NIST CYBERSECURITY FRAMEWORK

NIST CSF. The universal language of cyber risk.

Five functions. Twenty-three categories. Over a hundred subcategories. CyberHeed maps your organisation across the entire NIST Cybersecurity Framework - from current profile to target state.

What is the NIST Cybersecurity Framework?

A risk-based approach to managing cybersecurity. Adopted worldwide.

The NIST Cybersecurity Framework (CSF), developed by the U.S. National Institute of Standards and Technology, provides a common language for understanding, managing, and communicating cybersecurity risk. Originally created for U.S. critical infrastructure, it has been adopted by organisations worldwide as the de facto framework for structuring cybersecurity programmes. NIST CSF 2.0, released in February 2024, expanded the framework with a new Govern function and improved guidance for all organisation sizes.

Who Uses NIST CSF?

U.S. Government and Critical Infrastructure

Executive Order 13636 directed federal agencies to use the framework. Critical infrastructure sectors - energy, healthcare, financial services, transportation - are expected to adopt it. Many U.S. state and local governments mandate it for their agencies and contractors.

Global Enterprises

Organisations worldwide adopt NIST CSF as their cybersecurity programme structure. It provides a vendor-neutral, technology-agnostic way to communicate security posture to boards, regulators, customers, and partners regardless of jurisdiction.

Regulated Industries

Financial services regulators, healthcare oversight bodies, and energy sector regulators frequently reference NIST CSF. In the U.S., the Federal Financial Institutions Examination Council (FFIEC) and HIPAA guidance both align with NIST CSF categories.

Any Organisation Seeking Structure

NIST CSF is voluntary and flexible. Organisations at any maturity level can use it to assess their current state, define a target state, and prioritise improvements. It does not prescribe specific controls - it provides the structure within which controls are organised.

Framework Structure

NIST CSF consists of three main components that work together:

Core

Five concurrent, continuous functions - Identify, Protect, Detect, Respond, Recover - broken into 23 categories and 108 subcategories. This is the taxonomy of cybersecurity activities. Each subcategory references informative standards (ISO 27001, COBIT, CIS Controls, etc.).

Profiles

A profile aligns the framework core with your organisation's requirements, risk tolerance, and resources. You create a "Current Profile" (where you are) and a "Target Profile" (where you need to be). The gap between them drives your roadmap.

Implementation Tiers

Four tiers describe the degree to which an organisation's cybersecurity risk management practices exhibit the characteristics of the framework - from Partial (Tier 1) to Adaptive (Tier 4). Tiers are not maturity levels - they describe risk management sophistication.

The Five Core Functions

Identify. Protect. Detect. Respond. Recover.

The five functions are not sequential steps - they are concurrent, continuous activities. Together they provide a strategic view of cybersecurity risk management across the full lifecycle of an incident.

Identify (ID)

Develop an understanding of your organisation's environment to manage cybersecurity risk to systems, people, assets, data, and capabilities. You cannot protect what you do not know you have.

Categories:

- Asset Management (ID.AM) - Inventories of hardware, software, data, systems

- Business Environment (ID.BE) - Mission, objectives, stakeholders, supply chain

- Governance (ID.GV) - Policies, legal requirements, risk management strategy

- Risk Assessment (ID.RA) - Threat and vulnerability identification, risk determination

- Risk Management Strategy (ID.RM) - Risk tolerance, risk decisions, processes

- Supply Chain Risk Management (ID.SC) - Third-party risk identification and management

Protect (PR)

Implement appropriate safeguards to ensure delivery of critical services. Limit or contain the impact of a potential cybersecurity event through preventive controls.

Categories:

- Identity Management and Access Control (PR.AC) - Authentication, authorisation, permissions

- Awareness and Training (PR.AT) - Security awareness for all roles

- Data Security (PR.DS) - Data at rest, in transit, integrity, disposal

- Information Protection Processes (PR.IP) - Policies, baselines, backups, response plans

- Maintenance (PR.MA) - System maintenance and repair

- Protective Technology (PR.PT) - Logging, removable media, network protections

Detect (DE)

Implement appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. Detection enables rapid response - the faster you detect, the less damage occurs.

