[{"data":1,"prerenderedAt":2605},["ShallowReactive",2],{"\u002Fglossary\u002Fnist":3,"\u002Fglossary\u002Fnist__related-terms":114,"explore-glossary-nistcsf-\u002Fglossary\u002Fnist":121,"explore-topics-nistcsf-\u002Fglossary\u002Fnist":937,"explore-hub-nistcsf":1546,"explore-compare-vs-\u002Fglossary\u002Fnist":2163,"explore-compare-\u002Fglossary\u002Fnist":2330,"explore-blog-nistcsf-\u002Fglossary\u002Fnist":2451,"explore-industry-nistcsf":1533},{"id":4,"title":5,"body":6,"description":87,"extension":96,"lastUpdated":97,"meta":98,"navigation":99,"path":100,"relatedFrameworks":101,"relatedTerms":104,"seo":108,"slug":111,"stem":112,"term":13,"__hash__":113},"glossary\u002F8.glossary\u002Fnist.md","Nist",{"type":7,"value":8,"toc":86},"minimark",[9,14,18,23,52,56,59,73,77],[10,11,13],"h2",{"id":12},"what-is-nist","What is NIST?",[15,16,17],"p",{},"NIST (National Institute of Standards and Technology) is a non-regulatory agency of the United States Department of Commerce that develops and publishes standards, guidelines, and best practices for technology and cybersecurity. NIST's publications are among the most widely referenced resources in information security worldwide, influencing both government and private sector organizations.",[19,20,22],"h3",{"id":21},"what-are-the-key-nist-publications","What are the key NIST publications?",[24,25,26,34,40,46],"ul",{},[27,28,29,33],"li",{},[30,31,32],"strong",{},"NIST Cybersecurity Framework (CSF)"," — a voluntary framework organized around five core functions (Identify, Protect, Detect, Respond, Recover) that provides a common language for managing cybersecurity risk. Widely adopted by organizations of all sizes.",[27,35,36,39],{},[30,37,38],{},"NIST SP 800-53"," — a comprehensive catalog of security and privacy controls for federal information systems. Often used as a reference by private organizations building security programs.",[27,41,42,45],{},[30,43,44],{},"NIST SP 800-171"," — security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems, required for defense contractors.",[27,47,48,51],{},[30,49,50],{},"NIST SP 800-37"," — the Risk Management Framework (RMF) that guides organizations through a structured process for managing security risk.",[19,53,55],{"id":54},"why-does-nist-matter-for-compliance","Why does NIST matter for compliance?",[15,57,58],{},"While NIST frameworks are voluntary for most private organizations, they serve as the foundation or reference point for many compliance requirements:",[24,60,61,64,67,70],{},[27,62,63],{},"Federal agencies are required to follow NIST guidelines",[27,65,66],{},"Defense contractors must comply with NIST SP 800-171 (enforced through CMMC)",[27,68,69],{},"Many ISO 27001 and SOC 2 control mappings reference NIST publications",[27,71,72],{},"Cyber insurance providers increasingly reference NIST CSF alignment",[19,74,76],{"id":75},"how-does-episki-help-with-nist","How does episki help with NIST?",[15,78,79,80,85],{},"episki supports NIST CSF as a framework and provides control mappings between NIST and other standards like ISO 27001 and SOC 2. Learn more on our ",[81,82,84],"a",{"href":83},"\u002Fframeworks","compliance platform",".",{"title":87,"searchDepth":88,"depth":88,"links":89},"",2,[90],{"id":12,"depth":88,"text":13,"children":91},[92,94,95],{"id":21,"depth":93,"text":22},3,{"id":54,"depth":93,"text":55},{"id":75,"depth":93,"text":76},"md","2026-04-16",{},true,"\u002Fglossary\u002Fnist",[102,103],"nistcsf","iso27001",[105,106,107],"framework","control-framework","risk-register",{"title":109,"description":110},"What is NIST? Definition & Compliance Guide","NIST (National Institute of Standards and Technology) is a US government agency that publishes widely used cybersecurity frameworks and guidelines, including the NIST Cybersecurity Framework (CSF).","nist","8.glossary\u002Fnist","2ae4F06Rs2No0I7mHDHgivjpmqOCtVisAqiVyvGLz0Q",[115,117,119],{"slug":106,"term":116},"What is a Control Framework?",{"slug":105,"term":118},"What is a Framework?",{"slug":107,"term":120},"What is a Risk Register?",[122,695],{"id":123,"title":124,"body":125,"description":87,"extension":96,"lastUpdated":97,"meta":678,"navigation":99,"path":679,"relatedFrameworks":680,"relatedTerms":685,"seo":689,"slug":692,"stem":693,"term":130,"__hash__":694},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":7,"value":126,"toc":664},[127,131,134,138,141,167,171,177,183,189,195,199,202,208,225,231,245,251,262,266,269,326,330,333,347,351,354,377,381,384,434,438,441,561,564,567,596,600,606,609,646,649,652,655,659],[10,128,130],{"id":129},"what-is-access-control","What is Access Control?",[15,132,133],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[19,135,137],{"id":136},"what-are-the-core-principles-of-access-control","What are the core principles of access control?",[15,139,140],{},"Access control is built on several foundational principles:",[24,142,143,149,155,161],{},[27,144,145,148],{},[30,146,147],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[27,150,151,154],{},[30,152,153],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[27,156,157,160],{},[30,158,159],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[27,162,163,166],{},[30,164,165],{},"Default deny"," — access is denied by default unless explicitly granted",[19,168,170],{"id":169},"what-are-the-types-of-access-control","What are the types of access control?",[15,172,173,176],{},[30,174,175],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[15,178,179,182],{},[30,180,181],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[15,184,185,188],{},[30,186,187],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[15,190,191,194],{},[30,192,193],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. Common in government and military environments.",[19,196,198],{"id":197},"what-are-access-control-components","What are access control components?",[15,200,201],{},"A complete access control program addresses:",[15,203,204,207],{},[30,205,206],{},"Authentication"," — verifying the identity of users:",[24,209,210,213,216,219,222],{},[27,211,212],{},"Passwords and passphrases",[27,214,215],{},"Multi-factor authentication (MFA)",[27,217,218],{},"Single sign-on (SSO)",[27,220,221],{},"Biometric authentication",[27,223,224],{},"Certificate-based authentication",[15,226,227,230],{},[30,228,229],{},"Authorization"," — determining what authenticated users can do:",[24,232,233,236,239,242],{},[27,234,235],{},"Permission assignments",[27,237,238],{},"Role definitions",[27,240,241],{},"Access control lists",[27,243,244],{},"Policy enforcement points",[15,246,247,250],{},[30,248,249],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[24,252,253,256,259],{},[27,254,255],{},"Provisioning (granting access when hired or role changes)",[27,257,258],{},"Review (periodic access certification)",[27,260,261],{},"Deprovisioning (revoking access upon termination or role change)",[19,263,265],{"id":264},"how-do-compliance-frameworks-address-access-control","How do compliance frameworks address access control?",[15,267,268],{},"Every major framework requires access control:",[24,270,271,280,294,308,317],{},[27,272,273,279],{},[30,274,275],{},[81,276,278],{"href":277},"\u002Fframeworks\u002Fsoc2","SOC 2"," — CC6.1 through CC6.8 cover logical and physical access controls",[27,281,282,288,289,293],{},[30,283,284],{},[81,285,287],{"href":286},"\u002Fframeworks\u002Fiso27001","ISO 27001"," — ",[81,290,292],{"href":291},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[27,295,296,302,303,307],{},[30,297,298],{},[81,299,301],{"href":300},"\u002Fframeworks\u002Fhipaa","HIPAA"," — the ",[81,304,306],{"href":305},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[27,309,310,316],{},[30,311,312],{},[81,313,315],{"href":314},"\u002Fframeworks\u002Fpci","PCI DSS"," — Requirements 7 and 8 address access restriction and user identification",[27,318,319,325],{},[30,320,321],{},[81,322,324],{"href":323},"\u002Fframeworks\u002Fnistcsf","NIST CSF"," — PR.AC covers identity management, authentication, and access control",[19,327,329],{"id":328},"what-are-access-reviews","What are access reviews?",[15,331,332],{},"Regular access reviews (also called access certifications) are a critical control:",[24,334,335,338,341,344],{},[27,336,337],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[27,339,340],{},"Verify that access aligns with current job responsibilities",[27,342,343],{},"Identify and remove excessive or unnecessary access",[27,345,346],{},"Document review results and remediation actions",[19,348,350],{"id":349},"what-are-common-access-control-weaknesses","What are common access control weaknesses?",[15,352,353],{},"Even well-designed access control programs can degrade over time without ongoing attention. Watch for these common issues:",[24,355,356,359,362,365,368,371,374],{},[27,357,358],{},"Excessive permissions that accumulate over time (privilege creep)",[27,360,361],{},"Shared or generic accounts that prevent individual accountability",[27,363,364],{},"Delayed deprovisioning when employees leave or change roles",[27,366,367],{},"Lack of MFA on critical systems and remote access paths",[27,369,370],{},"Inconsistent access review processes with no documented remediation",[27,372,373],{},"Service accounts with standing privileged access and no rotation schedule",[27,375,376],{},"Lack of visibility into SaaS application access outside the corporate IdP",[19,378,380],{"id":379},"how-do-you-implement-access-control-in-practice","How do you implement access control in practice?",[15,382,383],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[385,386,387,393,399,405,411,417,428],"ol",{},[27,388,389,392],{},[30,390,391],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[27,394,395,398],{},[30,396,397],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[27,400,401,404],{},[30,402,403],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[27,406,407,410],{},[30,408,409],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[27,412,413,416],{},[30,414,415],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[27,418,419,422,423,427],{},[30,420,421],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[81,424,426],{"href":425},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[27,429,430,433],{},[30,431,432],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[19,435,437],{"id":436},"what-are-the-access-control-requirements","What are the access control requirements?",[15,439,440],{},"Different frameworks address the same access control concepts with different control references. The table below maps common requirements to their framework-specific identifiers:",[442,443,444,464],"table",{},[445,446,447],"thead",{},[448,449,450,454,456,458,460,462],"tr",{},[451,452,453],"th",{},"Requirement",[451,455,278],{},[451,457,287],{},[451,459,301],{},[451,461,315],{},[451,463,324],{},[465,466,467,488,507,527,544],"tbody",{},[448,468,469,473,476,479,482,485],{},[470,471,472],"td",{},"Unique user IDs",[470,474,475],{},"CC6.1",[470,477,478],{},"A.5.16",[470,480,481],{},"§164.312(a)(2)(i)",[470,483,484],{},"Req 8.2.1",[470,486,487],{},"PR.AC-1",[448,489,490,493,495,498,501,504],{},[470,491,492],{},"MFA",[470,494,475],{},[470,496,497],{},"A.8.5",[470,499,500],{},"Addressable",[470,502,503],{},"Req 8.4",[470,505,506],{},"PR.AC-7",[448,508,509,512,515,518,521,524],{},[470,510,511],{},"Access reviews",[470,513,514],{},"CC6.2",[470,516,517],{},"A.5.18",[470,519,520],{},"§164.312(a)(1)",[470,522,523],{},"Req 7.2",[470,525,526],{},"PR.AC-4",[448,528,529,531,534,537,539,542],{},[470,530,147],{},[470,532,533],{},"CC6.3",[470,535,536],{},"A.5.15",[470,538,520],{},[470,540,541],{},"Req 7.1",[470,543,526],{},[448,545,546,549,551,553,556,559],{},[470,547,548],{},"Deprovisioning",[470,550,514],{},[470,552,517],{},[470,554,555],{},"§164.312(a)(2)(ii)",[470,557,558],{},"Req 8.2.6",[470,560,487],{},[15,562,563],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[15,565,566],{},"A few notes on framework-specific