NIST Cyber Security Framework

NIST CSF: The seven-step cybersecurity framework process

Greg Belding
December 23, 2019 by
Greg Belding

One would have to be living under a rock to think that cybersecurity isn’t one of the most important considerations in today’s world. In response to the growing need for a cybersecurity framework, President Barack Obama signed Executive Order 13636 in 2014, outlining mandatory standards for government and military (optional for the private sector) created by the National Institute of Standards and Technology (NIST). This would be known as the NIST Cybersecurity Framework (NIST CSF)

NIST CSF provides a seven-step process to establish new cybersecurity programs or improve currently existing programs. This article will detail what the seven-step process is and explore the purpose of this process and what each step recommends, along with tips for success when using this process.

Why is this seven-step process needed?

NIST recommends that organizations implement this process in order to best establish or update cybersecurity programs. Cybersecurity programs, or proposed programs, are compared to the five high-level functions of NIST CSF. These five functions are:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

These five functions are used to distill fundamental cybersecurity risk concepts so that the organization can determine how their cybersecurity program is doing and whether there are areas that need to be worked on. Likewise, these five functions serve as (optional) best practices to follow in order to establish a better cybersecurity program. 

The seven-step cybersecurity framework process

NIST recommends following this seven-step process when establishing a cybersecurity program and when reviewing previously existing cybersecurity programs to determine how they measure up. Below is a list of these seven steps, along with a detailed exploration of each step.

The seven steps

  1. Prioritize and Scope
  2. Orient
  3. Create a Current Profile
  4. Conduct a Risk Assessment
  5. Create a Target Profile
  6. Determine, Analyze and Prioritize Gaps
  7. Implement Action Plan

Step 1: Prioritize and scope

In this step, the organization must identify organization or mission objectives along with high-level organizational priorities. This allows the organization to make strategic cybersecurity implementation decisions and determine the scope of the systems (and other assets) that will support the organization. 

Key to this step is identifying important systems and assets so that their protection can be prioritized. After important systems and assets are protected, lower-priority ones can be focused on until all cybersecurity program missions are completed.

Step 2: Orient

The purpose of this step is to continue the implementation of a cybersecurity program for an organization. 

Once Step 1 is complete, the organization should identify related systems and assets, regulatory requirements and the program’s overall risk approach. The organization should then identify vulnerabilities of, and threats to, these systems and assets. 

If the scope of the cybersecurity program is mainly IT-related, vulnerability assessments and threat modeling will be given more weight in making the decision described in this step.

Step 3: Create a current profile

A Current Profile is developed by indicating which control outcomes (Category and Subcategory) of the Framework Core are currently being achieved. Partially achieved articles should be noted so supporting baseline information regarding subsequent steps can be provided. 

The Current Profile should integrate every control found in the NIST CSF in order to determine which control outcomes are being achieved. 

Step 4: Conduct a risk assessment

This risk assessment may be guided by previous risk assessment activities or the organization’s overall risk management process. Analyze the organization’s operational environment to determine the likelihood of cybersecurity events and their related impact. 

This risk assessment should not be narrowly focused on problem areas but also include what is working well too.

Step 5: Create a target profile

Create a target profile that focuses on the CSF Categories and Subcategories assessment and describes the desired cybersecurity outcomes. Organizations are given the freedom to add extra Categories and Subcategories based upon their specific organizational risks. 

A cautious or rational approach should be taken when creating this profile. Risk appetite should be considered as well, where the organization determines which risk category or vector is appropriate to accept.

Step 6: Determine, analyze and prioritize gaps

As the title suggests, in this step the organization determines, analyzes and prioritize any gaps that exist, based on the Current and Target Profiles enumerated above. A prioritized action plan should address these gaps and use costs and benefits, risks and mission-driven considerations to achieve the desired Target Profile outcomes. The resources needed to address these gaps should be determined as well.

Step 7: Implement action plan

After determining which steps need to be taken to address the gaps discussed above, the organization should determine which actions to take and carry out said actions to address the gaps, if any. Cybersecurity practices should then be adjusted to achieve the Target Profile. 

How to get the most out of these seven steps

The seven steps laid out above will bring an organization’s cybersecurity program up to speed regarding the NIST CSF, but by no means should the job be considered over. You need to repeat the seven steps continuously in order to assess and improve the organization’s cybersecurity program. 

Some organizations find that frequent repetition of Step 2 improves risk assessment quality. These steps are a roadmap for organizations and by no means one-size-fits-all, so adjust them if needed for your organization.


The National Institute of Standard and Technology (NIST) Cybersecurity Framework (CSF) was established by Executive Order in 2014, providing optional guidelines for better cybersecurity programs for critical infrastructure, organizations, businesses and municipalities. 

To help these entities comply with the CSF, a seven-step process is recommended. These steps entail comparing the current state of a cybersecurity program with a target cybersecurity program and closing the gaps to bring the program to the target state. These steps serve as flexible roadmap and the steps should be repeated to ensure continuous program improvement.


Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.