Election Security Spotlight – NIST Cybersecurity Framework

What it is

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a set of voluntary standards, guidelines, best practices, and recommendations for managing cybersecurity risk at an organizational level. NIST CSF aims to standardize the cybersecurity risk landscape under a cohesive framework. It is composed of three parts: Framework Core, Framework Implementation Tiers, and Framework Profiles.

The Framework Core consists of five key areas, called functions, to form an executive-level approach to securing networks and responding to incidents. The functions are

  1. Identify – have full visibility of risk to systems, assets, data, and capabilities;
  2. Protect – implement safeguards to ensure delivery of services;
  3. Detect – be able to identify the occurrence of a cybersecurity event;
  4. Respond – be able to take action regarding a detected cybersecurity event; and
  5. Recover – strengthen cybersecurity resiliency and maintain plans to restore any capabilities or services that were impaired due to a cybersecurity event.

NIST CSF is built for scalability and gradual implementation through a four-tiered implementation system that takes into account an organization’s current risk management practices and threat environment coupled with regulatory and organizational constraints. These Framework Implementation Tiers are

  • Tier 1 – Partial – an ad-hoc and reactive cybersecurity program with little awareness of organizational risk;
  • Tier 2 – Risk-Informed – increased awareness, but no formalized risk program;
  • Tier 3 – Repeatable – formalized organization-wide risk management program with consistently applied policies and the ability to repeatedly respond to incidents; and
  • Tier 4 – Adaptive – proactive response to risk based on previous and current cybersecurity activities, including lessons learned and predictive indicators

A Framework Profile is the customized adoption of the NIST CSF by an organization. It is the alignment of the functions with the business requirements, risk tolerance, and resources of a specific organization. It is meant to show how cybersecurity programs are supporting the mission while fulfilling cybersecurity requirements and managing threats associated with the technical environment.

Why does it matter

The CSF is an important high-level tool for organizations to focus on being proactive in their approach to cybersecurity. You can use the CSF to document, assess, and improve your security practices in a methodical, established way. Even if you have already documented operational guidelines, security practices, and incident response plans, the CSF’s highly customizable approach can help you bring them together into a comprehensive organizational approach to cybersecurity.

Importantly, the NIST CSF doesn’t dictate what your risk tolerance should be, or what best practices or mitigations you put in place. The goal is to make sure there are “conscious” decisions on the part of the organizations that cover the most important aspects of cybersecurity and improve the ability to communicate technical risk to non-technical decision-makers. By developing a current and target profile, an organization can understand the gap between the two and develop a resource plan for closing that gap. That target state may be a Tier 4 implementation, or it may be at a lower tier, you are left to choose what’s best for your organization.

What you can do

While other good models exist, the NIST CSF has the advantage of being well known, so there tend to be more resources and support for it. To begin, election offices should build out a current Framework Profile. NIST has provided multiple resources to aid in this process. The NIST CSF also provides within the document a seven-step process that can be used to create or improve a cybersecurity program. The process is cyclical and is built around evaluating and updating your current framework profile. The EI-ISAC recommends that election officials incorporate this cyclical process into their cybersecurity program.

Election offices can also take advantage of the Nationwide Cybersecurity Review (NCSR), which is sponsored by the U.S. Department of Homeland Security (DHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) and is based on the NIST CSF. The NCSR is a no-cost, anonymous, annual self-assessment designed to measure gaps and capabilities of state, local, tribal, and territorial governments’ (SLTT) cybersecurity programs.


The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact[email protected].