nuances:",[24,568,569,574,582,589],{},[27,570,571,573],{},[30,572,301],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[27,575,576,581],{},[30,577,578,580],{},[81,579,315],{"href":314}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[27,583,584,588],{},[30,585,586],{},[81,587,278],{"href":277}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[27,590,591,595],{},[30,592,593],{},[81,594,324],{"href":323}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[19,597,599],{"id":598},"how-does-zero-trust-relate-to-access-control","How does zero trust relate to access control?",[15,601,602,603,85],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[30,604,605],{},"never trust, always verify",[15,607,608],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[24,610,611,617,623,634,640],{},[27,612,613,616],{},[30,614,615],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[27,618,619,622],{},[30,620,621],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[27,624,625,628,629,633],{},[30,626,627],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[81,630,632],{"href":631},"\u002Fglossary\u002Fencryption","encryption",") is evaluated before access is granted.",[27,635,636,639],{},[30,637,638],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[27,641,642,645],{},[30,643,644],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[15,647,648],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[15,650,651],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[15,653,654],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. Over time, these incremental improvements compound into a mature zero trust posture.",[19,656,658],{"id":657},"how-does-episki-help-with-access-control","How does episki help with access control?",[15,660,661,662,85],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[81,663,84],{"href":83},{"title":87,"searchDepth":88,"depth":88,"links":665},[666],{"id":129,"depth":88,"text":130,"children":667},[668,669,670,671,672,673,674,675,676,677],{"id":136,"depth":93,"text":137},{"id":169,"depth":93,"text":170},{"id":197,"depth":93,"text":198},{"id":264,"depth":93,"text":265},{"id":328,"depth":93,"text":329},{"id":349,"depth":93,"text":350},{"id":379,"depth":93,"text":380},{"id":436,"depth":93,"text":437},{"id":598,"depth":93,"text":599},{"id":657,"depth":93,"text":658},{},"\u002Fglossary\u002Faccess-control",[681,682,103,683,684,102],"cmmc","soc2","hipaa","pci",[686,687,632,688],"minimum-necessary-rule","audit-trail","user-entity-controls",{"title":690,"description":691},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","06FHtOe5hEs65vhNnMjZcNgPP9NXCQTnLD9llz_jEjM",{"id":696,"title":697,"body":698,"description":87,"extension":96,"lastUpdated":97,"meta":924,"navigation":99,"path":925,"relatedFrameworks":926,"relatedTerms":927,"seo":931,"slug":934,"stem":935,"term":703,"__hash__":936},"glossary\u002F8.glossary\u002Fbusiness-continuity.md","Business Continuity",{"type":7,"value":699,"toc":914},[700,704,707,711,714,728,731,735,741,752,758,775,781,798,804,821,825,848,852,855,881,884,888,905,909],[10,701,703],{"id":702},"what-is-business-continuity","What is Business Continuity?",[15,705,706],{},"Business continuity is the capability of an organization to continue delivering products and services at acceptable predefined levels following a disruptive incident. A business continuity plan (BCP) documents the procedures and resources needed to maintain operations during and after events such as natural disasters, cyberattacks, pandemics, infrastructure failures, or supply chain disruptions.",[19,708,710],{"id":709},"what-is-the-difference-between-business-continuity-and-disaster-recovery","What is the difference between business continuity and disaster recovery?",[15,712,713],{},"While often discussed together, business continuity and disaster recovery serve different purposes:",[24,715,716,722],{},[27,717,718,721],{},[30,719,720],{},"Business continuity"," focuses on maintaining overall business operations — it encompasses people, processes, facilities, and technology",[27,723,724,727],{},[30,725,726],{},"Disaster recovery"," focuses specifically on restoring IT systems and data after a disruption",[15,729,730],{},"Disaster recovery is a subset of business continuity. A comprehensive business continuity program includes disaster recovery as one of its components.",[19,732,734],{"id":733},"what-are-the-components-of-a-business-continuity-plan","What are the components of a business continuity plan?",[15,736,737,740],{},[30,738,739],{},"Business Impact Analysis (BIA)"," — identifies critical business functions, the impact of disrupting them, and the maximum tolerable downtime:",[24,742,743,746,749],{},[27,744,745],{},"Recovery Time Objective (RTO) — the maximum acceptable time to restore a function",[27,747,748],{},"Recovery Point Objective (RPO) — the maximum acceptable data loss measured in time",[27,750,751],{},"Maximum Tolerable Period of Disruption (MTPD) — the longest the business can survive without the function",[15,753,754,757],{},[30,755,756],{},"Risk assessment"," — identifies threats that could disrupt operations and evaluates their likelihood and impact:",[24,759,760,763,766,769,772],{},[27,761,762],{},"Natural disasters (earthquakes, floods, severe weather)",[27,764,765],{},"Technology failures (hardware failure, software bugs, network outages)",[27,767,768],{},"Cyber incidents (ransomware, DDoS attacks, data breaches)",[27,770,771],{},"Human factors (key personnel loss, labor disputes)",[27,773,774],{},"Supply chain disruptions (vendor failures, logistics breakdowns)",[15,776,777,780],{},[30,778,779],{},"Recovery strategies"," — defines how critical functions will be maintained or restored:",[24,782,783,786,789,792,795],{},[27,784,785],{},"Alternative work locations or remote work capabilities",[27,787,788],{},"Redundant systems and infrastructure",[27,790,791],{},"Manual workaround procedures",[27,793,794],{},"Third-party recovery services",[27,796,797],{},"Communication plans for employees, customers, and stakeholders",[15,799,800,803],{},[30,801,802],{},"Plan documentation"," — the written BCP includes:",[24,805,806,809,812,815,818],{},[27,807,808],{},"Roles and responsibilities",[27,810,811],{},"Contact information for key personnel and vendors",[27,813,814],{},"Step-by-step recovery procedures for each critical function",[27,816,817],{},"Resource requirements",[27,819,820],{},"Communication templates",[19,822,824],{"id":823},"how-do-compliance-frameworks-address-business-continuity","How do compliance frameworks address business continuity?",[24,826,827,832,837,842],{},[27,828,829,831],{},[30,830,287],{}," — control A.5.29 addresses information security during disruption, and A.5.30 addresses ICT readiness for business continuity",[27,833,834,836],{},[30,835,324],{}," — the Recover function (RC) addresses recovery planning, improvements, and communications",[27,838,839,841],{},[30,840,278],{}," — the Availability criterion addresses system uptime and recovery capabilities",[27,843,844,847],{},[30,845,846],{},"ISO 22301"," — the dedicated international standard for business continuity management systems",[19,849,851],{"id":850},"how-do-you-test-a-business-continuity-plan","How do you test a business continuity plan?",[15,853,854],{},"A business continuity plan that has not been tested is unreliable. Testing approaches include:",[24,856,857,863,869,875],{},[27,858,859,862],{},[30,860,861],{},"Tabletop exercises"," — team discussions walking through scenarios",[27,864,865,868],{},[30,866,867],{},"Structured walkthroughs"," — step-by-step review of procedures with assigned teams",[27,870,871,874],{},[30,872,873],{},"Simulation tests"," — practicing response to a simulated disruption",[27,876,877,880],{},[30,878,879],{},"Full interruption tests"," — actually activating recovery procedures (highest assurance but most disruptive)",[15,882,883],{},"Testing should occur at least annually and after significant changes to the business or infrastructure.",[19,885,887],{"id":886},"what-are-common-pitfalls-with-business-continuity","What are common pitfalls with business continuity?",[24,889,890,893,896,899,902],{},[27,891,892],{},"BCP exists on paper but is never tested or updated",[27,894,895],{},"Critical dependencies on single points of failure are not identified",[27,897,898],{},"Communication plans do not account for the disruption itself (e.g., email is down)",[27,900,901],{},"Key personnel are not trained on their BCP responsibilities",[27,903,904],{},"The plan does not keep pace with business changes",[19,906,908],{"id":907},"how-does-episki-help-with-business-continuity","How does episki help with business continuity?",[15,910,911,912,85],{},"episki helps organizations document their business continuity plans, schedule and track testing exercises, and maintain evidence of BCP activities for auditors. The platform links BCP activities to ISO 27001 and NIST CSF requirements. Learn more on our ",[81,913,84],{"href":83},{"title":87,"searchDepth":88,"depth":88,"links":915},[916],{"id":702,"depth":88,"text":703,"children":917},[918,919,920,921,922,923],{"id":709,"depth":93,"text":710},{"id":733,"depth":93,"text":734},{"id":823,"depth":93,"text":824},{"id":850,"depth":93,"text":851},{"id":886,"depth":93,"text":887},{"id":907,"depth":93,"text":908},{},"\u002Fglossary\u002Fbusiness-continuity",[103,102],[928,929,107,930],"disaster-recovery","incident-response","risk-treatment-plan",{"title":932,"description":933},"What is Business Continuity? Definition & Compliance Guide","Business continuity planning ensures an organization can maintain essential operations during and after a disruptive event. Learn the key components and frameworks.","business-continuity","8.glossary\u002Fbusiness-continuity","dyPU67gMtqXpCCrubDS7MtzzpZM4MS8zudQDFFznv_U",[938,1237],{"id":939,"title":940,"body":941,"description":1207,"extension":96,"faq":1208,"frameworkSlug":102,"lastUpdated":97,"meta":1222,"navigation":99,"path":1223,"relatedTerms":1224,"relatedTopics":1227,"seo":1232,"stem":1235,"__hash__":1236},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Fdetect-function.md","NIST CSF Detect Function",{"type":7,"value":942,"toc":1196},[943,947,954,957,960,964,967,1006,1009,1013,1016,1019,1039,1043,1046,1049,1063,1067,1070,1114,1118,1121,1159,1163,1166,1169,1173,1182],[10,944,946],{"id":945},"what-is-the-nist-csf-detect-function","What is the NIST CSF Detect function?",[15,948,949,950,953],{},"The ",[30,951,952],{},"Detect (DE) function"," develops and implements activities to identify the occurrence of a cybersecurity event in a timely manner. Detect is where the cybersecurity program proves it can see what is actually happening. No preventive control is perfect, and the gap between compromise and detection — dwell time — is one of the most decisive variables in the final impact of an attack. An adversary detected within hours is an incident; an adversary detected after six months is a breach.",[15,955,956],{},"Detect sits between Protect (the preventive function) and Respond (the reactive function). Telemetry from the platforms, identities, data stores, and networks protected in the Protect function flows into Detect, where continuous monitoring and event analysis turn raw signals into actionable alerts. Those alerts become the inputs to Respond.",[15,958,959],{},"Detect is also the function most likely to be measured badly. A detection program that produces thousands of alerts that nobody reads is not detecting anything; it is generating noise. Mature NIST CSF Detect programs are judged by mean time to detect (MTTD), true-positive rate, and coverage against relevant threat scenarios — not by alert volume.",[10,961,963],{"id":962},"how-detect-changed-in-nist-csf-20","How Detect changed in NIST CSF 2.0",[15,965,966],{},"NIST CSF 1.1 split the Detect function into three categories: Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), and Detection Processes (DE.DP). NIST CSF 2.0 consolidated these into two:",[442,968,969,982],{},[445,970,971],{},[448,972,973,976,979],{},[451,974,975],{},"Category",[451,977,978],{},"ID",[451,980,981],{},"Focus",[465,983,984,995],{},[448,985,986,989,992],{},[470,987,988],{},"Continuous Monitoring",[470,990,991],{},"DE.CM",[470,993,994],{},"Monitoring of networks, physical environments, personnel activity, and third parties",[448,996,997,1000,1003],{},[470,998,999],{},"Adverse