Categories:

- Anomalies and Events (DE.AE) - Baseline, event analysis, event correlation

- Security Continuous Monitoring (DE.CM) - Network, physical, personnel, malicious code monitoring

- Detection Processes (DE.DP) - Roles, testing, communication, continuous improvement

Respond (RS)

Implement appropriate activities to take action regarding a detected cybersecurity incident. Contain impact, communicate effectively, and conduct post-incident analysis.

Categories:

- Response Planning (RS.RP) - Execute response plan during or after an incident

- Communications (RS.CO) - Internal and external stakeholder coordination

- Analysis (RS.AN) - Investigation, impact understanding, forensics

- Mitigation (RS.MI) - Contain the incident, mitigate effects

- Improvements (RS.IM) - Lessons learned, update response strategies

Recover (RC)

Implement appropriate activities to maintain resilience and restore capabilities impaired during a cybersecurity incident. Return to normal operations while capturing lessons learned.

Categories:

- Recovery Planning (RC.RP) - Execute recovery plan during or after an incident

- Improvements (RC.IM) - Incorporate lessons learned into recovery strategy

- Communications (RC.CO) - Coordinate restoration with internal and external parties

Implementation Tiers

Four tiers of risk management sophistication.

Implementation tiers describe how an organisation views cybersecurity risk and the processes it has in place to manage that risk. They are not maturity levels: Tier 1 may be entirely appropriate for an organisation given its risk tolerance. The tiers are a way to communicate the sophistication of risk management to stakeholders.

Tier 1 - Partial

Risk management is ad hoc and reactive. Awareness of cybersecurity risk at the organisational level is limited. There are no formalised processes for collaborating on risk management.

Tier 2 - Risk Informed

Risk management practices exist but may not be established as policy. Some awareness of cybersecurity risk at the organisational level. Informal collaboration on risk.

Tier 3 - Repeatable

Risk management practices are formally approved and expressed as policy. Organisation-wide approach to managing cybersecurity risk. Regularly updated based on changes.

Tier 4 - Adaptive

Risk management practices adapt based on lessons learned and predictive indicators. Real-time continuous improvement. Organisation actively shares information with partners.

Prepare - Comply - Manage

How CyberHeed handles NIST CSF compliance

CyberHeed maps your organisation across all five functions, builds your Current Profile, helps define your Target Profile, and tracks remediation of every gap.

1. Prepare: Build Your Profile

SmartPrep guides your team through structured conversations covering each function and its categories. AI captures your current capabilities across Identify, Protect, Detect, Respond, and Recover. Your Current Profile emerges from what your team actually does - not what you hope they do.

Define your Target Profile based on business requirements, risk tolerance, and regulatory obligations. The gap between current and target becomes your prioritised roadmap.

2. Comply: Evidence and Validation

Upload evidence for each subcategory. AI validates whether your documentation and controls genuinely demonstrate the capability described in your Target Profile. Policies, procedures, technical configurations, training records, and incident reports - all mapped to NIST CSF subcategories automatically.

AutoMatch reads your existing documentation and maps it to the framework. Documents already created for ISO 27001, Essential Eight, or other frameworks are cross-referenced automatically.

3. Manage: Continuous Improvement

NIST CSF is inherently continuous. CyberHeed tracks your profile across all functions over time. As you implement controls, your profile evolves. When new threats emerge or business requirements change, your Target Profile is updated and new gaps are surfaced.

Board reports, regulatory submissions, and customer security questionnaires are generated from your live profile - always current, always evidenced.

Multi-Framework Advantage

NIST CSF is the Rosetta Stone of cybersecurity frameworks.

NIST CSF was designed to reference other frameworks. Its informative references link directly to ISO 27001, COBIT, CIS Controls, and more. If you've implemented any recognised framework, you already have significant NIST CSF coverage.

~60% - ISO 27001 to NIST CSF

ISO 27001's 93 Annex A controls map across all five NIST CSF functions. Risk assessment, access control, incident response, business continuity, and monitoring requirements align closely between both frameworks.

~55% - Essential Eight to NIST CSF

Essential Eight strategies map strongly to the Protect and Detect functions. Patch management, application control, MFA, and admin privilege restrictions all have direct NIST CSF subcategory equivalents.


Build your NIST CSF profile.

Five functions. Current state to target state. AI-guided assessment with continuous monitoring.
