
National Institute of Standards and Technology (NIST) frameworks are a set of voluntary controls and balances to help operators of critical infrastructure organizations – like banks, hospitals, and utilities – manage cybersecurity risk. NIST itself is a federal agency within the US Chamber of Commerce that spans manufacturing, quality control, and information security, among other industries.

The agency works with security industry experts, other government agencies, and academics to establish the frameworks, which are now leveraged by many organizations to manage and reduce risks that could impact their environment and their customers.

When information security staff refer to the NIST frameworks, they're likely referring to three specific NIST documents on cybersecurity best practices:

  • NIST Cybersecurity Framework: This framework focuses on industries vital to national and economic security, including energy, banking, communications, and the defense industrial base.
  • NIST 800-53: This framework is primarily relevant to federal agencies as they work to become and stay compliant with the Federal Information Security Management Act (FISMA), and is best known for providing a deep dive into each of the act's high-level requirements.
  • NIST 800-171: This framework is directly related to 800-53, and provides guidance on security practices and controls that federal agencies must implement. It typically focuses on a narrow subset of organizations that handle Controlled Unclassified Information (CUI).

Two of these three documents specify required controls for either US federal agencies or any organizations which work with US federal government data. However, all three documents contain best practices helpful for any cybersecurity organization to use as a baseline in its security operations.


NIST provides industry-agnostic guidance to help organizations achieve ideal security-related levels of competence and compliance. The depth and breadth of advice within the NIST framework documents are a great resource for federal agencies or organizations working with the US federal government.


The NIST Cybersecurity Framework is in place to help organizations determine what processes and controls are most relevant to their unique challenges, and how best to implement and test the efficacy of the security measures they put in place. The framework breaks its key points into six components:

  • Identify: This component is primarily about determining what needs to be protected. Understand what is being managed and how it is managed, as well as what needs to be added to the list of managed functions.
  • Protect: This component stipulates what capabilities and technology will be leveraged in protecting the identified functionalities or minimizing the impact resulting from a breach or other incident.
  • Detect: This component centers on detection capabilities within the security organization and their relative strength in picking up anomalous signatures that could indicate a threat.
  • Respond: This component ensures an organization has in place the capability to prioritize a threat or incident and aptly respond so that potential fallout and disruption to operations is minimized.
  • Recover: This component draws out a security operations center's (SOC) ability to recover from an incident in a timely manner. Reporting is a key sub-component here, so that learnings can be implemented and playbooks for similar attack paths can be followed in the future.
  • Govern: The newest component of the NIST framework, the govern component asks – according to NIST – "how an organization ensures responsible governance and how a governance system reviews and achieves accountability," here speaking directly to the area of cybersecurity and the systems in place to ensure a SOC is operating at optimal posture.


There are certain prescribed steps a SOC must take to align to the particulars of the NIST Cybersecurity Framework, but every organization has its own unique challenges. Let's review some high-level steps for getting started.


There are a total of four "tiers" that an organization can research at length and use to assess its security posture and determine how to move forward. According to the NIST Cybersecurity Framework Quick Start Guide for Using the CSF Tiers, using them "can help provide context on how an organization views cybersecurity risks and the processes in place to manage those risks. The Tiers can also be valuable when reviewing processes and practices to determine needed improvements and monitor progress made through those improvements." The tiers are:

  • Partial: Businesses aligning with this tier have very little knowledge of cybersecurity practices and wouldn't know how to respond in the case of a security event.
  • Risk Informed: Businesses aligning with this tier have an idea of the major categories of security events, but do not possess a security operations center from which to create or strategize cybersecurity best practices.
  • Repeatable: Businesses aligning with this tier are beginning to implement some cybersecurity best practices and are striving to create repeatable processes that a team can leverage in detection and response protocols.
  • Adaptive: Businesses aligning with this tier have incorporated advanced security concepts into their daily operations and are able to adapt to most security events as well as enact proactive capabilities to seek out the next threat and extinguish it.

These tiers help define how agile an organization's response to risk is at the current moment and would – in theory – provide a roadmap of sorts to help a security organization achieve a strong level of cybersecurity risk management. The guide goes on to state: "When selecting Tiers, consider the following aspects of the organization:

  • Current risk management practices
  • Threat environment
  • Legal and regulatory requirements
  • Information sharing practices
  • Business and mission objectives
  • Supply chain requirements
  • Organizational constraints, including resources"


