NIST Cybersecurity Framework (CSF)

While the NIST Cybersecurity Framework (CSF) does not introduce new standards or concepts, it leverages and integrates industry-leading cybersecurity practices that were developed by organizations, including NIST and the International Organization for Standardization (ISO). Why not put these best practices to work in securing your cloud?

Don’t lag on the NIST CSF. We’ve found that applying the NIST CSF is a way for organizations to accomplish a large portion of their control needs in a unified way consistent with many industry and global standards and regulations. Trust Us to Get You There.

38North logo

Shake Up Your Approach to Compliance with 38North

Instead of chasing one or two standards, we recommend looking for the broadest approach to applying the least-burdensome controls framework. NIST CSF is one way to complement your existing risk management process and beef up your program. Even better, our NIST CSF security compliance and advisory services can take the burden off your technical teams (they have better things to do) and build a compliance program that takes care of NIST CSF.

What is the NIST CSF?

There are three components to the NIST CSF, each of which steps through identifying which activities and functions need to be implemented based on your maturity and profile.

The framework core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, organized into five functions.



cybersecurity risks to systems, assets, data and capabilities.


critical infrastructure services with appropriate safeguards.


the occurrence of a cybersecurity event through continuous monitoring.


appropriately to a detected cybersecurity event through incident response process.


from a cybersecurity event and repair and regain performance with minimal impact.

Know Your Tier and Profile

NIST CSF is largely about tailoring risk to your business risk profile. For this, you’ll need an unbiased assessment of your program — to know where you’re starting from — and a plan to implement changes. This can be done by finding your place in the framework’s implementation tiers and building a profile.

Framework Implementation Tiers

Knowing which NIST CSF tier your program needs to follow depends on your risk level and security posture. Our team can help you make sense of the increasing complexity as you step through the tiers.

  • Tier 1 (Partial): Your organization’s cyber risk management profiles aren’t formalized and are ad hoc. There is limited awareness of your organization’s cybersecurity risk at the enterprise level, and a cybersecurity risk management approach hasn’t been established.
  • Tier 2 (Risk Informed): Your organization has a cyber risk management policy approved by senior management, though not enterprise-wide. Senior management is taking steps to create objectives, understand threats, and implement procedures with adequate resources.
  • Tier 3 (Repeatable): Your organization has formal cybersecurity procedures, regularly updated with changes in risk management, business requirements, threats, and technology. Cyber personnel are well-trained and can perform their duties. Your organization also collaborates with business partners to make risk-based decisions.
  • Tier 4 (Adaptive): Your organization adapts its cybersecurity practices in real-time based on lessons learned and predictive indicators derived from current and past cybersecurity activities.

With continuous improvement, real-time collaboration, and continuous monitoring, your organization’s cybersecurity practices can rapidly respond to increasingly-sophisticated threats.

Framework Profile

The NIST CSF framework profile is a tool to describe your cybersecurity program. Profiles enable your organization to align their practices with business needs, risk tolerance, and resources.

Using the core and implementation tiers, you can create a current profile of the “as-is” state and a target profile of the “to-be” state. Comparing them can help identify gaps to enhance cybersecurity, and prioritize improvements to reach those goals.

38North NIST CSF Framework Services

You don’t have to tackle NIST CSF alone. We can help you make sense of the CSF and make a plan to improve your maturity over time. No matter where you are in your NIST CSF process, we have a program and proven path to help you get there with minimal headaches.

Get Ahead of the Pack with 38North

Book a conversation with one of our global security experts today and we’ll help you get ahead of the pack and become an early adopter of the NIST Cybersecurity Framework.

Contact Us

(Please do not provide additional PII in this box)
This field is for validation purposes and should be left unchanged.