Event Analysis",[470,1001,1002],{},"DE.AE",[470,1004,1005],{},"Analysis of anomalies, correlation across sources, and characterization of events",[15,1007,1008],{},"The old Detection Processes category (DE.DP) was partially folded into DE.AE and partially moved into the Govern function's oversight and improvement outcomes. The net effect is a cleaner distinction: DE.CM is the telemetry layer, DE.AE is the analysis layer, and governance of the detection program itself is handled through Govern.",[19,1010,1012],{"id":1011},"continuous-monitoring-decm","Continuous Monitoring (DE.CM)",[15,1014,1015],{},"DE.CM covers the collection of telemetry and the continuous monitoring of the environment for cybersecurity-relevant signals. This includes monitoring of networks, endpoints, cloud services, applications, identities, physical environments, personnel activity, and third-party connections. DE.CM outcomes are usually measured in coverage: what percentage of the environment is visible, which assets or tiers of assets are blind spots, and whether critical logs are being retained for long enough to support Respond and Recover.",[15,1017,1018],{},"A healthy DE.CM program integrates logs from:",[24,1020,1021,1024,1027,1030,1033,1036],{},[27,1022,1023],{},"Endpoints — EDR agents across workstations, servers, and mobile devices.",[27,1025,1026],{},"Identity providers — authentication logs, privileged access, federation, and token issuance events.",[27,1028,1029],{},"Cloud providers — control-plane audit logs, data-plane access logs, and configuration change logs.",[27,1031,1032],{},"Network — flow data, DNS logs, and network detection and response (NDR) sensors on segments where they are warranted.",[27,1034,1035],{},"Applications — application-layer logs for critical business systems.",[27,1037,1038],{},"Third parties — logs from managed service providers, SaaS vendors, and partners with privileged access.",[19,1040,1042],{"id":1041},"adverse-event-analysis-deae","Adverse Event Analysis (DE.AE)",[15,1044,1045],{},"DE.AE takes the raw signals collected by DE.CM and turns them into characterized events. Analysts triage anomalies, correlate across sources, determine the scope and potential impact, and decide whether an event warrants escalation to the Respond function. DE.AE is where the real expertise lives. Signatures catch known-bad behavior; DE.AE analysis catches the variants, the novel techniques, and the low-and-slow activity that evades pure-signature detection.",[15,1047,1048],{},"Mature DE.AE practices include:",[24,1050,1051,1054,1057,1060],{},[27,1052,1053],{},"Threat-informed detection engineering — mapping detection coverage to a threat model such as MITRE ATT&CK.",[27,1055,1056],{},"Purple-team exercises that test whether detections actually fire against realistic attack scenarios.",[27,1058,1059],{},"Documented triage runbooks that produce consistent decisions regardless of which analyst is on shift.",[27,1061,1062],{},"Feedback loops from Respond back to DE.AE — every incident becomes an opportunity to improve future detection.",[10,1064,1066],{"id":1065},"implementation-guidance","Implementation guidance",[15,1068,1069],{},"A pragmatic sequence for standing up the Detect function:",[385,1071,1072,1078,1084,1090,1096,1102,1108],{},[27,1073,1074,1077],{},[30,1075,1076],{},"Decide what must be detected."," Start from the prioritized risk register in the Identify function. Pick the top threat scenarios that matter most to the business — ransomware on critical systems, credential theft of privileged identities, exfiltration of regulated data — and design detection coverage to meet them.",[27,1079,1080,1083],{},[30,1081,1082],{},"Centralize logs."," Choose a SIEM, a log analytics platform, or a managed detection service. What matters is that logs from endpoints, identities, and cloud control planes are collected, retained for a defined period, and searchable.",[27,1085,1086,1089],{},[30,1087,1088],{},"Start with high-fidelity detections."," Identity-centric detections (impossible travel, MFA bypass, new admin creation, token theft indicators) and EDR-based detections tend to produce the highest signal-to-noise ratios. Expand from there.",[27,1091,1092,1095],{},[30,1093,1094],{},"Write and test runbooks."," Every detection should have a runbook that tells an analyst how to triage it. Runbooks should be living documents updated after every incident.",[27,1097,1098,1101],{},[30,1099,1100],{},"Tune continuously."," Alert fatigue kills detection programs. Measure false-positive rates and either tune, suppress, or remove noisy detections.",[27,1103,1104,1107],{},[30,1105,1106],{},"Measure coverage against a framework."," Use MITRE ATT&CK or a similar model to track detection coverage over time. Coverage gaps become initiatives in the NIST CSF roadmap.",[27,1109,1110,1113],{},[30,1111,1112],{},"Feed improvements back to Govern and Identify."," Detection findings often change the risk picture; that information belongs in the risk register and in leadership reporting.",[10,1115,1117],{"id":1116},"common-challenges","Common challenges",[15,1119,1120],{},"Detect programs commonly hit these walls:",[24,1122,1123,1129,1135,1141,1147,1153],{},[27,1124,1125,1128],{},[30,1126,1127],{},"Tooling without tuning."," A SIEM deployed and left on defaults produces a flood of low-value alerts. Investment in detection engineering is non-negotiable.",[27,1130,1131,1134],{},[30,1132,1133],{},"Coverage illusions."," Dashboards that count log sources ingested rather than relevant telemetry collected can create a false sense of coverage. Measure coverage against real threat scenarios, not against log volume.",[27,1136,1137,1140],{},[30,1138,1139],{},"Logs that cannot be searched quickly."," Detection value evaporates if analysts cannot query logs in seconds. Storage architecture and retention policies matter as much as collection.",[27,1142,1143,1146],{},[30,1144,1145],{},"Alert fatigue."," Analysts triaging hundreds of alerts per shift will miss the important ones. Suppress noise aggressively and treat alert volume as a defect metric, not a success metric.",[27,1148,1149,1152],{},[30,1150,1151],{},"No purple-teaming."," Detections that have never been tested against realistic attack simulations often fail silently when a real attack occurs. Regular purple-team exercises validate that the detections actually work.",[27,1154,1155,1158],{},[30,1156,1157],{},"Unclear escalation criteria."," Analysts need a clear rule for when an adverse event becomes an incident and handoff to the Respond function begins. Ambiguity here costs minutes that matter.",[10,1160,1162],{"id":1161},"measuring-detect-outcomes","Measuring Detect outcomes",[15,1164,1165],{},"Mean time to detect (MTTD) is the headline metric for the NIST CSF Detect function, but MTTD alone can be misleading. A Detect program with excellent MTTD for commodity malware but no visibility into identity-based attacks is not actually strong. Mature Detect programs report a small portfolio of metrics: MTTD by scenario class, true-positive rate per detection, alert-to-escalation time, coverage of the MITRE ATT&CK tactics most relevant to the threat model, and percentage of incidents first detected by internal telemetry rather than by a third party or an affected customer. That last metric — internal-first detection rate — is often the most honest measure of Detect maturity.",[15,1167,1168],{},"Detect also benefits from ongoing threat intelligence integration. Intelligence about current adversary behavior, sector-specific threats, and software supply chain compromises should flow into the detection engineering backlog and update existing detections. Without this feedback loop, DE.CM coverage and DE.AE analytics slowly drift behind what attackers are actually doing.",[10,1170,1172],{"id":1171},"how-episki-helps","How episki helps",[15,1174,1175,1176,1178,1179,1181],{},"episki connects directly to your identity provider, EDR, cloud accounts, and SIEM to measure DE.CM coverage and DE.AE performance as living metrics. Coverage gaps against the risk scenarios that matter most to the business become tracked initiatives with owners and due dates. Detection engineering improvements captured in one place are automatically reflected in the NIST CSF profile and in the corresponding ",[81,1177,278],{"href":277},", ",[81,1180,287],{"href":286},", HIPAA, and PCI DSS controls. Leadership sees mean time to detect trending down quarter over quarter; practitioners see the concrete work that made it happen.",[15,1183,1184,1185,1191,1192,85],{},"Ready to turn the NIST CSF Detect function into live, measurable operations? ",[81,1186,1190],{"href":1187,"rel":1188},"https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",[1189],"nofollow","Start a trial"," or ",[81,1193,1195],{"href":1194},"\u002Fdemo","book a demo",{"title":87,"searchDepth":88,"depth":88,"links":1197},[1198,1199,1203,1204,1205,1206],{"id":945,"depth":88,"text":946},{"id":962,"depth":88,"text":963,"children":1200},[1201,1202],{"id":1011,"depth":93,"text":1012},{"id":1041,"depth":93,"text":1042},{"id":1065,"depth":88,"text":1066},{"id":1116,"depth":88,"text":1117},{"id":1161,"depth":88,"text":1162},{"id":1171,"depth":88,"text":1172},"A complete guide to the NIST CSF Detect function — continuous monitoring, adverse event analysis, and detection processes that surface attacks in time to respond.",{"items":1209},[1210,1213,1216,1219],{"label":1211,"content":1212},"What is the Detect function in NIST CSF?","The Detect function develops and implements activities to identify the occurrence of a cybersecurity event in a timely manner. Detect covers continuous monitoring, anomaly and event analysis, and the detection processes that turn telemetry into actionable alerts. Strong Detect shrinks dwell time — the gap between when an attacker gets in and when the organization notices.",{"label":1214,"content":1215},"How did the Detect function change in NIST CSF 2.0?","NIST CSF 2.0 consolidated the original three Detect categories (Anomalies and Events, Security Continuous Monitoring, Detection Processes) into two: Continuous Monitoring (DE.CM) and Adverse Event Analysis (DE.AE). The outcomes previously captured in Detection Processes were folded into DE.AE and the Govern function's oversight category.",{"label":1217,"content":1218},"What should Detect actually produce?","Detect should produce high-fidelity alerts that reach a human or automated responder within minutes and that clearly describe what happened, on which asset, affecting which data, with enough context to begin response. The measure of a healthy Detect program is mean time to detect (MTTD) and the ratio of true-positive to false-positive alerts.",{"label":1220,"content":1221},"Do small organizations need a SIEM to satisfy Detect?","Not necessarily. The NIST Cybersecurity Framework is outcome-based — Detect requires that cybersecurity events are identified in a timely manner, not that a specific tool is deployed. Small organizations can often meet early Detect maturity with cloud-native logging, endpoint detection and response (EDR), identity provider logs, and managed detection and response (MDR) services.",{},"\u002Fframeworks\u002Fnistcsf\u002Fdetect-function",[1225,687,1226],"continuous-monitoring","siem",[1228,1229,1230,1231],"protect-function","respond-function","govern-function","framework-profiles",{"title":1233,"description":1234},"NIST CSF Detect Function (DE): Categories, Subcategories, and Implementation","The NIST CSF Detect function finds cybersecurity events in time to act. Learn DE.CM and DE.AE, build continuous monitoring coverage, and tune detections for real outcomes.","5.frameworks\u002Fnistcsf\u002Fdetect-function","H0LVEtvNGPwmDYOsIoTCZVbzfCvU92sFePdfpUQ3bGw",{"id":1238,"title":1239,"body":1240,"description":1532,"extension":96,"faq":1533,"frameworkSlug":102,"lastUpdated":97,"meta":1534,"navigation":99,"path":1535,"relatedTerms":1536,"relatedTopics":1538,"seo":1541,"stem":1544,"__hash__":1545},"frameworkTopics\u002F5.frameworks\u002Fnistcsf\u002Ffive-functions.md","NIST CSF Five