Security Standard

NIST CSF

NIST Cybersecurity Framework

United States / Global
Effective: February 12, 2014
Updated: February 26, 2024

Overview

The NIST Cybersecurity Framework provides a policy framework of computer security guidance for organizations to assess and improve their ability to prevent, detect, and respond to cyber attacks. CSF 2.0 adds a new Govern function and emphasizes supply chain risk management. While voluntary, it has become a de facto standard for cybersecurity programs.

IAM Requirements

Identify (ID.AM)

  • ID.AM-1: Inventory physical devices and systems
  • ID.AM-2: Inventory software platforms and applications
  • ID.AM-5: Prioritize resources based on classification and criticality
  • ID.AM-6: Establish cybersecurity roles and responsibilities

Protect - Identity Management (PR.AA)

  • PR.AA-1: Manage identities and credentials for authorized users
  • PR.AA-2: Manage identities and credentials for devices
  • PR.AA-3: Manage remote access
  • PR.AA-4: Manage access permissions incorporating least privilege
  • PR.AA-5: Authenticate users, devices, and other assets

Protect - Awareness (PR.AT)

  • PR.AT-1: All users are informed and trained
  • PR.AT-2: Privileged users understand roles and responsibilities

Detect (DE.CM)

  • DE.CM-1: Network monitoring for cybersecurity events
  • DE.CM-3: Personnel activity monitoring
  • DE.CM-6: External service provider activity monitoring

Compliance Checklist

  1. Conduct current state assessment
  2. Define target profile based on risk tolerance
  3. Perform gap analysis
  4. Prioritize and implement improvements
  5. Establish identity and credential management
  6. Implement access control policies
  7. Deploy multi-factor authentication
  8. Implement continuous monitoring
  9. Establish incident response capabilities
  10. Document and communicate policies
  11. Conduct regular assessments
  12. Integrate with enterprise risk management

Penalties for Non-Compliance

No direct penalties (voluntary framework), but required for federal contractors and increasingly expected by regulators

Quick Facts

  • Region: United States / Global
  • Effective Date: February 12, 2014
  • Enforcing Body: National Institute of Standards and Technology (NIST)
