NETWORK DETECTION & RESPONSE (NDR) FOR NIST

The NIST Framework for Improving Critical Infrastructure Cybersecurity, which for brevity we'll call the Cybersecurity Framework (or CSF), is a set of "standards, guidelines, and best practices to manage cybersecurity-related risk." The guidelines in the Cybersecurity Framework are divided into five broad functions: Identify, Protect, Detect, Respond, and Recover. Each function is divided into categories and subcategories.

For example, the Identify function has a category called Asset Management, denoted with the four-letter code ID.AM, followed by a number indicating which outcome category (e.g., "physical devices within the organization are inventoried") is being discussed. The Asset Management category has subcategories for physical device management, software and applications, organizational data flows, and more. Each outcome subcategory includes informational references to the relevant controls from NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.



How Do Organizations Use NIST CSF and NIST SP 800-53 R4?
The NIST Cybersecurity Framework is essentially a subset of Special Publication 800-53 Revision 4 that is organized around the five essential functions listed above. This excerpt from the framework does an excellent job summarizing how organizations use it, and the outcomes they can expect:

"Building from those standards, guidelines, and practices, the Framework provides a common taxonomy and mechanism for organizations to:

Describe their current cybersecurity posture;
Describe their target state for cybersecurity;
Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
Assess progress toward the target state;
Communicate among internal and external stakeholders about cybersecurity risk"

These frameworks were written for use by federal agencies managing critical infrastructure, but the guidelines and controls are highly relevant for any organization that wants to understand and improve upon its security posture.

