NIST CSF Controls: A Handy Checklist

One of the most common drawbacks of cybersecurity frameworks and standards is that they fail to make a sufficiently compelling case to business leaders. Many focus on the needs of IT teams and exhibit high technological complexity and technical challenges for implementation. Others are biased towards specific types of computing infrastructure or even specific vendors.

The NIST Cybersecurity Framework takes a different approach. It makes clear from the outset that cyber-risk is business risk. To that end, it is more a risk-management framework, and that is something business leaders are very familiar with. The NIST CSF controls span six function areas, 22 categories, and 106 subcategories to ensure comprehensive coverage.

The framework serves as voluntary guidance, drawing from widely adopted best practices and existing guidelines and standards. It also gives organizations complete flexibility over how they implement the framework and how they prioritize their information security strategies. Version 1.1, published in 2018, places a greater emphasis on protecting supply chains, while version 2.0, published in 2024, emphasizes the integration of cybersecurity into business strategy and promotes top-down governance.

NIST Security Controls

The NIST security control categories span six function areas that cover the entire lifecycle of cybersecurity-related incidents. Each of the 22 NIST CSF control categories is broken down into subcategories, 106 in total. These are directly tied to desired business outcomes. For example, the very first subcategory addresses physical device inventorying.

In addition to the Framework Core detailed above, there are two other main components – the Framework Implementation Tiers and the Framework Profile. The tiers provide context as to how the organization views its cybersecurity risk and how it manages it. The profiles represent the desired outcomes, prioritizations, and controls adopted specifically for your organization.

#1. Govern

The first phase of implementing the framework aims to assist you in developing and supervising a cybersecurity strategy that aligns with your organization's overarching mission and risk tolerance. It addresses organizational context; risk management strategy; cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and oversight.

  • Stakeholder and Legal Expectations Comprehension: Understand the demands of stakeholders and adhere to legal requirements regarding cybersecurity.
  • Cybersecurity Alignment with Organizational Goals: Ensure cybersecurity measures are in line with the objectives and targets of your organization.
  • Risk Management Strategy Implementation: Implement and oversee a cybersecurity risk management strategy, including enforcing standards for third parties and maintaining accountability and incident response protocols.

#2. Identify

The second phase deals with evaluating your current environment and building out your risk profile. This involves inventorying every information-bearing device or virtual machine that makes up your environment and defining the roles and responsibilities of your stakeholders and workforce.

  • Asset management: Create a complete inventory of all devices, accounts, personnel, data assets, facilities, and their risk profiles.
  • Business environment: Define the organization’s mission, stakeholders, objectives, and activities to inform cybersecurity roles.
  • Governance: Draft the policies and procedures intended to manage and monitor the organization’s regulatory, risk, and operational environments.
  • Risk assessment: Assess, qualify, and quantify the risks facing your business in order to prioritize the next steps.
  • Risk management strategy: Identify your priorities, constraints, and tolerance to risk to support operational decisions.
  • Supply chain risk management: Apply the previous two categories to the context of supply chain risk management.

#3. Protect

The next phase deals with the protective measures to be applied to mitigate the risks identified in the second phase. This function area encompasses the technical, physical, and administrative measures required across six primary categories:

  • Identity management, authentication, and access control: Establish a robust way to grant and revoke access rights, ideally using multifactor authentication.
  • Awareness and training: Implement a documented training program for personnel and partners to ensure everyone understands your policies and procedures.
  • Data security: Ensure that data at rest or in transit is protected by encryption and that all devices are correctly tracked and managed.
  • Information protection processes and procedures: Establish a way to enforce your policies and procedures and identify the scope and key roles and responsibilities.
  • Maintenance: Create a maintenance program for managing and maintaining all data-bearing assets and system components.
  • Protective technology: Establish protective measures, such as antimalware, spam filtering, and security information and event management (SIEM).

#4. Detect

The fourth phase covers an organization’s ability to detect threats and maintain full visibility over its computing environment. This plays a vital role in advanced and proactive security, since it guards against new and unknown threats as well.

  • Anomalies and events: Establish a way to detect anomalous activity and the potential impact of such events.
  • Security continuous monitoring: All assets and networks must be monitored around the clock with a solution like managed detection and response.
  • Detection processes: Enforce a cybersecurity-aware company culture by ensuring that detection processes and procedures are properly maintained.

#5. Respond

Next, organizations must have a clearly defined and documented process for responding to threats. This is vital for stopping attacks in progress and mitigating their effects before they lead to far-reaching consequences:

  • Response planning: Determine how and when incident response plans are executed and maintained.
  • Communications: Identify the key roles and responsibilities of your incident response personnel, including any external support from law enforcement and other third parties.
  • Analysis: Establish an effective way to analyze incidents to ensure an effective and appropriate response and support future remediation plans.
  • Mitigation: Perform activities to prevent the proliferation of an incident and mitigate its effects on your organization.
  • Improvements: Response activities should draw upon your audit trails to determine exactly what went wrong and improve based on these insights.

#6. Recover

The sixth and final stage is all about preparing for the worst-case scenario. Regardless of how sophisticated your detection and response capabilities are, it is vital that you have a process in place for recovering from an incident, such as a data breach, with as little damage to your business, clients, and stakeholders as possible.

  • Recovery planning: Document your disaster recovery processes and establish ways to minimize damage by restoring affected systems as quickly and as safely as possible.
  • Improvements: Create a plan for identifying the strengths and weaknesses of your IT incident recovery methods to improve them in the future.
  • Communications: Recovery activities must be properly coordinated, which means all personnel and third parties must be clearly aware of their roles and available to contact.
Charles IT is Connecticut’s premier compliance and information security expert. We offer the full range of managed technology solutions and consultancy services to ensure your business is up to speed with the latest threats. Get in touch today to schedule a meeting!