Functions",{"type":7,"value":1241,"toc":1508},[1242,1246,1249,1252,1260,1264,1267,1271,1277,1283,1289,1295,1301,1307,1311,1314,1318,1321,1324,1330,1336,1342,1348,1354,1360,1363,1366,1370,1373,1376,1382,1388,1394,1397,1400,1404,1407,1410,1416,1422,1428,1434,1440,1443,1446,1450,1453,1456,1462,1468,1474,1477,1480,1484,1487],[10,1243,1245],{"id":1244},"the-core-of-the-nist-cybersecurity-framework","The core of the NIST Cybersecurity Framework",[15,1247,1248],{},"The NIST Cybersecurity Framework (CSF) organizes cybersecurity activities into five core functions: Identify, Protect, Detect, Respond, and Recover. These functions provide a high-level, strategic view of an organization's cybersecurity risk management lifecycle. They are not meant to be followed sequentially but rather operate concurrently and continuously as part of a mature security program.",[15,1250,1251],{},"The five functions apply to organizations of all sizes and across all industries. They serve as a common language for communicating cybersecurity posture to executives, boards, regulators, and technical teams. Each function breaks down into categories and subcategories that provide progressively more specific guidance.",[15,1253,1254,1255,1259],{},"Note that NIST CSF 2.0 introduced a sixth function, Govern, which is covered in the ",[81,1256,1258],{"href":1257},"\u002Fframeworks\u002Fnistcsf\u002Fv2-changes","NIST CSF 2.0 changes"," topic.",[10,1261,1263],{"id":1262},"identify-id","Identify (ID)",[15,1265,1266],{},"The Identify function develops an organizational understanding of how to manage cybersecurity risk to systems, people, assets, data, and capabilities. Before you can protect anything, you must know what you have and what risks you face.",[19,1268,1270],{"id":1269},"key-categories","Key categories",[15,1272,1273,1276],{},[30,1274,1275],{},"Asset management (ID.AM)"," - Inventory and manage all physical devices, software platforms, data flows, and external information systems. You cannot protect assets you do not know exist. This includes hardware inventories, software bills of materials, data classification schemes, and mapping of information flows between systems.",[15,1278,1279,1282],{},[30,1280,1281],{},"Business environment (ID.BE)"," - Understand the organization's mission, objectives, stakeholders, and supply chain. Cybersecurity priorities should align with business goals and risk tolerance. This category ensures that security investments support the most critical business functions.",[15,1284,1285,1288],{},[30,1286,1287],{},"Governance (ID.GV)"," - Establish and maintain cybersecurity policies, roles, responsibilities, and coordination between internal and external stakeholders. Governance provides the management framework that directs all other cybersecurity activities.",[15,1290,1291,1294],{},[30,1292,1293],{},"Risk assessment (ID.RA)"," - Identify, analyze, and prioritize cybersecurity risks. This includes threat intelligence, vulnerability identification, likelihood and impact analysis, and risk determination. Risk assessments inform where to allocate resources for the greatest security benefit.",[15,1296,1297,1300],{},[30,1298,1299],{},"Risk management strategy (ID.RM)"," - Define risk tolerance and establish processes for managing risk on an ongoing basis. This includes policies for accepting, mitigating, transferring, or avoiding identified risks.",[15,1302,1303,1306],{},[30,1304,1305],{},"Supply chain risk management (ID.SC)"," - Identify, assess, and manage risks associated with third-party service providers, vendors, and supply chain partners. This category has grown in importance as organizations increasingly depend on external services and software.",[19,1308,1310],{"id":1309},"practical-application","Practical application",[15,1312,1313],{},"The Identify function should produce a comprehensive picture of your organization's cybersecurity posture. This includes a current asset inventory, a risk register prioritized by business impact, documented governance structures, and an understanding of your supply chain dependencies. This foundation enables informed decisions across all other functions.",[10,1315,1317],{"id":1316},"protect-pr","Protect (PR)",[15,1319,1320],{},"The Protect function implements safeguards to ensure delivery of critical services and limit the impact of potential cybersecurity events. This is where preventive controls are designed and deployed.",[19,1322,1270],{"id":1323},"key-categories-1",[15,1325,1326,1329],{},[30,1327,1328],{},"Identity management, authentication, and access control (PR.AC)"," - Manage credentials, implement multi-factor authentication, enforce least privilege, and control access to physical and logical assets. Access control is consistently one of the most critical protective measures across all compliance frameworks.",[15,1331,1332,1335],{},[30,1333,1334],{},"Awareness and training (PR.AT)"," - Ensure that personnel at all levels receive cybersecurity awareness training appropriate to their roles. Privileged users, executives, and third-party stakeholders each need tailored training programs.",[15,1337,1338,1341],{},[30,1339,1340],{},"Data security (PR.DS)"," - Protect data at rest and in transit through encryption, integrity checking, and data loss prevention mechanisms. This category covers the entire data lifecycle from creation through disposal.",[15,1343,1344,1347],{},[30,1345,1346],{},"Information protection processes and procedures (PR.IP)"," - Maintain and use security policies, baselines, and procedures that protect information and systems. This includes configuration management, change control, backup procedures, and incident response planning.",[15,1349,1350,1353],{},[30,1351,1352],{},"Maintenance (PR.MA)"," - Perform and log maintenance on organizational assets in a controlled manner. Remote maintenance must be approved, logged, and conducted using secure channels.",[15,1355,1356,1359],{},[30,1357,1358],{},"Protective technology (PR.PT)"," - Deploy technical security solutions including firewalls, intrusion prevention systems, endpoint protection, and security monitoring tools. Audit logs must be maintained and protected, and communications and control networks must be secured.",[19,1361,1310],{"id":1362},"practical-application-1",[15,1364,1365],{},"The Protect function translates risk assessments from the Identify function into concrete security controls. Effective protection requires layered defenses that address people (training), process (policies and procedures), and technology (security tools). No single control is sufficient -- defense in depth is the guiding principle.",[10,1367,1369],{"id":1368},"detect-de","Detect (DE)",[15,1371,1372],{},"The Detect function defines activities to identify the occurrence of a cybersecurity event in a timely manner. The speed of detection directly impacts the severity of a security incident.",[19,1374,1270],{"id":1375},"key-categories-2",[15,1377,1378,1381],{},[30,1379,1380],{},"Anomalies and events (DE.AE)"," - Establish baselines of normal activity and detect deviations that may indicate malicious behavior. This includes analyzing event data from multiple sources, correlating events to identify patterns, and determining the impact of detected anomalies.",[15,1383,1384,1387],{},[30,1385,1386],{},"Security continuous monitoring (DE.CM)"," - Monitor information systems and assets at regular intervals to detect cybersecurity events and verify the effectiveness of protective measures. This encompasses network monitoring, physical environment monitoring, personnel activity monitoring, malicious code detection, unauthorized mobile code detection, and external service provider activity monitoring.",[15,1389,1390,1393],{},[30,1391,1392],{},"Detection processes (DE.DP)"," - Maintain and test detection processes and procedures to ensure awareness of anomalous events. Detection roles and responsibilities must be defined, detection activities must comply with applicable requirements, detection processes must be tested, and event detection information must be communicated to appropriate parties.",[19,1395,1310],{"id":1396},"practical-application-2",[15,1398,1399],{},"The Detect function relies heavily on technology solutions such as SIEM platforms, intrusion detection systems, endpoint detection and response (EDR) tools, and network traffic analysis. However, technology alone is insufficient. Organizations must define what constitutes normal activity, establish alert thresholds, create response playbooks for different detection scenarios, and regularly test their detection capabilities through exercises like red team engagements and tabletop exercises.",[10,1401,1403],{"id":1402},"respond-rs","Respond (RS)",[15,1405,1406],{},"The Respond function defines activities to take action regarding a detected cybersecurity incident. A well-prepared response capability limits the damage of an incident and supports faster recovery.",[19,1408,1270],{"id":1409},"key-categories-3",[15,1411,1412,1415],{},[30,1413,1414],{},"Response planning (RS.RP)"," - Develop and maintain incident response plans that are executed during and after an incident. Plans should be documented, assign roles and responsibilities, and be tested regularly through exercises.",[15,1417,1418,1421],{},[30,1419,1420],{},"Communications (RS.CO)"," - Coordinate response activities with internal and external stakeholders. This includes notifying affected parties, coordinating with law enforcement when appropriate, sharing information with ISACs and other intelligence sharing organizations, and managing public relations.",[15,1423,1424,1427],{},[30,1425,1426],{},"Analysis (RS.AN)"," - Investigate detected incidents to understand their scope, determine impact, and support forensic analysis. Notifications from detection systems must be investigated, the impact of the incident must be understood, and forensic evidence must be collected and preserved.",[15,1429,1430,1433],{},[30,1431,1432],{},"Mitigation (RS.MI)"," - Contain the incident to prevent expansion and mitigate its effects. This includes isolating affected systems, implementing temporary countermeasures, and addressing newly identified vulnerabilities.",[15,1435,1436,1439],{},[30,1437,1438],{},"Improvements (RS.IM)"," - Incorporate lessons learned from detection and response activities into future response plans and strategies. Post-incident reviews should identify what worked, what did not, and what changes are needed.",[19,1441,1310],{"id":1442},"practical-application-3",[15,1444,1445],{},"Effective incident response requires preparation long before an incident occurs. Organizations should maintain documented response plans, conduct tabletop exercises at least annually, establish communication templates for different incident types, maintain relationships with law enforcement and forensic firms, and test recovery procedures. The Respond function works hand-in-hand with the Detect function -- detection without response capability provides limited value.",[10,1447,1449],{"id":1448},"recover-rc","Recover (RC)",[15,1451,1452],{},"The Recover function develops and implements activities to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity incident.",[19,1454,1270],{"id":1455},"key-categories-4",[15,1457,1458,1461],{},[30,1459,1460],{},"Recovery planning (RC.RP)"," - Develop and maintain recovery plans that are executed during and after an incident. Plans should address the restoration of systems, data, and operations to normal levels within defined recovery time objectives.",[15,1463,1464,1467],{},[30,1465,1466],{},"Improvements (RC.IM)"," - Incorporate lessons learned from recovery activities into updated recovery strategies. This creates a feedback loop that strengthens resilience over time.",[15,1469,1470,1473],{},[30,1471,1472],{},"Communications (RC.CO)"," - Manage public relations, repair reputational damage, and communicate recovery activities to internal and external stakeholders. Coordinated communication during recovery maintains trust with customers, partners, and regulators.",[19,1475,1310],{"id":1476},"practical-application-4",[15,1478,1479],{},"Recovery planning encompasses business continuity planning, disaster recovery procedures, data backup strategies, and communications planning. Organizations