NIST Cybersecurity Framework: Structure, Tiers, and What’s New in 2.0

Hadas Spektor
Hadas Spektor

8  min read | min read | 21/02/2024

What Is the NIST Cybersecurity Framework? 

The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce, which defines standards for the benefit of U.S. public and private sector organizations. The NIST Cybersecurity Framework, first released in 2014, was developed as voluntary guidance provided by the U.S. government, intended to provide a universal standard for cybersecurity. 

The NIST Cybersecurity Framework is a comprehensive and flexible tool that organizations of all sizes and from all sectors can use to create, guide, or improve their cybersecurity programs. It suggests a set of best practices that can be tailored to meet an organization’s specific needs and risks.

The NIST Cybersecurity Framework comprises five core functions: Identify, Protect, Detect, Respond, Recover, and Govern—a recent addition in the new NIST Cybersecurity Framework 2.0. These functions provide a high-level view of an organization’s management of cybersecurity risk. Each function is divided into categories and subcategories, which detail specific outcomes of technical and/or management activities. By implementing this framework, organizations can better understand their cybersecurity position, communicate it more effectively, and address security weaknesses.

You can access the NIST Cybersecurity Framework and related resources here.


Which Types of Organizations Can Use the NIST Cybersecurity Framework? 

The NIST Cybersecurity Framework can be applied to a wide range of organizations, regardless of their size or the nature of their business. From small businesses to multinational corporations and government agencies, the NIST Cybersecurity Framework can provide useful guidance for managing cyber risk.

By design, the NIST framework is not limited to organizations that deal with sensitive data, such as healthcare providers or financial institutions. Any organization that uses technology in its operations can benefit from implementing the NIST Cybersecurity Framework. For example, retail businesses can use it to protect customer data, while universities can use it to secure student-facing applications and research data.

The framework is also beneficial for organizations that don’t have a mature cybersecurity program. It provides a clear roadmap for these organizations to develop their cybersecurity capabilities. On the other hand, organizations with established cybersecurity programs can use the framework to identify gaps in their current measures and enhance their security posture.

Note: In 2017, Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”, made the NIST Cybersecurity Framework mandatory for U.S. federal government agencies, several state and foreign governments, and insurance organizations.


Benefits of Using the NIST Cybersecurity Framework 

Improved Risk Management

By adopting this framework, organizations can identify potential threats and vulnerabilities in their systems and implement measures to mitigate these risks.

The NIST Cybersecurity Framework encourages organizations to adopt a proactive approach to risk management. This includes regularly assessing their cybersecurity posture, identifying weaknesses, and taking steps to address them before they can be exploited. This approach reduces the likelihood of a successful cyber attack and minimizes potential damage.

The framework provides a common language to discuss and understand cybersecurity risks. This enables better communication among different stakeholders, leading to more effective risk management.

Compliance and Regulatory Alignment

The framework helps organizations align with various compliance and regulatory requirements. It is designed to complement, not replace, an organization’s existing cybersecurity and risk management processes.

The guidelines set out by the NIST Cybersecurity Framework align with many industry standards and government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). Therefore, by implementing this framework, organizations can ensure they meet their regulatory obligations.

Also, the framework can serve as a useful tool for demonstrating compliance to auditors, regulators, and other stakeholders. It provides a structured and standardized way to document cybersecurity practices, making it easier for organizations to prove they are taking appropriate steps to manage cyber risks.

Increased Cyber Resilience

Cyber resilience refers to an organization’s ability to continue operating despite a cyber attack or other adverse events. The NIST Cybersecurity Framework promotes resilience by guiding organizations through a continuous cycle of understanding, managing, and reducing cybersecurity risks. 

This approach ensures that organizations are not only prepared for cyber threats but also equipped to respond and recover quickly when incidents occur. By enhancing cyber resilience, organizations can maintain their operations, protect their reputation, and minimize financial losses in the event of a cyber attack.

