understand present capabilities |
| 2 | Assign each Function/Category to a Tier (1-4) | Measure current maturity |
| 3 | Combine with business objectives | Define the Current Profile |
| 4 | Identify desired outcomes & maturity levels | Define the Target Profile |
| 5 | Compare Current vs Target | Identify gaps & required improvements |
| 6 | Document improvements in a roadmap | Action plan to move toward the Target Profile |


Example – CSF Profiles with Tiers

A university IT department manages staff and student data. Backups exist but are not encrypted. Logs are collected but rarely monitored. There is no formal incident response plan.

Applying the CSF Profile and Tiers

| Step | What you do | Example for the university |
|---|---|---|
| 1 | Review current alignment | Focus on PR.DS (Data Security) and RS.MA (Incident Management) |
| 2 | Assign Current Tiers | PR.DS = Tier 2 (basic controls); RS.MA = Tier 1 (ad hoc response) |
| 3 | Define Current Profile | Limited encryption and weak incident handling |
| 4 | Define Target Profile | PR.DS → Tier 3 (encrypted backups, monitoring); RS.MA → Tier 3 (formal IR plan and testing) |
| 5 | Identify gaps | No encryption, no IR plan, unclear roles |
| 6 | Create a roadmap | Q2: implement encryption; Q3–Q4: develop IR plan, assign roles, test annually |
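The gap-analysis and roadmap steps (2 to 6 of "Building a CSF Profile with Tiers") applied to the university scenario, as an added example written for these notes rather than code from the slides or from NIST. The Category IDs, tiers and quarters are the slide's figures; the ordering rule (largest gap first, then Function order) and the ACTIONS table are assumptions for the example.

```python
"""Added example, not part of the slides: Current-vs-Target Profile gap
analysis with Tiers, producing the roadmap rows of step 6. The ordering
rule and the ACTIONS table are assumptions for the example."""

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTION_ORDER = ["GV", "ID", "PR", "DE", "RS", "RC"]  # CSF 2.0 Function prefixes


def validate_tier(tier):
    """Tiers are the integers 1-4; anything else is a data-entry error."""
    if tier not in TIERS:
        raise ValueError(f"tier must be 1-4, got {tier!r}")
    return tier


def gap_analysis(current, target):
    """current / target: {category_id: tier}. Returns one row per Category,
    largest gap first and then in Function order, so the roadmap starts
    where the shortfall against the Target Profile is biggest."""
    rows = []
    for cat in sorted(set(current) | set(target)):
        function = cat.split(".")[0]
        if function not in FUNCTION_ORDER:
            raise ValueError(f"unknown CSF Function prefix in {cat!r}")
        cur = validate_tier(current.get(cat, 1))   # unassessed => Tier 1 (Partial)
        tgt = validate_tier(target.get(cat, cur))  # no target => hold current
        rows.append({"category": cat, "function": function,
                     "current": cur, "target": tgt, "gap": tgt - cur})
    rows.sort(key=lambda r: (-r["gap"], FUNCTION_ORDER.index(r["function"])))
    return rows


def roadmap(rows, actions):
    """actions: {category_id: [(quarter, action), ...]}. Only Categories with
    a positive gap get entries; a Category with a gap but no planned action
    is flagged as TBD rather than silently dropped."""
    plan = []
    for r in rows:
        if r["gap"] <= 0:
            continue
        steps = actions.get(r["category"]) or [
            ("TBD", f"no action planned to reach Tier {r['target']}")]
        for quarter, action in steps:
            plan.append((quarter, r["category"], action))
    return plan


def describe(rows):
    """Lines for the 'Gap / Comment' column of the activity table."""
    return [f"{r['category']}: Tier {r['current']} ({TIERS[r['current']]}) -> "
            f"Tier {r['target']} ({TIERS[r['target']]}), gap {r['gap']}"
            for r in rows]


# University scenario from the slide.
CURRENT = {"PR.DS": 2, "RS.MA": 1}
TARGET = {"PR.DS": 3, "RS.MA": 3}
ACTIONS = {  # hypothetical roadmap entries for the example
    "PR.DS": [("Q2", "encrypt backups; monitor backup jobs")],
    "RS.MA": [("Q3", "write the IR plan and assign roles"),
              ("Q4", "exercise the plan; repeat annually")],
}

if __name__ == "__main__":
    rows = gap_analysis(CURRENT, TARGET)
    print("\n".join(describe(rows)))
    for quarter, category, action in roadmap(rows, ACTIONS):
        print(f"{quarter}  {category}  {action}")
```

Run as-is it lists RS.MA first (gap of two Tiers) and then PR.DS (gap of one), and emits the three roadmap rows. The same functions can be pointed at the activity that follows: fill CURRENT and TARGET for PR.DS, DE.CM and RS.MA and the "Gap / Comment" column is produced by describe().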


Activity: CSF Profiles and Tiers

A small university department has limited budget and no dedicated SOC. Backups are done monthly, logs are collected but not reviewed, and there is no formal incident response plan. Basic MFA is enabled for staff.

Task: estimate the Current Tier and Target Tier for each CSF Category below.

| CSF Category | Current Tier (1-4) | Target Tier (1-4) | Gap / Comment |
|---|---|---|---|
| PR.DS (Data Security) | | | |
| DE.CM (Continuous Monitoring) | | | |
| RS.MA (Incident Management) | | | |


NIST: Issue

The NIST CSF defines what outcomes an organisation should achieve.

But it does not show:

  • Which assets those outcomes apply to
  • Who is responsible for each area
  • How to spot gaps across devices, applications, networks, data and users

The Cyber Defense Matrix to the rescue.



The Cyber Defense Matrix

The Cyber Defense Matrix expands NIST CSF with a two‑dimensional model:

  • Dimension 1: CSF Functions - Identify, Protect, Detect, Respond, Recover (the Govern function added in CSF 2.0 is not a separate column; it applies across the whole grid)
  • Dimension 2: Asset Classes - Devices, Applications, Networks, Data, Users
  • Creates a 5×5 grid to map security outcomes and capabilities to assets

Purpose

  • Clarifies responsibilities
  • Supports gap analysis and resource allocation
  • Improves communication across the organisation
(Figure: Cyber Defense Matrix 5×5 grid)


CDM Asset Classes

  • Devices - Hardware, firmware, OS, vendor apps, networking gear
  • Applications - In-house business apps and services
  • Networks - Routing, DNS, PKI, firewalls, VPNs
  • Data - At rest, in transit, and in use (databases, files, cloud)
  • Users - People and AI agents with IDs, credentials, and permissions


Applications of the Cyber Defense Matrix

  • CSF profile status and planning
  • Responsibility assignments and handoffs
  • Measurement and metrics
  • Cybersecurity portfolio gap analysis
  • Structural and situational awareness
  • Vendor / product classification


CDM used for CSF profile status and planning

  • The Cyber Defense Matrix (CDM) can represent Current vs Target Profiles
  • Makes it easier to:
    • Prioritise and allocate resources
    • Monitor progress over time
    • Communicate status to management & stakeholders
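The 5×5 grid as a gap-analysis tool, in code added for these notes (not from the slides, nor from the Cyber Defense Matrix project): each control in an inventory is tagged with one of the five Functions and one asset class, the matrix is built from those tags, and two kinds of gap fall out: cells with no control at all (coverage gaps) and cells whose controls have no owning team (handoff gaps, the "who is responsible" question the slides raise). The control inventory, tags and team names are constructed for the example.

```python
"""Added example, not part of the slides: build the 5x5 Cyber Defense Matrix
from a tagged control inventory and report empty and unowned cells. The
inventory, tags and team names are constructed for the example."""

FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
ASSETS = ["Devices", "Applications", "Networks", "Data", "Users"]

# Constructed inventory: (control, function, asset class, owning team or None)
CONTROLS = [
    ("Hardware and VM inventory",   "Identify", "Devices",      "IT Ops"),
    ("Application catalogue",       "Identify", "Applications", "Dev"),
    ("Data classification",         "Identify", "Data",         "Governance"),
    ("HR joiners/leavers feed",     "Identify", "Users",        "HR"),
    ("Patch management",            "Protect",  "Devices",      "IT Ops"),
    ("Web application firewall",    "Protect",  "Applications", "Dev"),
    ("Firewalls and VPN",           "Protect",  "Networks",     "Network"),
    ("Encrypted backups",           "Protect",  "Data",         "IT Ops"),
    ("MFA",                         "Protect",  "Users",        "Identity"),
    ("EDR",                         "Detect",   "Devices",      "SOC"),
    ("NetFlow monitoring",          "Detect",   "Networks",     None),
    ("SIEM login analytics",        "Detect",   "Users",        "SOC"),
    ("Endpoint isolation playbook", "Respond",  "Devices",      "SOC"),
    ("Backup restore testing",      "Recover",  "Data",         "IT Ops"),
]


def build_matrix(controls):
    """Return {(function, asset): [(control, owner), ...]} for all 25 cells,
    rejecting tags that are not one of the five Functions / asset classes."""
    matrix = {(f, a): [] for f in FUNCTIONS for a in ASSETS}
    for control, function, asset, owner in controls:
        if (function, asset) not in matrix:
            raise ValueError(f"{control!r}: bad tag ({function}, {asset})")
        matrix[(function, asset)].append((control, owner))
    return matrix


def coverage_gaps(matrix):
    """Cells with no control at all, in Function then asset-class order."""
    return [cell for cell in matrix if not matrix[cell]]


def handoff_gaps(matrix):
    """Cells that have controls but no team owning any of them."""
    return [cell for cell, items in matrix.items()
            if items and all(owner is None for _, owner in items)]


def render(matrix):
    """Text grid: number of controls per cell, '-' for an empty cell."""
    width = max(len(a) for a in ASSETS) + 2
    lines = ["".ljust(10) + "".join(a.ljust(width) for a in ASSETS)]
    for f in FUNCTIONS:
        cells = [str(len(matrix[(f, a)])) if matrix[(f, a)] else "-" for a in ASSETS]
        lines.append(f.ljust(10) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    print(render(m))
    print("coverage gaps:", coverage_gaps(m))
    print("no owner:", handoff_gaps(m))
```

The constructed inventory shows the pattern the matrix is designed to expose: Protect is fully populated, Detect is patchy, and Respond and Recover are almost empty except for the one asset class each team happened to think about. Running the same code over a Current and a Target inventory gives the two grids the slide describes for tracking progress.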


CDM for Responsibility Assignment & Handoffs

  • The CDM is useful for defining who owns which responsibilities
  • Clarifies the division of security tasks across departments
  • Avoids unrealistic expectation that the security team handles everything

Benefit: Security is embedded across all business units, not siloed in the SOC.



Lab

Please review your activities from here

Book



CSF Tiers - Mapping to [CMMI](https://cmmiinstitute.com)

CMMI (Capability Maturity Model Integration) is a framework with five maturity levels. The four NIST CSF Tiers align closely with them; both describe a progression from ad hoc processes → defined practices → continuous improvement. NIST does not present the Tiers as a formal maturity model, so the mapping is indicative rather than exact.

| NIST CSF Tier | CMMI Level |
|---|---|
| Tier 4 - Adaptive | Level 4-5: Quantitatively Managed / Optimizing (systematised, optimised) |
| Tier 3 - Repeatable | Level 3: Defined (formalised) |
| Tier 2 - Risk Informed | Level 2: Managed (fragmented, project-level) |
| Tier 1 - Partial | Level 1: Initial (random, ad hoc) |


Improving Cybersecurity Risk Communication

  • Use CSF to understand, assess, prioritise, and communicate cyber risk
  • Bidirectional flow: Executives ↔ Managers ↔ Practitioners
  • Profiles & gap analysis provide a shared language for priorities and resources
  • Aligns actions with mission objectives, stakeholder expectations, and risk appetite
  • KPIs/KRIs reported upward; expectations/resources cascade downward; Profiles updated iteratively

(Figure: two-way risk communication among executives, managers, and practitioners)