should define recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical systems, test backup restoration regularly, and maintain alternate processing capabilities for mission-critical services.",[10,1481,1483],{"id":1482},"how-the-five-functions-work-together","How the five functions work together",[15,1485,1486],{},"The five functions are not a linear sequence but a continuous cycle. Risk identification informs protective controls, protective controls support detection capabilities, detection triggers response, response enables recovery, and recovery feeds back into improved identification and protection.",[15,1488,1489,1490,1494,1495,1499,1500,1504,1505,1507],{},"Organizations using the NIST CSF should assess their maturity across all five functions using ",[81,1491,1493],{"href":1492},"\u002Fframeworks\u002Fnistcsf\u002Fimplementation-tiers","implementation tiers"," and build ",[81,1496,1498],{"href":1497},"\u002Fframeworks\u002Fnistcsf\u002Fframework-profiles","framework profiles"," that capture their current and target states. The five functions also ",[81,1501,1503],{"href":1502},"\u002Fframeworks\u002Fnistcsf\u002Fmapping-to-other-frameworks","map to other frameworks"," like SOC 2, ISO 27001, and ",[81,1506,315],{"href":314},", making them a useful organizing structure for organizations managing multiple compliance requirements.",{"title":87,"searchDepth":88,"depth":88,"links":1509},[1510,1511,1515,1519,1523,1527,1531],{"id":1244,"depth":88,"text":1245},{"id":1262,"depth":88,"text":1263,"children":1512},[1513,1514],{"id":1269,"depth":93,"text":1270},{"id":1309,"depth":93,"text":1310},{"id":1316,"depth":88,"text":1317,"children":1516},[1517,1518],{"id":1323,"depth":93,"text":1270},{"id":1362,"depth":93,"text":1310},{"id":1368,"depth":88,"text":1369,"children":1520},[1521,1522],{"id":1375,"depth":93,"text":1270},{"id":1396,"depth":93,"text":1310},{"id":1402,"depth":88,"text":1403,"children":1524},[1525,1526],{"id":1409,"depth":93,"text":1270},{"id":1442,"depth":93,"text":1310},{"id":1448,"depth":88,"text":1449,"children":1528},[1529,1530],{"id":1455,"depth":93,"text":1270},{"id":1476,"depth":93,"text":1310},{"id":1482,"depth":88,"text":1483},"A detailed exploration of the five core functions of the NIST Cybersecurity Framework -- Identify, Protect, Detect, Respond, and Recover.",null,{},"\u002Fframeworks\u002Fnistcsf\u002Ffive-functions",[1537],"grc",[1539,1231,1540],"implementation-tiers","v2-changes",{"title":1542,"description":1543},"NIST CSF Five Functions - Identify, Protect, Detect, Respond, Recover","Understand the five core NIST CSF functions that organize cybersecurity activities. Learn what each function covers and how they work together.","5.frameworks\u002Fnistcsf\u002Ffive-functions","UKMCkvYY8EuaXD7Ye2itJwTIEwrWdBaTphfOZvfHqb4",{"id":1547,"title":1548,"advantages":1549,"body":1571,"checklist":2090,"cta":2099,"description":87,"extension":96,"faq":2102,"hero":2119,"lastUpdated":2133,"meta":2134,"name":324,"navigation":99,"path":323,"resources":2135,"seo":2148,"slug":102,"stats":2151,"stem":2161,"__hash__":2162},"frameworks\u002F5.frameworks\u002Fnistcsf.md","Nistcsf",[1550,1557,1564],{"title":1551,"description":1552,"bullets":1553},"Tailored CSF roadmap","Start with opinionated baseline controls, then layer your own.",[1554,1555,1556],"Gap analysis highlights missing outcomes","Auto-generated improvement initiatives","Budget impact estimates for leadership",{"title":1558,"description":1559,"bullets":1560},"Continuous monitoring and AI ops","Stream alerts, detections, and incidents into CSF context.",[1561,1562,1563],"Connect SIEM, EDR, and cloud posture tools","AI summarizes incidents for exec updates","Workflows escalate unreviewed alerts",{"title":1565,"description":1566,"bullets":1567},"Board and customer alignment","Share progress externally with confidence.",[1568,1569,1570],"Customizable scorecards for customers or partners","Trend lines show quarter-over-quarter improvements","Trust room access with expiring links",{"type":7,"value":1572,"toc":2068},[1573,1577,1584,1587,1591,1598,1601,1605,1608,1619,1622,1625,1628,1666,1672,1676,1679,1682,1686,1695,1697,1707,1709,1719,1721,1730,1732,1742,1744,1754,1757,1761,1767,1793,1798,1802,1809,1812,1826,1829,1839,1843,1854,1871,1878,1882,1890,1898,1909,1913,1916,1963,1966,1970,1973,2005,2008,2011,2015,2018,2062,2065],[10,1574,1576],{"id":1575},"what-is-nist-csf","What is NIST CSF?",[15,1578,1579,1580,1583],{},"The NIST Cybersecurity Framework (NIST CSF) is a voluntary, outcome-based set of cybersecurity guidelines published by the ",[81,1581,1582],{"href":100},"National Institute of Standards and Technology",". The NIST Cybersecurity Framework gives organizations a shared vocabulary and a prioritized structure for managing cybersecurity risk, measuring program maturity, and communicating security posture to executives, boards, regulators, customers, and insurers.",[15,1585,1586],{},"NIST CSF is not a certification, a control catalog, or a compliance standard. It is a framework — a model that organizes cybersecurity activities into functions, categories, and subcategories so that any organization can describe its current cybersecurity posture, describe its target cybersecurity posture, identify and prioritize opportunities for improvement, assess progress, and communicate cybersecurity risk in a consistent way. Because NIST CSF is technology- and sector-neutral, it has become one of the most widely adopted cybersecurity frameworks in the world, used by Fortune 500 companies, federal contractors, critical infrastructure operators, state and local governments, startups, nonprofits, and multinational enterprises.",[19,1588,1590],{"id":1589},"nist-origin-and-executive-order-13636","NIST origin and Executive Order 13636",[15,1592,1593,1594,1597],{},"The NIST Cybersecurity Framework was created in response to a growing wave of attacks against United States critical infrastructure. In February 2013, President Barack Obama signed ",[30,1595,1596],{},"Executive Order 13636 — Improving Critical Infrastructure Cybersecurity",", which directed NIST to work with industry, academia, and other government agencies to develop a voluntary cybersecurity framework for critical infrastructure operators. The executive order explicitly called for a flexible, repeatable, performance-based, and cost-effective approach that could scale from small municipal utilities to the largest financial institutions.",[15,1599,1600],{},"NIST published version 1.0 of the NIST Cybersecurity Framework in February 2014 after a year of public workshops, industry comment periods, and collaboration with more than three thousand individuals and organizations. The first version of NIST CSF introduced the five core functions — Identify, Protect, Detect, Respond, and Recover — along with the concept of framework profiles and implementation tiers. Even though NIST CSF was designed for critical infrastructure, organizations in every sector quickly adopted it because it filled a gap that prescriptive standards did not: a business-friendly model for talking about cybersecurity risk.",[19,1602,1604],{"id":1603},"the-evolution-of-nist-csf","The evolution of NIST CSF",[15,1606,1607],{},"In April 2018, NIST released NIST CSF version 1.1. This incremental update clarified existing guidance, added a new Supply Chain Risk Management category (ID.SC), improved the self-assessment language, and added authentication and identity proofing subcategories. NIST CSF 1.1 contained 108 subcategories grouped under 23 categories across the five functions, and it remained the dominant version of the NIST Cybersecurity Framework for six years.",[15,1609,1610,1611,1614,1615,1618],{},"In February 2024, NIST published ",[30,1612,1613],{},"NIST CSF 2.0"," — the first major revision of the NIST Cybersecurity Framework. NIST CSF 2.0 expanded the scope of the framework beyond critical infrastructure, added a brand-new sixth function called ",[30,1616,1617],{},"Govern",", reorganized several categories, and introduced a richer set of implementation resources including quick-start guides, informative references, and community profiles.",[10,1620,1258],{"id":1621},"nist-csf-20-changes",[15,1623,1624],{},"The jump from NIST CSF 1.1 to NIST CSF 2.0 is the most significant update the NIST Cybersecurity Framework has ever received. The changes are not cosmetic — they reshape how organizations are expected to structure and govern their cybersecurity programs.",[15,1626,1627],{},"Highlights of NIST CSF 2.0:",[24,1629,1630,1636,1642,1648,1660],{},[27,1631,1632,1635],{},[30,1633,1634],{},"A sixth function — Govern (GV)"," — elevates cybersecurity governance from a sub-category under Identify to a standalone top-level function covering organizational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management.",[27,1637,1638,1641],{},[30,1639,1640],{},"Explicit scope expansion"," — NIST CSF 2.0 applies to organizations of any size, sector, or maturity level, not just critical infrastructure. Small-business quick-start guides, community profiles, and sector-specific profiles make the NIST Cybersecurity Framework accessible to organizations that previously found NIST CSF 1.1 too enterprise-centric.",[27,1643,1644,1647],{},[30,1645,1646],{},"Stronger supply chain focus"," — GV.SC expands the NIST CSF treatment of third-party risk, supplier due diligence, and software supply chain security, reflecting the lessons of SolarWinds, Kaseya, Log4j, and MOVEit.",[27,1649,1650,1653,1654,1656,1657,1659],{},[30,1651,1652],{},"Improved implementation guidance"," — NIST CSF 2.0 ships with a companion CSF Reference Tool, searchable informative references mapping NIST CSF subcategories to ",[81,1655,38],{"href":100},", ISO 27001, CIS Controls, ",[81,1658,278],{"href":277},", and more.",[27,1661,1662,1665],{},[30,1663,1664],{},"Refreshed implementation tiers"," — the four-tier maturity model (Partial, Risk-Informed, Repeatable, Adaptive) now explicitly incorporates governance and supply chain considerations.",[15,1667,1668,1669,1671],{},"For a deep dive into every structural and categorical change between NIST CSF 1.1 and NIST CSF 2.0, see our ",[81,1670,1258],{"href":1257}," guide.",[10,1673,1675],{"id":1674},"the-six-core-functions-of-nist-csf-20","The six core functions of NIST CSF 2.0",[15,1677,1678],{},"The NIST Cybersecurity Framework organizes cybersecurity activity into a small number of top-level functions. NIST CSF 1.1 defined five functions; NIST CSF 2.0 defines six. Each function represents a category of outcomes that a mature cybersecurity program must deliver, and each function decomposes into categories and subcategories that describe the outcomes in progressively more specific terms.",[15,1680,1681],{},"The six NIST CSF 2.0 functions are:",[19,1683,1685],{"id":1684},"govern-gv","Govern (GV)",[15,1687,949,1688,1690,1691,85],{},[30,1689,1617],{}," function — new in NIST CSF 2.0 — establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policy. Govern is the leadership and accountability layer of NIST CSF. It sits above the other five functions and informs everything the organization does to identify, protect, detect, respond, and recover. Deep dive: ",[81,1692,1694],{"href":1693},"\u002Fframeworks\u002Fnistcsf\u002Fgovern-function","NIST CSF Govern function",[19,1696,1263],{"id":1262},[15,1698,949,1699,1702,1703,85],{},[30,1700,1701],{},"Identify"," function develops an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. Identify is where you inventory what you have, understand the business context in which it operates, and decide what matters most. Without Identify, the rest of the NIST Cybersecurity Framework has nothing to act on. Deep dive: ",[81,1704,1706],{"href":1705},"\u002Fframeworks\u002Fnistcsf\u002Fidentify-function","NIST CSF Identify function",[19,1708,1317],{"id":1316},[15,1710,949,1711,1714,1715,85],{},[30,1712,1713],{},"Protect"," function implements safeguards to ensure delivery of critical services and limit or contain the impact of cybersecurity events. Protect encompasses identity and access management, awareness and training, data security, information protection processes, maintenance, and protective