The NIST CSF describes a 7-step process that an organization can follow to establish a new cybersecurity program or improve an existing one using the Framework.
The 7 steps are:
Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities.
Step 2: Orient. The organization identifies related systems and assets, regulatory requirements, and its overall risk approach, and then identifies threats to, and vulnerabilities of, those systems and assets.
Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.
Step 4: Conduct a Risk Assessment. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization.
Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization's desired cybersecurity outcomes.
Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address those gaps, drawing upon mission drivers, a cost/benefit analysis, and an understanding of risk, in order to achieve the outcomes in the Target Profile.
Step 7: Implement Action Plan. The organization determines which actions to take regarding the gaps, if any, identified in the previous step.
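Steps 3 through 6 are often tracked in a spreadsheet, but the comparison and prioritization are a small algorithm and are easier to audit as code. The following Python is an added worked example, not part of the NIST publication: it encodes a Current Profile and a Target Profile as maps from Subcategory to implementation state, pulls likelihood and impact from the risk assessment, finds every Subcategory whose current state falls short of the target, and ranks the resulting gaps by risk per unit of closing cost. The Subcategory identifiers follow CSF v1.1 naming (ID.AM-1, PR.AC-1, PR.DS-1, DE.CM-1, RS.RP-1); the three-level state scale, the 1-5 likelihood/impact/cost scores and all profile values are constructed assumptions, since the Framework does not prescribe a scoring scheme.

```python
"""Gap analysis between a NIST CSF Current Profile and Target Profile.

Added example; the state scale and the sample scores below are constructed
assumptions, not values taken from the Framework.
"""
from dataclasses import dataclass

# Ordinal implementation states for a Subcategory outcome (assumed scale).
STATES = {"not_implemented": 0, "partial": 1, "implemented": 2}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: str
    target: str
    likelihood: int  # 1-5, from the risk assessment (step 4)
    impact: int      # 1-5, from the risk assessment (step 4)
    cost: int        # 1-5, relative effort to reach the target state

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

    @property
    def priority(self) -> float:
        # Cost/benefit: risk retired per unit of effort. Higher ranks first.
        return self.risk / self.cost


def find_gaps(current: dict, target: dict, risk: dict, cost: dict) -> list:
    """Return one Gap per Subcategory where the Current Profile is below the Target."""
    gaps = []
    for sub, tgt_state in target.items():
        # A Subcategory absent from the Current Profile has not been assessed
        # as achieved, so it is treated as not implemented rather than skipped.
        cur_state = current.get(sub, "not_implemented")
        if cur_state not in STATES or tgt_state not in STATES:
            raise ValueError(f"unknown state for {sub}: {cur_state!r}/{tgt_state!r}")
        if STATES[cur_state] < STATES[tgt_state]:
            likelihood, impact = risk[sub]
            gaps.append(Gap(sub, cur_state, tgt_state, likelihood, impact, cost[sub]))
    return gaps


def prioritize(gaps: list) -> list:
    """Order gaps for the action plan: best risk-per-cost first, then raw risk."""
    return sorted(gaps, key=lambda g: (-g.priority, -g.risk, g.subcategory))


def action_plan(gaps: list) -> list:
    """Render the prioritized gaps as action-plan lines (step 6 output)."""
    return [
        f"{n}. {g.subcategory}: {g.current} -> {g.target} "
        f"(risk={g.risk}, cost={g.cost}, priority={g.priority:.1f})"
        for n, g in enumerate(prioritize(gaps), start=1)
    ]


# --- Constructed sample profiles and risk-assessment results ---
CURRENT_PROFILE = {
    "ID.AM-1": "implemented",
    "PR.AC-1": "partial",
    "PR.DS-1": "implemented",
    "RS.RP-1": "partial",
    # DE.CM-1 deliberately missing: never assessed in the Current Profile.
}
TARGET_PROFILE = {
    "ID.AM-1": "implemented",
    "PR.AC-1": "implemented",
    "PR.DS-1": "implemented",
    "DE.CM-1": "implemented",
    "RS.RP-1": "implemented",
}
# (likelihood, impact) per Subcategory from the step-4 risk assessment.
RISK = {
    "ID.AM-1": (2, 3),
    "PR.AC-1": (4, 5),
    "PR.DS-1": (2, 4),
    "DE.CM-1": (3, 4),
    "RS.RP-1": (2, 3),
}
# Relative effort to reach the target state.
COST = {"ID.AM-1": 1, "PR.AC-1": 2, "PR.DS-1": 3, "DE.CM-1": 4, "RS.RP-1": 1}


def sample_plan() -> list:
    return action_plan(find_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK, COST))


if __name__ == "__main__":
    print("\n".join(sample_plan()))
```

On the sample data the plan lists PR.AC-1 first (risk 20, cost 2), then RS.RP-1 (risk 6, cost 1) ahead of DE.CM-1 (risk 12, cost 4): the cheap response-plan fix outranks the costlier monitoring gap once cost/benefit is applied, which is exactly the trade-off step 6 asks the organization to make explicit. Subcategories already at their target state (ID.AM-1, PR.DS-1) produce no gap and never enter the plan.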