
NIST Cybersecurity Framework: What It Means for Backup and Recovery

The NIST Cybersecurity Framework is a set of voluntary, risk-based guidelines to help organizations establish and manage their cybersecurity risk. Developed by the National Institute of Standards and Technology (NIST), the Cybersecurity Framework (CSF) has been widely adopted across sectors for structuring security programs, including HIPAA-aligned healthcare programs and those involving financial services regulations.

Backup and recovery teams should take special note, since ransomware and other targeted attacks are among the leading causes of extended service outages and revenue loss. Below is an overview of the core components of the NIST CSF, its functions, and examples of practical applications for backup and recovery teams to integrate into their workflows. Because the framework is technology-neutral, the practices it prescribes scale with the organization and can be reproduced across teams and environments.

Why the NIST Cybersecurity Framework Matters

In developing the security framework, NIST aimed to create a common language for companies of all sizes and across industries to use when talking about cybersecurity. Risk management needs to be accessible to executive stakeholders just as readily as tech teams, so this common language works to increase alignment and encourage adoption across an organization.

Its adaptability and scalability have helped lead to the CSF’s widespread adoption. From early-stage Software as a Service (SaaS) startups to global enterprises, and across on-prem, hybrid, and multicloud infrastructures, the CSF applies to organizations of every size and shape. While the CSF is voluntary, its appeal across sectors has led to its adoption in highly regulated industries like energy and finance, and it is referenced in U.S. federal cybersecurity guidance.

The most recent version of the framework, NIST CSF 2.0, was released in 2024. This version added the “Govern” function, which expanded supply chain and risk governance guidance. This expanded coverage helps organizations working to increase their cyber resilience by supporting ransomware recovery strategies and strengthening overall data resilience across distributed networks.

Three Components of the NIST Security Framework

The NIST cyber framework is organized into three components: Core, Profiles, and Tiers. Each component defines different aspects of the foundations of a solid cybersecurity program. Core covers activities, profiles handle specific business needs, and tiers measure program maturity. The combination of these components is what provides your organization with the complete framework you need to maintain data integrity in the face of a cyber incident.

The Framework Core

The CSF Core is a set of cybersecurity activities and best practices organized into functions, categories, and subcategories. The six functions (Govern, Identify, Protect, Detect, Respond, and Recover) break down into categories and subcategories such as asset management and access control.

The core is designed to help organizations connect their cybersecurity investments with risk reduction efforts and prioritize systems critical to revenue. Aligning business outcomes with risk management increases cross-departmental buy-in from executive stakeholders and makes it clear to everyone that data security best practices are being followed.

Organizational Profiles

Profiles are customizations to the framework based on specific business needs and risk tolerance. For example, a healthcare organization will want to ensure patient data is protected, while a SaaS startup’s main priority may be service uptime. Profiles are designed to help teams prioritize investments of time and resources.

Implementation Tiers

Tiers are used to measure the maturity of your cybersecurity practices. These tiers measure process rigor, not just technical controls. Tiers are intended to help teams evaluate risk posture and lay out roadmaps for improvement. The current CSF defines four tiers: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), and Tier 4 (Adaptive).

The Six Core Functions of the NIST Cybersecurity Framework

By establishing six functions as the backbone of the cybersecurity framework, NIST emphasizes a lifecycle approach from governance to recovery, giving organizations a structured risk management tool. The first function, Govern, which is new as of the release of CSF 2.0 in 2024, formalizes policies and oversight, aligning cybersecurity with overall enterprise risk management.

Govern was added to establish an overarching function that encompasses the establishment and ongoing maintenance of an organization’s cybersecurity risk management strategy, expectations, and policies. Examples of tasks here include assigning a Chief Information Security Officer (CISO) and creating an incident response plan with assigned ownership roles.

Identify incorporates an understanding of the organization’s cybersecurity risks with its inventory of assets, suppliers, and associated external risk factors. The goal is to enable teams to prioritize their efforts within broader risk management strategies and business contexts. Examples include flagging mission-critical databases and inventorying data and systems for backup prioritization.

The Protect function includes actions taken to secure the assets identified in the previous function. Outcomes here include identity and access management (IAM) and encryption for backups at rest and in transit. Specific examples include immutable backups, air-gapped storage environments, role-based access controls, and other data security solutions.

Detect calls for continuous monitoring and anomaly detection. Ransomware operators commonly tamper with backup systems before encrypting production data, so being able to identify and stop such activity before it progresses is critical for cyber resilience. Specific examples include monitoring for unusual access patterns, automating alerts for abnormal changes to backup jobs or retention settings, and detecting intrusions.

The Respond function defines how an organization acts in the moment once an attack is identified. It covers cyber incident response planning and communication, including a response playbook and stakeholder notification processes. For example, isolating a compromised backup by disconnecting the infected system and quarantining affected clusters can protect other systems and processes from incurring downtime.

The final function, Recover, includes the restoration of services and data impacted by a breach or attack and the return to normal operations. This function is part of a robust cyber resilience plan and may entail restoring systems from an immutable backup, using pre-attack snapshots to restore operations, and validating data integrity post-recovery.
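The Detect and Recover examples above can be made concrete in code. The following is an added example, not code from the original article or from any backup product: the first function scans a backup-job history for the changes an attacker typically makes before encrypting production (shrinking backup sets, cutting retention, failed or skipped jobs), and the second compares files restored from a pre-attack snapshot against the hash manifest recorded at backup time. The record field names (job_id, finished, bytes_written, retention_days, status), the thresholds, and the sample records are all constructed for this example.

```python
"""Added example (not from the original article): a Detect check over
backup-job history and a Recover-time integrity check against a manifest.
Field names, thresholds and all sample data are constructed assumptions."""
import hashlib
import statistics
from datetime import datetime


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_backup_anomalies(history, size_drop_ratio=0.5, min_baseline=3,
                            expected_interval_hours=24):
    """Return (job_id, reason) findings, in job order.

    Per job: non-ok status; a gap since the previous job above 1.5x the
    expected interval; retention shortened versus the previous job; and
    bytes_written below size_drop_ratio of the median of earlier successful
    jobs (only once at least min_baseline successful jobs exist)."""
    findings = []
    for i, job in enumerate(history):
        prev = history[:i]
        ok_sizes = [p["bytes_written"] for p in prev if p["status"] == "ok"]
        if job["status"] != "ok":
            findings.append((job["job_id"], f"job status {job['status']}"))
        if prev:
            gap_h = (_parse(job["finished"]) - _parse(prev[-1]["finished"])).total_seconds() / 3600
            if gap_h > 1.5 * expected_interval_hours:
                findings.append((job["job_id"], f"{gap_h:.0f}h since previous job, expected {expected_interval_hours}h"))
            if job["retention_days"] < prev[-1]["retention_days"]:
                findings.append((job["job_id"], f"retention cut from {prev[-1]['retention_days']} to {job['retention_days']} days"))
        if job["status"] == "ok" and len(ok_sizes) >= min_baseline:
            baseline = statistics.median(ok_sizes)
            if job["bytes_written"] < size_drop_ratio * baseline:
                findings.append((job["job_id"], f"bytes_written {job['bytes_written']} below {size_drop_ratio:.0%} of baseline {baseline:.0f}"))
    return findings


def build_manifest(files):
    """files: {path: bytes}. Returns {path: sha256 hex}; record this at backup time."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def verify_restore(manifest, restored):
    """Compare restored files against the pre-attack manifest."""
    got = build_manifest(restored)
    return {
        "modified": sorted(p for p in manifest if p in got and got[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in got),
        "unexpected": sorted(p for p in got if p not in manifest),
    }


def restore_is_clean(result):
    return not any(result.values())


# Constructed nightly job history for one dataset (assumed field names).
JOB_HISTORY = [
    {"job_id": "j-001", "finished": "2024-05-01T02:10:00", "bytes_written": 512_000_000, "retention_days": 30, "status": "ok"},
    {"job_id": "j-002", "finished": "2024-05-02T02:10:00", "bytes_written": 520_000_000, "retention_days": 30, "status": "ok"},
    {"job_id": "j-003", "finished": "2024-05-03T02:10:00", "bytes_written": 515_000_000, "retention_days": 30, "status": "ok"},
    {"job_id": "j-004", "finished": "2024-05-04T02:10:00", "bytes_written": 530_000_000, "retention_days": 30, "status": "ok"},
    {"job_id": "j-005", "finished": "2024-05-05T02:10:00", "bytes_written": 0, "retention_days": 30, "status": "failed"},
    {"job_id": "j-006", "finished": "2024-05-06T02:10:00", "bytes_written": 525_000_000, "retention_days": 30, "status": "ok"},
    # May 7 run never happened: a 48h gap.
    {"job_id": "j-007", "finished": "2024-05-08T02:10:00", "bytes_written": 540_000_000, "retention_days": 30, "status": "ok"},
    # Backup set shrinks ~99% and retention is cut to 1 day: tampering pattern.
    {"job_id": "j-008", "finished": "2024-05-09T02:10:00", "bytes_written": 4_000_000, "retention_days": 1, "status": "ok"},
]

# Constructed file sets: what was backed up, and what came back from a restore.
PRE_ATTACK_FILES = {
    "db/customers.sql": b"CREATE TABLE customers (id INT, email TEXT);\n",
    "app/config.yml": b"db_host: db.internal\nbackup_retention_days: 30\n",
    "app/secrets.enc": b"\x00\x01\x02\x03",
}
RESTORED_FILES = {
    "db/customers.sql": b"CREATE TABLE customers (id INT, email TEXT);\n",
    "app/config.yml": b"db_host: db.internal\nbackup_retention_days: 1\n",  # tampered
    "README_RECOVER.txt": b"your files are encrypted",  # not in manifest
    # app/secrets.enc is missing from the restore
}

if __name__ == "__main__":
    for job_id, reason in detect_backup_anomalies(JOB_HISTORY):
        print(f"ALERT {job_id}: {reason}")
    result = verify_restore(build_manifest(PRE_ATTACK_FILES), RESTORED_FILES)
    print("restore clean" if restore_is_clean(result) else f"restore NOT clean: {result}")
```

The baseline uses the median of earlier successful jobs rather than the mean so a single failed or tiny run does not drag the baseline down and mask the next anomaly; the manifest must be stored somewhere the attacker cannot rewrite (the immutable or air-gapped copy described under Protect), or a tampered restore will verify against a tampered manifest.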

Mapping Backup Operations to NIST Core Functions

Backup and recovery operations can be mapped directly to each of the NIST Core Functions:

  • Govern: Governance documentation dictates team actions and responsibilities
  • Identify: Teams classify data stores
  • Protect: Processes in place to encrypt backups at rest and in motion
  • Detect: Platforms monitor anomalies and backup patterns
  • Respond: Teams isolate compromised systems and quarantine affected backup sets
  • Recover: Systems are restored to pre-attack operational status

Using Implementation Tiers to Assess Recovery Readiness

Tiers are a practical assessment tool for teams to use in evaluating the maturity of their backup and recovery operations, and for benchmarking that maturity over time as progress is made and tracked.

For example, if your organization’s backups are still initiated manually and on an ad hoc basis, with no documented policy, operations are characteristic of Tier 1 (Partial). At the other end, Tier 4 (Adaptive) means recovery workflows are automated, restores are tested regularly, and the process is improved from lessons learned after each incident or exercise. Knowing where you stand promotes business continuity by reducing downtime in the event of a cyber incident.