technology. Deep dive: ",[81,1716,1718],{"href":1717},"\u002Fframeworks\u002Fnistcsf\u002Fprotect-function","NIST CSF Protect function",[19,1720,1369],{"id":1368},[15,1722,949,1723,1726,1727,85],{},[30,1724,1725],{},"Detect"," function develops and implements appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. Detect covers continuous monitoring, anomaly analysis, and detection processes — the telemetry, alerting, and threat-hunting capabilities that surface attacks as they happen. Deep dive: ",[81,1728,1729],{"href":1223},"NIST CSF Detect function",[19,1731,1403],{"id":1402},[15,1733,949,1734,1737,1738,85],{},[30,1735,1736],{},"Respond"," function contains activities to take action regarding a detected cybersecurity incident. Respond covers incident response planning, communications, analysis, containment, eradication, and lessons-learned improvements. A strong Respond capability is what separates a contained incident from a front-page breach. Deep dive: ",[81,1739,1741],{"href":1740},"\u002Fframeworks\u002Fnistcsf\u002Frespond-function","NIST CSF Respond function",[19,1743,1449],{"id":1448},[15,1745,949,1746,1749,1750,85],{},[30,1747,1748],{},"Recover"," function contains activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Recover covers recovery planning, improvements, and communications. Recover is how organizations return to normal operations while capturing lessons learned to strengthen the program. Deep dive: ",[81,1751,1753],{"href":1752},"\u002Fframeworks\u002Fnistcsf\u002Frecover-function","NIST CSF Recover function",[15,1755,1756],{},"Together, the six NIST CSF functions describe the complete cybersecurity lifecycle. Mature organizations operate all six functions simultaneously and continuously, not in a linear sequence.",[10,1758,1760],{"id":1759},"nist-csf-implementation-tiers","NIST CSF implementation tiers",[15,1762,1763,1764,1766],{},"NIST CSF uses ",[30,1765,1493],{}," to describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the NIST Cybersecurity Framework. The four tiers are not a maturity scale in the traditional sense — NIST is careful to say that Tier 4 is not required for every organization. Instead, implementation tiers help organizations choose an appropriate level of rigor given their risk tolerance, mission, regulatory obligations, threat environment, and resources.",[24,1768,1769,1775,1781,1787],{},[27,1770,1771,1774],{},[30,1772,1773],{},"Tier 1 — Partial",": Cybersecurity risk management is ad hoc and reactive. Policies are informal, risk awareness is limited, and supply chain considerations are rarely formalized.",[27,1776,1777,1780],{},[30,1778,1779],{},"Tier 2 — Risk-Informed",": Risk management practices are approved by management but may not be established organization-wide. Cybersecurity activities consider organizational risk objectives.",[27,1782,1783,1786],{},[30,1784,1785],{},"Tier 3 — Repeatable",": Formal policies exist and are applied consistently. The organization has the people, processes, and tooling to operate the NIST Cybersecurity Framework repeatably.",[27,1788,1789,1792],{},[30,1790,1791],{},"Tier 4 — Adaptive",": The organization adapts its cybersecurity practices based on lessons learned, threat intelligence, and changes in the business environment. Cybersecurity risk management is part of the organizational culture.",[15,1794,1795,1796,1671],{},"For a complete walkthrough of each tier, including how to select a target tier and move between tiers, see our ",[81,1797,1760],{"href":1492},[10,1799,1801],{"id":1800},"nist-csf-framework-profiles","NIST CSF framework profiles",[15,1803,1804,1805,1808],{},"A ",[30,1806,1807],{},"framework profile"," is the unique alignment of NIST CSF functions, categories, and subcategories with the organization's business requirements, risk tolerance, and resources. Profiles are the tool that turns the NIST Cybersecurity Framework from a generic model into a specific plan for a specific organization.",[15,1810,1811],{},"NIST CSF supports two kinds of profiles:",[24,1813,1814,1820],{},[27,1815,1804,1816,1819],{},[30,1817,1818],{},"Current Profile"," describes the cybersecurity outcomes the organization is achieving today.",[27,1821,1804,1822,1825],{},[30,1823,1824],{},"Target Profile"," describes the cybersecurity outcomes the organization wants to achieve.",[15,1827,1828],{},"The gap between the Current Profile and the Target Profile becomes a prioritized roadmap: which NIST CSF subcategories need investment, in what order, and at what cost. Community profiles published by NIST (for small business, healthcare, financial services, manufacturing, and others) give organizations a head start by providing pre-built Target Profiles tailored to specific sectors.",[15,1830,1831,1832,1836,1837,85],{},"For a complete framework profiles walkthrough — including how to build your first profile, how to use community profiles, and how to link profiles to your ",[81,1833,1835],{"href":1834},"\u002Fglossary\u002Fcontrol-framework","control framework"," — see ",[81,1838,1801],{"href":1497},[10,1840,1842],{"id":1841},"nist-csf-categories-and-subcategories","NIST CSF categories and subcategories",[15,1844,1845,1846,1849,1850,1853],{},"Below the function layer, NIST CSF decomposes cybersecurity activity into ",[30,1847,1848],{},"categories"," and ",[30,1851,1852],{},"subcategories",". Categories group related outcomes within a function (for example, Asset Management, Access Control, Continuous Monitoring), and subcategories express specific outcome statements that a mature program should achieve.",[24,1855,1856,1866],{},[27,1857,1858,1861,1862,1865],{},[30,1859,1860],{},"NIST CSF 1.1"," defined 23 categories and ",[30,1863,1864],{},"108 subcategories"," across the five original functions.",[27,1867,1868,1870],{},[30,1869,1613],{}," reorganized the catalog around six functions. The total number of subcategories in NIST CSF 2.0 was restructured (and slightly reduced after consolidation) to roughly 106, grouped under 22 categories, with Govern contributing six new categories of its own.",[15,1872,1873,1874,1877],{},"Every NIST CSF subcategory is written as an outcome — for example, \"PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.\" NIST intentionally avoids prescribing specific technologies, controls, or implementation details. Instead, NIST CSF provides ",[30,1875,1876],{},"informative references"," that map each subcategory to specific controls in NIST SP 800-53, ISO 27001 Annex A, CIS Critical Security Controls, COBIT, and other authoritative sources. This outcome-first design is what makes NIST CSF work across industries, company sizes, and technology stacks.",[10,1879,1881],{"id":1880},"mapping-nist-csf-to-other-frameworks","Mapping NIST CSF to other frameworks",[15,1883,1884,1885,1178,1887,1889],{},"One of the most valuable properties of the NIST Cybersecurity Framework is its ability to act as a unifying layer across multiple compliance regimes. Organizations that need to satisfy ",[81,1886,278],{"href":277},[81,1888,287],{"href":286},", HIPAA, PCI DSS, GDPR, FedRAMP, CMMC, and NIST SP 800-171 at the same time can use NIST CSF as the \"Rosetta Stone\" that maps each requirement to a common set of outcomes.",[15,1891,1892,1893,1897],{},"For federal contractors in particular, NIST CSF acts as the governance umbrella above NIST SP 800-171 and ",[81,1894,1896],{"href":1895},"\u002Fframeworks\u002Fcmmc\u002Fnist-800-171-mapping","CMMC",", both of which are derived from the NIST family of publications. A NIST CSF Target Profile that references NIST SP 800-53 informative references can be reused — with minor adjustments — as an ISO 27001 Statement of Applicability, a SOC 2 Trust Services Criteria mapping, and a HIPAA Security Rule crosswalk.",[15,1899,1900,1901,1903,1904,1908],{},"For a detailed crosswalk between NIST CSF and the major compliance frameworks — including worked examples of how a single NIST CSF subcategory maps to multiple standards — see ",[81,1902,1881],{"href":1502},". If you are actively building that mapping into a live compliance program, our ",[81,1905,1907],{"href":1906},"\u002Fnow\u002Fnist-csf-mapping-compliance","NIST CSF mapping compliance"," guide walks through the operational mechanics.",[10,1910,1912],{"id":1911},"who-uses-nist-csf","Who uses NIST CSF?",[15,1914,1915],{},"The NIST Cybersecurity Framework started as a voluntary framework for United States critical infrastructure. A decade later, NIST CSF is used by:",[24,1917,1918,1924,1933,1939,1945,1951,1957],{},[27,1919,1920,1923],{},[30,1921,1922],{},"Critical infrastructure operators"," — energy, water, transportation, communications, healthcare, and financial services organizations that fall under the 16 critical infrastructure sectors originally targeted by Executive Order 13636.",[27,1925,1926,1929,1930,85],{},[30,1927,1928],{},"Federal agencies and federal contractors"," — Executive Order 13800 required federal agencies to use NIST CSF to manage cybersecurity risk. Agencies and their contractors routinely use NIST CSF alongside ",[81,1931,1932],{"href":1895},"NIST SP 800-171 and the CMMC program",[27,1934,1935,1938],{},[30,1936,1937],{},"State, local, tribal, and territorial (SLTT) governments"," — many states have adopted NIST CSF as the baseline cybersecurity model for agencies and municipal systems.",[27,1940,1941,1944],{},[30,1942,1943],{},"Large enterprises"," — Fortune 500 companies use NIST CSF to communicate cybersecurity risk to boards, investors, insurers, and regulators.",[27,1946,1947,1950],{},[30,1948,1949],{},"Small and mid-sized businesses (SMBs)"," — especially after NIST CSF 2.0, which ships with SMB-specific quick-start guides and community profiles.",[27,1952,1953,1956],{},[30,1954,1955],{},"Non-US organizations"," — NIST CSF is widely used outside the United States as a practical cybersecurity model that complements ISO 27001 and other international standards.",[27,1958,1959,1962],{},[30,1960,1961],{},"Insurers and investors"," — cyber insurance carriers and private-equity diligence teams increasingly ask portfolio companies to report maturity against NIST CSF as evidence of disciplined cybersecurity risk management.",[15,1964,1965],{},"The common thread is that NIST CSF works for any organization that needs to manage cybersecurity risk and communicate that risk to non-technical stakeholders. That is essentially every organization.",[10,1967,1969],{"id":1968},"nist-csf-vs-nist-sp-800-53-vs-nist-sp-800-171","NIST CSF vs NIST SP 800-53 vs NIST SP 800-171",[15,1971,1972],{},"NIST publishes dozens of cybersecurity documents, and three of them — NIST CSF, NIST SP 800-53, and NIST SP 800-171 — are often confused. Here is how they differ and how they fit together.",[24,1974,1975,1985,1995],{},[27,1976,1977,1980,1981,1984],{},[30,1978,1979],{},"NIST CSF (Cybersecurity Framework)"," is an ",[30,1982,1983],{},"outcome-based framework",". It defines what cybersecurity outcomes to achieve (the subcategories) but does not tell you exactly how to achieve them. NIST CSF is voluntary, technology-neutral, and applies to any organization.",[27,1986,1987,1990,1991,1994],{},[30,1988,1989],{},"NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)"," is a comprehensive ",[30,1992,1993],{},"control catalog",". SP 800-53 contains more than one thousand security and privacy controls organized into families such as Access Control (AC), Audit and Accountability (AU), and System and Communications Protection (SC). NIST SP 800-53 is mandatory for US federal information systems under FISMA and the Risk Management Framework (RMF).",[27,1996,1997,2000,2001,2004],{},[30,1998,1999],{},"NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)"," is a ",[30,2002,2003],{},"derived subset"," of NIST SP 800-53 focused on protecting Controlled Unclassified Information (CUI) in nonfederal systems. SP 800-171 is mandatory for any organization that handles CUI on behalf of the federal government and forms the basis for CMMC.",[15,2006,2007],{},"The relationship between the three is straightforward: NIST CSF describes the outcomes, NIST SP 800-53 and NIST SP 800-171 describe the controls that deliver those outcomes, and the NIST CSF informative