
Making Sense of the NIST CSF


How I Learned to Stop Worrying about Ambiguity and Love the NIST CSF

by Craig Shuster, Axio Director of Cyber Engineering

November 27, 2018

Of course, the whole point of a Doomsday Machine is lost, if you keep it a secret!

Dr. Strangelove

The Framework for Improving Critical Infrastructure Cybersecurity (aka the NIST Cybersecurity Framework, aka the NIST CSF) offers security organizations a framework to build, manage, and measure their cybersecurity programs.

However, when reading the document, it can feel like the actual framework is a secret—much like Dr. Strangelove’s doomsday device. I don’t actually believe the framework is a secret, but there is a certain level of decoding that organizations need to do to understand how to apply the CSF.

But before I dig into how, let’s look at why the NIST CSF is even worth decoding in the first place. After all, your time is finite. Is it worth the effort to understand the CSF as a framework for your cybersecurity program? We think that it is.

As we’ve written previously, the NIST CSF can help security professionals overcome the three hurdles of security maturity reporting. These are: building a shared language with executives and the board of directors, facilitating complex cybersecurity conversations, and mapping cybersecurity assessment findings to cybersecurity roadmaps. It’s critical that security organizations overcome these challenges because boards and executives are becoming increasingly interested in cybersecurity planning and strategy. Once you have the Board’s attention, you need to present a cybersecurity assessment they’ll actually care about. That’s where the NIST CSF fits in.

OK, so let’s dig in. The NIST CSF is structured into four core elements:

  • Five Functions
  • Twenty-two Categories
  • Ninety-eight Subcategories
  • Numerous Informative References

The Functions and Categories are generally a grouping methodology. The Subcategories are described by NIST as “specific outcomes of technical and/or management activities.” It is excellent to know what outcomes an organization should look for from a cybersecurity program. However, if the desired outcome for a Subcategory is not being achieved, what activities should an organization start to perform or enhance to achieve that outcome? This information isn’t spelled out in the NIST CSF document. You need to dig into the Informative References.

The Informative References section includes references to a number of standards, guidelines, and practices, including the Center for Internet Security Critical Security Controls, COBIT, ISO 27001, and NIST SP 800-53. These resources are great tools that organizations can use while determining the cybersecurity controls and activities that will be the most beneficial to the organization’s cybersecurity posture. For example, NIST SP 800-53 contains over 700 cybersecurity controls and control enhancements that can be leveraged to meet the outcomes included in the NIST CSF Subcategories. That alone can be overwhelming—if you go it alone.

In order to assist organizations in building, managing, and measuring their cybersecurity programs with the NIST CSF, we have created the NIST CSF Edition on the Axio360 platform. The Axio360 platform enables organizations to evaluate their cybersecurity programs using the NIST CSF (as well as the Cybersecurity Capability Maturity Model (C2M2)). The NIST CSF Edition of the Axio360 platform contains direct linkage to the NIST SP 800-53 controls that correlate with the NIST CSF Subcategories, which allows users to quickly and easily dive deeper into areas and controls where additional information is required. Users are then able to use the Axio360 platform to create Action Items and Targets that the organization can manage to.

These resources on the Axio360 platform ensure that organizations are driving towards cybersecurity industry best practices and have the means to measure themselves against targets they can set for themselves.

By providing a framework for assessing and communicating the organization’s cybersecurity posture, the NIST CSF accomplishes several very important objectives. However, there is a gap when organizations look for guidance on shoring up their weaknesses. This is where the Axio360 platform comes into play. And we’d love to show you how.


Step 1: Understand your cyber risk exposure as it relates to the business and in financial terms.

Start by asking one question: “If a cyber event happens to us, what might it look like?” Generate some scenarios based on what you do, how you use technology and what the impact of that technology failing might be. Could there be a data breach? Could there be an interruption in systems? Could somebody dupe one of our treasury folks into wiring money to a fraudulent account? Could a hack into our process control technology cause tangible damage and bodily injury? Now take a sampling of scenarios, get various operational and functional folks around a table and use their collective knowledge to estimate the impact of those events. Gaining this knowledge is especially critical if Moody’s independently attempts to estimate your financial exposure to a catastrophic cyber event. They simply won’t be able to achieve the same level of accuracy without knowing how the organization ticks on a daily basis. You have that knowledge and can use it to your advantage.


Step 2: Utilize a maturity-based cyber program management framework, such as the NIST CSF or the C2M2.

Align it with the scenarios that you’ve quantified in step one, and ensure that it is reported to the Board in an understandable way. Why one of these maturity models? Because a maturity-based approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away, but all too often produce a false sense of confidence once the checklist is complete and the compliance framework is met. And why align the methodology with the scenarios? Because that connects the cybersecurity program with the business, a critical link for Boards to effectively understand the cyber program. Further, it is the best way to align the universe of controls and technologies with the areas of greatest risk, providing additional evidence for folks like Moody’s that you are focused on appropriately protecting the long-term health of the organization.


Step 3: Maintain the resources and financial ability to recover from a meaningful event.

At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much or all of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and others. How do you get there? See Step One.


Step 4: Evidence all of the aforementioned components with peer benchmarking and best practices insight.

Because cyber risk is incredibly dynamic, and traditional means of risk management, such as complying with standards or achieving certifications, can only serve as a baseline, benchmarking and best practices insight can be the best way to prove cybersecurity maturity. Is your cyber exposure in line with or more favorable than your peers’? Is your cyber program in line with or more favorable than your peers’? Have you purchased an insurance program that is in line with or more favorable than your peers’?

Put it all together and the Board of Directors can confidently and continuously validate that the organization is meeting its fiduciary responsibility for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from a major event, and we can provide evidence.”


Using NIST CSF to Overcome the 3 Hurdles of Security Maturity Reporting


by Jason Tugman, V.P. Cyber Risk Engineering

December 18, 2018

A key challenge for cybersecurity professionals is communicating their organization’s cybersecurity successes and challenges to senior leadership, each of whom is likely to have varying degrees of technical understanding. However, finding a shared language—one that strikes a balance between ambiguity and complexity—is critical to an organization’s ability to form a unified understanding of its security maturity. Communicating without a shared language can result in frustration or, worse, a misrepresentation or misunderstanding of a critical cybersecurity challenge.

In this blog post I’ll discuss how the NIST Cybersecurity Framework’s (CSF) Framework Core can help you overcome the three hurdles of security maturity reporting. I’ll also demonstrate how the Axio360 Dashboard leverages the Framework Core to generate board-ready information graphics that enable cyber risk and security professionals to clearly communicate the security maturity of an organization.

Hurdle #1: Building a Shared Language

The first hurdle on our way to effective security maturity reporting is finding a shared language that enables unambiguous communication to technical and non-technical executives and board members. Thankfully, the CSF Framework Core[1] offers a solution for framing these nuanced cybersecurity conversations.

According to NIST, “The Framework Core consists of five concurrent and continuous Functions – Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.”[2]

In more detail, these five functions are:

The 5 Functions of the NIST CSF Framework Core

  • Identify: Develop an organizational understanding to manage cybersecurity risk to the systems, people, assets, data, and capabilities.
  • Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
  • Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
  • Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.[3]

As you can see, the CSF Framework Core Functions are commonly understood verbs, and each has a clear call to action associated with it. Thus, the Functions can set the stage for operative-level communications. Security professionals can align the organization’s security maturity roadmaps, metrics, programs, and initiatives with each of the five Functions.

In Hurdle #3 we will discuss how Axio360 natively supports the CSF Functions in both the CSF and C2M2 (DOE Cybersecurity Capability Maturity Model) Dashboards.

Hurdle #2: Facilitating Complex Cybersecurity Conversations

The second hurdle on our way to effective security maturity reporting is distilling complex, often multi-threaded, cybersecurity projects and initiatives.

Having established the CSF Framework Core as our common language, we can begin to communicate the successes and challenges of our cybersecurity programs through their respective Functions. A sampling of topics by CSF Function can be found in the below table.

As you can see, framing a cybersecurity discussion within the context of the CSF Functions provides context and clarity for every member of the board regardless of their technical knowledge.

Hurdle #3: Mapping Cybersecurity Assessment Findings to Cybersecurity Roadmaps

The third, and probably most important, communication hurdle is having the ability to correlate recent cybersecurity assessment findings to security investment requests. No amount of improvement in the communication of the what or how of our cybersecurity program will compensate for our inability to communicate the why: why a security investment is needed; why a project is on the roadmap; why one project requires priority over another.

CSF Functions are natively integrated into the Axio360 dashboard, so no matter if you are performing a CSF or C2M2 assessment, you have the ability to talk about the organization’s security maturity directly through the language of CSF.

Axio360 allows you to communicate workstreams, target profiles, mitigation projects, and security investments using the CSF Functions.

Bringing it all together: Connecting Security Maturity Reporting/Metrics and Cybersecurity Initiatives

Framing a conversation through the CSF Functions allows for easy correlations to be drawn, and understood, between the Functions. For example, it allows you to say, “We lack a capability to Identify all of our assets (ID.AM). While we have robust applications and processes in place to Protect Access (PR.AC), those protections are only effective for our known assets. We are seeking a security investment to improve our ability to Identify organizational assets. Doing so will allow us to ensure that all assets are not only inventoried, but also have the appropriate controls in place to Protect access to them.”
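To make both the Core’s structure (Functions, Categories, Subcategories, Informative References, as described in the first post above) and this kind of profile-gap statement concrete, here is an added Python example. It is not Axio360’s code and not the CSF’s own data: it models a handful of Subcategories, rolls a current profile against a target profile up to Category and Function level, and lists the informative references a program owner would consult to close each gap. The Subcategory IDs are real CSF 1.1 identifiers; the outcome wording, the 0–4 implementation scale, and the SP 800-53 control mappings are assumptions constructed for illustration and should be checked against the CSF’s Informative References table.

```python
"""
Added example: a minimal model of the NIST CSF Core hierarchy
(Function -> Category -> Subcategory -> Informative References) with a
current-profile vs target-profile gap roll-up by Category and Function.
Not Axio360 code. Outcome text, the 0-4 score scale and the SP 800-53
references are illustrative assumptions; check them against the CSF tables.
"""
from collections import defaultdict
from dataclasses import dataclass

# Function identifiers used as Subcategory ID prefixes in the CSF Core.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
FUNCTION_ORDER = ("ID", "PR", "DE", "RS", "RC")


@dataclass(frozen=True)
class Subcategory:
    sub_id: str        # e.g. "ID.AM-1"
    outcome: str       # desired outcome, paraphrased
    references: tuple  # informative references (assumed mapping)

    @property
    def function(self) -> str:
        return FUNCTIONS[self.sub_id[:2]]

    @property
    def category(self) -> str:  # "ID.AM-1" -> "ID.AM"
        return self.sub_id.split("-", 1)[0]


# Constructed subset of the Core; control references are illustrative only.
CORE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried", ("CM-8", "PM-5")),
    Subcategory("ID.AM-2", "Software platforms and applications are inventoried", ("CM-8", "PM-5")),
    Subcategory("PR.AC-1", "Identities and credentials are managed", ("AC-2", "IA-2")),
    Subcategory("PR.AC-4", "Access permissions follow least privilege", ("AC-3", "AC-6")),
    Subcategory("DE.CM-1", "The network is monitored for cybersecurity events", ("SI-4",)),
]

# Assumed 0-4 implementation scale per Subcategory (not the CSF's own Tiers).
CURRENT = {"ID.AM-1": 1, "ID.AM-2": 0, "PR.AC-1": 4, "PR.AC-4": 3, "DE.CM-1": 2}
TARGET = {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 4, "PR.AC-4": 3, "DE.CM-1": 3}


def gaps(core, current, target):
    """Subcategories scored below target, with the references to consult."""
    out = []
    for sub in core:
        cur, tgt = current.get(sub.sub_id, 0), target.get(sub.sub_id, 0)
        if cur < tgt:
            out.append({"sub_id": sub.sub_id, "category": sub.category,
                        "function": sub.function, "current": cur,
                        "target": tgt, "references": sub.references})
    return out


def rollup(core, current, target, level):
    """(met, total) outcomes at or above target, keyed by 'function' or 'category'."""
    total, met = defaultdict(int), defaultdict(int)
    for sub in core:
        key = getattr(sub, level)
        total[key] += 1
        if current.get(sub.sub_id, 0) >= target.get(sub.sub_id, 0):
            met[key] += 1
    return {k: (met[k], total[k]) for k in total}


def board_lines(core, current, target):
    """One plain-language line per assessed Function, in CSF order."""
    by_func = rollup(core, current, target, "function")
    gap_cats = defaultdict(set)
    for g in gaps(core, current, target):
        gap_cats[g["function"]].add(g["category"])
    lines = []
    for fid in FUNCTION_ORDER:
        name = FUNCTIONS[fid]
        if name not in by_func:
            continue  # Function not covered by this sample assessment
        met, total = by_func[name]
        cats = ", ".join(sorted(gap_cats[name])) or "none"
        lines.append(f"{name}: {met} of {total} outcomes at target; gaps in {cats}")
    return lines


if __name__ == "__main__":
    for line in board_lines(CORE, CURRENT, TARGET):
        print(line)
    for g in gaps(CORE, CURRENT, TARGET):
        print(f"  {g['sub_id']}: {g['current']} -> {g['target']}, see {', '.join(g['references'])}")
```

The `board_lines` output is the machine form of the statement quoted above: Identify shows a gap in ID.AM while Protect shows none, and the per-Subcategory gap list points straight at the informative references, which is the step the CSF document itself leaves to the reader.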

Even better: The Axio360 platform does the work for you—correlating your organization’s security maturity roadmaps, metrics, programs, and initiatives, with each of the five Functions. This has the power to transform how you communicate to senior leadership. Using Axio360’s native integration with the CSF Functions, you now communicate a unified understanding of your organization’s cybersecurity posture.



[1] (NIST, 2018, pp. 6-8)
[2] (NIST, 2018, p. 3)
[3] (NIST, 2018, pp. 9-8)

Works Cited

NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity Ver.1.1. National Institute of Standards and Technology.




Copyright 2018 Axio Global, Inc.