Community and Industry Collaboration

The framework was developed through a collaborative process involving industry, academia, and government stakeholders. This collaborative approach continues to be a focus of the framework’s ongoing evolution and refinement.

By adopting the NIST Cybersecurity Framework, organizations join a community of practice committed to strengthening cybersecurity. They can share experiences, learn from each other, and contribute to the continuous improvement of the framework.


NIST Cybersecurity Framework Structure 

The NIST Cybersecurity Framework is a tiered, risk-based approach towards managing cybersecurity risk. Let’s explore each function in detail.


This function helps organizations understand their business context, the resources that support their critical functions, and the associated cybersecurity risks. It’s about gaining an in-depth understanding of the systems, assets, data, and capabilities that are essential for the organization to operate effectively.

The Identify function is further divided into several categories, including Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy. Each of these categories plays a critical role in understanding the overall cybersecurity posture of an organization. An effective identification process helps in prioritizing efforts, aligning them with the organization’s risk management strategy and business needs.


This function focuses on developing and implementing safeguards to ensure delivery of critical services. The goal is to limit or contain the impact of a potential cybersecurity event. It’s about protecting your systems and data from cybersecurity threats.

The Protect function includes categories such as Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology. By implementing effective protective measures, an organization can provide assurance that its systems and data are adequately secured against potential cybersecurity threats.


This function is about implementing appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. The faster an organization can detect a cybersecurity event, the quicker it can respond, potentially minimizing the damage caused.

The Detect function is divided into categories including Anomalies and Events, Security Continuous Monitoring, and Detection Processes. Each of these categories aids in the timely discovery of cybersecurity events, enabling a swift and effective response.


This function involves developing and implementing appropriate activities to take action regarding a detected cybersecurity event. The goal is to contain the impact of the event and maintain or restore operations.

The categories under the Respond function include Response Planning, Communications, Analysis, Mitigation, and Improvements. These categories help an organization to effectively manage a cybersecurity event, reducing its potential impact and enabling a swift recovery.


This function is about developing and implementing appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The goal is to get back to normal operations as quickly as possible after a cybersecurity event.

The categories under the Recover function include Recovery Planning, Improvements, and Communications. These categories aid in the swift restoration of services, ensuring minimal disruption to business operations and reducing the overall impact of the cybersecurity event.


What’s New in the NIST Cybersecurity Framework 2.0? 

The NIST Cybersecurity Framework 2.0 introduces significant updates to enhance its effectiveness and relevance in the evolving cybersecurity landscape. 

The new version adds a Govern function, underscoring the importance of governance in cybersecurity. This function focuses on organizational context, risk management strategies, roles, and policies, particularly emphasizing cybersecurity supply chain risk management.

Additionally, there’s an increased emphasis on managing cybersecurity risks in supply chains. This addresses the complexities and risks of globally interconnected supply chain ecosystems, reflecting the growing significance of supply chain security.

The framework also updates guidelines to reflect emerging technologies like the Internet of Things (IoT), Artificial Intelligence (AI), and cloud computing. These updates address the unique threats posed by these technologies, such as IoT device vulnerabilities and AI-driven cyber-attacks. Additionally, the framework considers evolving threat tactics, including sophisticated phishing and ransomware campaigns, ensuring its continued relevance in safeguarding against modern cybersecurity challenges.


NIST Framework Implementation Tiers 

The NIST framework’s implementation tiers represent a progression from informal, reactive responses to agile and risk-informed cybersecurity practices.

Tier 1: Partial

This tier represents the entry-level stage of an organization’s cybersecurity maturity. At this level, an organization’s cybersecurity practices are predominantly unorganized and reactive. The organization may lack a clear picture of its cybersecurity landscape, with risk management practices often inconsistent and sporadic.