references tell you which 800-53 and 800-171 controls satisfy each NIST CSF subcategory. Organizations use NIST CSF to frame the strategy and use NIST SP 800-53 or NIST SP 800-171 to implement the controls.",[15,2009,2010],{},"Federal contractors that handle CUI will typically use all three: NIST CSF for executive communication and maturity scoring, NIST SP 800-171 as the binding control baseline, and NIST SP 800-53 as the deeper reference catalog.",[10,2012,2014],{"id":2013},"getting-started-with-nist-csf","Getting started with NIST CSF",[15,2016,2017],{},"Implementing the NIST Cybersecurity Framework does not require a multi-year consulting engagement. A typical first NIST CSF implementation follows a repeatable pattern:",[385,2019,2020,2026,2032,2038,2044,2050,2056],{},[27,2021,2022,2025],{},[30,2023,2024],{},"Scope and prioritize"," — decide which parts of the organization are in scope for this iteration of NIST CSF. Startups often scope the entire company. Enterprises may scope a business unit, a product line, or a critical system.",[27,2027,2028,2031],{},[30,2029,2030],{},"Build a Current Profile"," — score the organization's current performance against each NIST CSF subcategory. Be honest. Many organizations discover that half of their NIST CSF subcategories are informal or partially implemented.",[27,2033,2034,2037],{},[30,2035,2036],{},"Build a Target Profile"," — decide what level of NIST CSF maturity the organization needs. Community profiles and sector profiles published by NIST are excellent starting points.",[27,2039,2040,2043],{},[30,2041,2042],{},"Perform a gap analysis"," — the delta between Current and Target is your NIST CSF roadmap. Prioritize by business impact, risk, and cost.",[27,2045,2046,2049],{},[30,2047,2048],{},"Select implementation tiers"," — match each part of the program to an appropriate tier. Not every subcategory needs to be Tier 4.",[27,2051,2052,2055],{},[30,2053,2054],{},"Execute and measure"," — track initiatives, re-score the NIST CSF profile quarterly, and report progress to leadership.",[27,2057,2058,2061],{},[30,2059,2060],{},"Map to other frameworks"," — reuse the NIST CSF profile as the source of truth for SOC 2, ISO 27001, HIPAA, and CMMC evidence.",[15,2063,2064],{},"episki was built for exactly this workflow. episki turns NIST CSF into a live scorecard: you import or build a Current Profile, choose a Target Profile, and episki generates the initiatives, tasks, and evidence collection needed to close the gap — all mapped to your other frameworks automatically. If you are starting from scratch or migrating from NIST CSF 1.1 to NIST CSF 2.0, episki can help you skip the spreadsheet phase entirely.",[15,2066,2067],{},"Ready to operationalize the NIST Cybersecurity Framework? Start a trial, import your controls, and share a NIST CSF scorecard with leadership the same day.",{"title":87,"searchDepth":88,"depth":88,"links":2069},[2070,2074,2075,2083,2084,2085,2086,2087,2088,2089],{"id":1575,"depth":88,"text":1576,"children":2071},[2072,2073],{"id":1589,"depth":93,"text":1590},{"id":1603,"depth":93,"text":1604},{"id":1621,"depth":88,"text":1258},{"id":1674,"depth":88,"text":1675,"children":2076},[2077,2078,2079,2080,2081,2082],{"id":1684,"depth":93,"text":1685},{"id":1262,"depth":93,"text":1263},{"id":1316,"depth":93,"text":1317},{"id":1368,"depth":93,"text":1369},{"id":1402,"depth":93,"text":1403},{"id":1448,"depth":93,"text":1449},{"id":1759,"depth":88,"text":1760},{"id":1800,"depth":88,"text":1801},{"id":1841,"depth":88,"text":1842},{"id":1880,"depth":88,"text":1881},{"id":1911,"depth":88,"text":1912},{"id":1968,"depth":88,"text":1969},{"id":2013,"depth":88,"text":2014},{"title":2091,"description":2092,"items":2093},"NIST CSF launch guide","Use episki’s free trial to benchmark, prioritize, and communicate fast.",[2094,2095,2096,2097,2098],"Baseline maturity assessment","Control library mapped to CSF categories","Initiative tracker with due dates and owners","Risk register tied to CSF outcomes","Executive report template",{"title":2100,"description":2101},"See your NIST CSF score in episki","Start the trial, import controls, and share a scorecard the same day.",{"title":2103,"items":2104},"NIST CSF frequently asked questions",[2105,2107,2110,2113,2116],{"label":1576,"content":2106},"The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology that helps organizations manage and reduce cybersecurity risk. It provides a common language for understanding, managing, and expressing cybersecurity risk through five core functions.",{"label":2108,"content":2109},"What is the difference between NIST CSF and ISO 27001?","NIST CSF is a voluntary, outcome-focused maturity framework that helps organizations assess and improve their cybersecurity posture. ISO 27001 is a certifiable standard requiring a formal ISMS. Many organizations use NIST CSF as an internal maturity model alongside ISO 27001 certification for external assurance.",{"label":2111,"content":2112},"Is NIST CSF mandatory?","NIST CSF is voluntary for most private-sector organizations but is mandatory for US federal agencies under Executive Order 13800. Many industries and regulators reference it as a best-practice baseline, and customers increasingly expect suppliers to demonstrate alignment.",{"label":2114,"content":2115},"What are the NIST CSF implementation tiers?","The four tiers describe the maturity of an organization's cybersecurity risk management. Tier 1 (Partial) is ad hoc and reactive. Tier 2 (Risk-Informed) has some risk awareness. Tier 3 (Repeatable) has formal policies. Tier 4 (Adaptive) continuously improves based on lessons learned and threat intelligence.",{"label":2117,"content":2118},"How does NIST CSF relate to other compliance frameworks?","NIST CSF maps to many standards including SOC 2, ISO 27001, HIPAA, and PCI DSS. Organizations use it as a unifying layer to identify control gaps and overlaps across multiple compliance requirements, reducing duplicate work when pursuing multiple frameworks.",{"headline":2120,"title":2121,"description":2122,"links":2123},"Measure security maturity","Operationalize NIST CSF across Identify, Protect, Detect, Respond, and Recover","episki translates CSF categories into action plans with real-time scoring and executive reporting.",[2124,2127],{"label":2125,"icon":2126,"to":1187},"Start NIST CSF trial","i-lucide-rocket",{"label":2128,"icon":2129,"color":2130,"variant":2131,"to":1194,"target":2132},"Book a demo","i-lucide-presentation","neutral","subtle","_blank","2026-04-27",{},{"headline":2136,"title":2136,"description":2137,"items":2138},"NIST CSF toolset","Everything you need to show measurable progress.",[2139,2142,2145],{"title":2140,"description":2141},"Quarterly business review pack","Slides with KPIs, upcoming initiatives, and resource needs.",{"title":2143,"description":2144},"Customer assurance brief","Explains how NIST CSF maps to their requirements.",{"title":2146,"description":2147},"Automation cookbook","Step-by-step instructions for connecting your tooling.",{"title":2149,"description":2150},"NIST CSF Framework Software","Operationalize NIST CSF with live maturity scoring, risk registers, and executive dashboards. Benchmark and improve your cybersecurity posture with episki.",[2152,2155,2158],{"value":2153,"description":2154},"Live maturity score","Automated scoring by category, tier, and business unit.",{"value":2156,"description":2157},"Unified risk register","Link risks to CSF categories with AI-prioritized remediation.",{"value":2159,"description":2160},"Executive-ready","Dashboards turn security work into business milestones.","5.frameworks\u002Fnistcsf","Doz-LVyeK9ESsWNopGw7Kjfzq0igBKQBgD_u17qdUwk",{"id":2164,"title":2165,"body":2166,"comparison":2257,"competitorA":2302,"competitorB":2303,"cta":2304,"description":87,"extension":96,"faq":1533,"hero":2307,"lastUpdated":2133,"meta":2316,"navigation":99,"path":2317,"seo":2318,"slug":2321,"slugA":2322,"slugB":2323,"stem":2324,"verdict":2325,"__hash__":2329},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs Secureframe",{"type":7,"value":2167,"toc":2247},[2168,2172,2175,2179,2182,2188,2191,2195,2198,2201,2204,2208,2211,2214,2218,2221,2224,2228,2231,2234,2238,2241,2244],[10,2169,2171],{"id":2170},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[15,2173,2174],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[19,2176,2178],{"id":2177},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[15,2180,2181],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[15,2183,2184,2187],{},[30,2185,2186],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[15,2189,2190],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[19,2192,2194],{"id":2193},"the-dashboard-question","The dashboard question",[15,2196,2197],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[15,2199,2200],{},"Secureframe also provides dashboards, but they feel more functional than visual. The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[15,2202,2203],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[19,2205,2207],{"id":2206},"integration-depth","Integration depth",[15,2209,2210],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[15,2212,2213],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[19,2215,2217],{"id":2216},"pricing-opacity","Pricing opacity",[15,2219,2220],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[15,2222,2223],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[19,2225,2227],{"id":2226},"where-both-platforms-struggle","Where both platforms struggle",[15,2229,2230],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[15,2232,2233],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[19,2235,2237],{"id":2236},"the-case-for-a-different-approach","The case for a different approach",[15,2239,2240],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[15,2242,2243],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. No templated policies that read like every other company's.",[15,2245,2246],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":87,"searchDepth":88,"depth":88,"links":2248},[2249],{"id":2170,"depth":88,"text":2171,"children":2250},[2251,2252,2253,2254,2255,2256],{"id":2177,"depth":93,"text":2178},{"id":2193,"depth":93,"text":2194},{"id":2206,"depth":93,"text":2207},{"id":2216,"depth":93,"text":2217},{"id":2226,"depth":93,"text":2227},{"id":2236,"depth":93,"text":2237},[2258,2263,2267,2272,2277,2282,2287,2292,2297],{"feature":2259,"competitorA":2260,"competitorB":2261,"episki":2262},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":2264,"competitorA":2265,"competitorB":2265,"episki":2266},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":2268,"competitorA":2269,"competitorB":2270,"episki":2271},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":2273,"competitorA":2274,"competitorB":2275,"episki":2276},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":2278,"competitorA":2279,"competitorB":2280,"episki":2281},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A threads",{"feature":2283,"competitorA":2284,"competitorB":2285,"episki":2286},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":2288,"competitorA":2289,"competitorB":2290,"episki":2291},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":2293,"competitorA":2294,"competitorB":2295,"episki":2296},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":2298,"competitorA":2299,"competitorB":2300,"episki":2301},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":2305,"description":2306},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":2308,"title":2309,"description":2310,"links":2311},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. Two closely matched platforms with subtle but important differences for your team.",[2312,2314],{"label":2313,"icon":2126,"to":1187},"Try episki free",{"label":2128,"icon":2315,"color":2130,"variant":2131,"to":1194,"target":2132},"i-lucide-message-circle",{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":2319,"description":2320},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":2326,"chooseB":2327,"chooseEpiski":2328},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","-9bT-xU4uDSMSn9zCOtrDaYtPz87mkvNHS5pQ2bXDTw",{"id":2331,"title":2302,"advantages":2332,"body":2354,"comparison":2405,"competitor":2302,"cta":2432,"description":87,"extension":96,"hero":2435,"lastUpdated":2133,"meta":2444,"navigation":99,"path":2445,"seo":2446,"slug":2322,"stem":2449,"__hash__":2450},"compare\u002F7.compare\u002Fdrata.md",[2333,2340,2347],{"title":2334,"description":2335,"bullets":2336},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. No tiers, no negotiations.",[2337,2338,2339],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":2341,"description":2342,"bullets":2343},"Connected programs and assessments","episki treats compliance as connected work. Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[2344,2345,2346],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":2348,"description":2349,"bullets":2350},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[2351,2352,2353],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":7,"value":2355,"toc":2400},[2356,2360,2363,2366,2386,2390,2393,2397],[10,2357,2359],{"id":2358},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[15,2361,2362],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. It works well for organizations that want continuous monitoring with minimal manual intervention.",[15,2364,2365],{},"Some teams look for alternatives when they need:",[24,2367,2368,2374,2380],{},[27,2369,2370,2373],{},[30,2371,2372],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[27,2375,2376,2379],{},[30,2377,2378],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[27,2381,2382,2385],{},[30,2383,2384],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[10,2387,2389],{"id":2388},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[15,2391,2392],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[10,2394,2396],{"id":2395},"when-episki-shines","When episki shines",[15,2398,2399],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":87,"searchDepth":88,"depth":88,"links":2401},[2402,2403,2404],{"id":2358,"depth":88,"text":2359},{"id":2388,"depth":88,"text":2389},{"id":2395,"depth":88,"text":2396},[2406,2408,2409,2413,2417,2420,2424,2428],{"feature":2259,"episki":2262,"competitor":2407},"Tiered pricing based on framework count and company size",{"feature":2264,"episki":2266,"competitor":2265},{"feature":2410,"episki":2411,"competitor":2412},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":2414,"episki":2415,"competitor":2416},"Evidence collection","Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":2418,"episki":2286,"competitor":2419},"AI assistance","AI-powered compliance automation",{"feature":2421,"episki":2422,"competitor":2423},"Risk management","Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":2425,"episki":2426,"competitor":2427},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":2429,"episki":2430,"competitor":2431},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":2433,"description":2434},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":2436,"title":2437,"description":2438,"links":2439},"episki vs Drata","How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[2440,2442],{"label":2441,"icon":2126,"to":1187},"Start free trial",{"label":2443,"icon":2315,"color":2130,"variant":2131,"to":1194,"target":2132},"See a live demo",{},"\u002Fcompare\u002Fdrata",{"title":2447,"description":2448},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","cEQX4ERRc-uB7nEUxB1Uik-1ODue4boobvNZiV8Xrvk",{"id":2452,"title":2453,"api":1533,"authors":2454,"body":2460,"category":2595,"date":2596,"description":2597,"extension":96,"features":1533,"fixes":1533,"highlight":1533,"image":2598,"improvements":1533,"meta":2600,"navigation":99,"path":2601,"seo":2602,"stem":2603,"__hash__":2604},"posts\u002F3.now\u002Ftips.md","Tips for Building a Strong Security Culture",[2455],{"name":2456,"to":2457,"avatar":2458},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":2459},"\u002Fimages\u002Fjustinleapline.png",{"type":7,"value":2461,"toc":2587},[2462,2465,2468,2471,2474,2478,2481,2484,2487,2491,2494,2506,2509,2513,2516,2519,2522,2526,2529,2532,2535,2539,2542,2545,2548,2552,2555,2558,2561,2566,2575,2582],[15,2463,2464],{},"You can have the best firewall on the market, a mature vulnerability management program, and a SOC running 24\u002F7 — and still be one phishing email away from a serious incident.",[15,2466,2467],{},"Not because your tools failed. Because your people weren't part of the security equation.",[15,2469,2470],{},"Security culture is the difference between an organization where employees see security as someone else's job and one where they actively contribute to it. Building that culture is one of the hardest things a security leader can do — and one of the most valuable.",[15,2472,2473],{},"Here's what actually works.",[10,2475,2477],{"id":2476},"start-with-leadership-not-policy","Start With Leadership, Not Policy",[15,2479,2480],{},"Security culture doesn't start with a training video or an acceptable use policy. It starts at the top.",[15,2482,2483],{},"When executives treat security as a business priority — when they ask about risk posture in board meetings, when they model good security behavior, when they make it clear that security matters — that signal travels through the organization. When they treat it as an IT problem that lives in a different department, that signal travels too.",[15,2485,2486],{},"CISOs who want to build strong security cultures spend time educating and engaging their executive peers, not just their own teams. They make security visible at the leadership level — not as a compliance obligation, but as a business value. That top-down commitment creates the permission structure that everything else depends on.",[10,2488,2490],{"id":2489},"make-security-relevant-to-each-teams-work","Make Security Relevant to Each Team's Work",[15,2492,2493],{},"One of the most common mistakes in security awareness programs is treating every employee the same. A developer, a finance analyst, and a customer service rep face completely different security risks in their day-to-day work — and generic training that doesn't acknowledge those differences gets tuned out quickly.",[15,2495,2496,2497,2501,2502,2505],{},"Effective security culture programs meet people where they are. They connect security concepts to the specific tasks, tools, and risks each team encounters. They explain not just ",[2498,2499,2500],"em",{},"what"," the policy says, but ",[2498,2503,2504],{},"why"," it matters in the context of that person's actual job. When a finance employee understands why wire transfer verification procedures exist — because of the real attacks that target exactly their role — the procedure stops feeling like bureaucracy and starts feeling like protection.",[15,2507,2508],{},"Relevance drives retention. Generic awareness drives compliance theater.",[10,2510,2512],{"id":2511},"reward-the-right-behaviors","Reward the Right Behaviors",[15,2514,2515],{},"Most security programs are designed to catch and punish failures — the employee who clicked the phishing link, the team that bypassed the approval process, the contractor who shared credentials. Consequence is a necessary part of any security program, but it's a poor foundation for culture.",[15,2517,2518],{},"Organizations with strong security cultures also celebrate the behaviors they want to see more of. They recognize employees who report suspicious emails, who raise security concerns in project planning, who push back on shortcuts that introduce risk. They create safe channels for people to admit mistakes without fear of blame, because transparency about near-misses is infinitely more valuable than silence about them.",[15,2520,2521],{},"Psychological safety is a security control. When people are afraid to report problems, problems don't get reported — they get discovered later, when they're much more expensive.",[10,2523,2525],{"id":2524},"integrate-security-into-existing-workflows","Integrate Security Into Existing Workflows",[15,2527,2528],{},"Security culture erodes when security is experienced as friction — a separate process, an additional approval, a tool that slows things down. It strengthens when security is built into how work already gets done.",[15,2530,2531],{},"This means embedding security checkpoints into product development cycles, not bolting them on at the end. It means making secure defaults the easy defaults, so the path of least resistance is also the more secure path. It means involving security early in new business initiatives, not bringing them in after decisions are already made.",[15,2533,2534],{},"The goal isn't to make security invisible — it's to make it natural. When a developer automatically considers threat modeling as part of design, or when a procurement team reflexively asks about vendor security as part of due diligence, culture is working.",[10,2536,2538],{"id":2537},"measure-what-matters-and-be-honest-about-it","Measure What Matters — and Be Honest About It",[15,2540,2541],{},"Security culture is notoriously hard to measure, which leads many organizations to measure the wrong things — training completion rates, phishing simulation click rates, policy acknowledgment counts. These metrics are easy to collect and tell you almost nothing about actual cultural change.",[15,2543,2544],{},"More meaningful signals include: How quickly do employees report suspicious activity? Are security concerns being raised earlier in project lifecycles? Is the volume of policy exception requests going up or down — and why? Are teams coming to security proactively, or only when required?",[15,2546,2547],{},"These measures require more effort to collect, but they reflect something real. And being honest about what the data shows — including the parts that reveal cultural gaps — is what allows leaders to make targeted interventions rather than repeat the same awareness programs and hope for different results.",[10,2549,2551],{"id":2550},"build-for-the-long-game","Build for the Long Game",[15,2553,2554],{},"Security culture isn't built in a quarter. It's built over years of consistent messaging, visible leadership commitment, relevant education, and reinforcement of the right behaviors. It erodes just as slowly — through apathy, through leadership turnover, through programs that go stale, through a security team that becomes adversarial rather than collaborative.",[15,2556,2557],{},"The organizations with the strongest security cultures treat it as an ongoing investment, not a one-time initiative. They revisit and refresh their programs regularly. They measure progress honestly. And they understand that every interaction between the security team and the rest of the business is an opportunity to either build or undermine the culture they're trying to create.",[15,2559,2560],{},"Technology protects systems. Culture protects organizations.",[15,2562,2563],{},[30,2564,2565],{},"Ready to build a security culture that actually sticks?",[15,2567,2568,2569,2574],{},"At ",[81,2570,2573],{"href":2571,"rel":2572},"https:\u002F\u002Fepiski.com",[1189],"Episki",", we help security leaders go beyond policies and awareness programs to build the organizational habits and leadership alignment that make security a shared value. If you're ready to make culture a core part of your security strategy, we'd love to talk.",[15,2576,2577],{},[81,2578,2581],{"href":2579,"rel":2580},"https:\u002F\u002Fepiski.com\u002Fcontact",[1189],"Let's talk →",[15,2583,2584],{},[2498,2585,2586],{},"Tools protect systems. Culture protects organizations.",{"title":87,"searchDepth":88,"depth":88,"links":2588},[2589,2590,2591,2592,2593,2594],{"id":2476,"depth":88,"text":2477},{"id":2489,"depth":88,"text":2490},{"id":2511,"depth":88,"text":2512},{"id":2524,"depth":88,"text":2525},{"id":2537,"depth":88,"text":2538},{"id":2550,"depth":88,"text":2551},"craft","2026-05-11","Security tools and policies only go so far. The organizations that are truly resilient are the ones where security is part of how everyone thinks — not just what the security team does.",{"src":2599},"\u002Fimages\u002Fblog\u002FTips.jpg",{},"\u002Fnow\u002Ftips",{"title":2453,"description":2597},"3.now\u002Ftips","LtzuWX4I6GxP-GCS8QRdhlQQW0iHXTak5_7evvpUeK8",1778494676086]