NIST Cybersecurity Framework v1.1 (CSF)

    Standards and Frameworks

    NIST Cybersecurity Framework v1.1 (CSF)

    The NIST Cybersecurity Framework version 1.1 (NIST CSF v1.1) provides a voluntary, prioritized, flexible and cost-effective approach to protecting critical infrastructure and other sectors against cybersecurity risks. The NIST CSF can be used by any organization regardless of its size, sector, and type.

    Last Updated: July 30, 2019

  • General

    NIST CSF was born in the recognition that national and economic security of the United States depends on the reliable function of critical infrastructure. President Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity (February 2013) directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. Cybersecurity Enhancement Act of 2014 reinforced NIST’s EO 13636 role to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for cybersecurity risk management.

    Under NIST CSF, organizations are provided with an approach to prioritize cybersecurity resources, identify, manage, and assess cybersecurity risks, and take action to reduce risk. The Framework also enhances cybersecurity communication within an organization and with other organizations (such as partners, suppliers, regulators, and auditors).

    NIST CSF consists of 3 components:

    1. The Core: provides an easy-to-understand set of desired cybersecurity outcomes. 
      • Framework Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes.
    2. Profiles: portrays organizations’ unique requirements, objectives, risk appetite, and resources. 
      • Framework Profiles portrays an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.
    3. Implementation Tiers: indicates how an organization manages cybersecurity risks. 
      • The Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.

    The Framework Core and Informative Requirements are available as separate downloads in three formats: spreadsheet (Excel) , alternate view (PDF) , and database (FileMaker Pro). NIST also provides a companion Roadmap discusses future steps and identifies key areas of cybersecurity development, alignment, and collaboration.

    The Department of Homeland Security’s Critical Infrastructure Cyber Community C³ Voluntary Program provide critical infrastructure owners and operators with further guidance in using CSF and managing their cyber risks.

    Any observations, suggestions, examples of use, and lessons learned can be communicated to NIST by emailing [email protected].

    Updates in CSF v1.1

    As an updated version, CSF v1.1 is fully compatible with CSF v1.0, and remains the flexible, voluntary, and cost-effective nature. CSF v1.1 clarifies the applicability for “technology”, which is minimally composed of Information Technology, operational technology, cyber-physical systems, and Internet of Things. It also clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. In addition, the updated Framework provides an enhanced guidance for applying CSF to supply chain risk management, and summarizes the relevance and utility of CSF measurement for organizational self-assessment. The updates also provide better accounts for authorization, authentication, and identity proofing.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.