Cybersecurity processes may not be formalized, and communication about cybersecurity issues may be limited and inconsistent. While organizations at this tier recognize the importance of cybersecurity, they lack the processes and protocols to effectively manage cybersecurity risks. The goal for organizations at this level would be to progress to the next tier, where cybersecurity practices become more structured and consistent.

Tier 2: Risk-Informed

At this tier, organizations have a more developed understanding of their cybersecurity risks but lack an organization-wide approach to managing those risks. Cybersecurity practices may be approved by management but may not be implemented consistently across the organization.

Risk management practices at this level are guided by an awareness of the potential impact of cyber threats. However, the organization’s overall approach to risk management may not be coherent, with different departments or units operating with varying degrees of cybersecurity awareness and practice. Progressing from this tier involves the organization developing a more consistent and organization-wide approach to managing cybersecurity risks.

Tier 3: Repeatable

This tier represents an organization that has a formalized and consistent approach to managing cybersecurity risk. At this level, the organization’s risk management practices are formally approved and expressed as policy. There is an organization-wide understanding of cybersecurity risks, and these risks are managed in line with the organization’s risk appetite and tolerance.

Organizations at the Repeatable level have a clear view of their cybersecurity landscape and are well-equipped to manage and respond to cyber threats. Their cybersecurity practices are regularly reviewed and updated based on changes in business requirements or the threat landscape. Progressing from this tier involves the organization integrating cybersecurity practices with its overall risk management process and becoming more proactive in identifying and managing cyber threats.

Tier 4: Adaptive

This tier represents an organization that has fully integrated cybersecurity into its overall risk management process. At this level, the organization responds to changing cybersecurity threats and risks in real-time, continually adapting its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities.

Organizations at the Adaptive tier are at the cutting edge of cybersecurity practices. They have a holistic understanding of their cybersecurity landscape and are proactive in managing their cybersecurity risks. Their cybersecurity practices are not only consistent and formalized but also continuously reviewed and updated to stay ahead of the evolving cybersecurity threat landscape.


How Sternum Can Close NIST Security Gaps

Sternum is an IoT security and observability platform, which lets you meet and exceed the security requirements of standards and regulations such as UL 2900, TIR 57, and the FDA Cybersecurity Guidance.

Embedded in the device itself, Sternum provides deterministic security with runtime protection against known and unknown threats; complete observability that provides data about individual devices and the entire device fleet; and anomaly detection powered by AI to provide real-time operational intelligence.

Sternum operates at the bytecode level, making it universally compatible with any IoT device or operating system including RTOS, Linux, OpenWrt, Zephyr, Micirum, and FreeRTOS. It has low overhead of only 1-3%, even on legacy devices. 

Here is how Sternum can help you improve IoT security to meet regulatory requirements:

  • Agentless security – integrates directly into firmware, making it a part of the core build. This ensures that the solution cannot be externally compromised and leveraged as a point of failure.
  • Automatic mitigation of known and zero-day threats – prevents 96.5% attacks in benchmark (RIPE) security tests. Its vulnerability-agnostic approach makes it equally effective in dealing with known and zero-day threats. This not only improves security but can also cut security patch management costs by as much as 60%.
  • Supply chain protection – relies on binary instrumentation, making it able to protect all running code. This extends to 3rd party and operating system libraries, effectively preventing all supply chain exploit attempts. 
  • Protection of isolated devices – does not rely on external communication to secure devices, making it equally effective for connected and isolated devices.
  • Live attack information with zero false positives – real-time alert system notifies about all blocked attacks, providing – for each – detailed logs and attack path analysis. The deterministic nature of EIV’s integrity checks ensures that all alerts are always valid.
  • Streamlined compliance – helps meet the latest cyber regulations for IoT devices (IEC 62443, FDA, NIST, etc) and the most current FBI recommendations for Internet of Medical Things (IoMT) endpoint protection.

Learn more about Sternum for IoT security

Article image source: NIST


Enter data to download case study

By submitting this form, you agree to our Privacy Policy.