What is the NIST Cybersecurity Framework & How Does SOC 2 Map to It?

What is the NIST CSF - Mapping it to SOC 2
NIST 800-53, ISO 27001, PCI, HITRUST, HIPAA, SOC 1, SOC 2, GDPR, CCPA…who needs another compliance framework? It’s an acronym soup, and who can keep them all straight anyway? I’m here to make the case that you may just have room for one more – the NIST Cybersecurity Framework (CSF), particularly if you’re seeking SOC 2 compliance. For one, it’s a practical framework meant to address and manage cybersecurity risk, and it’s easily tailored to any organization’s needs. Beyond that, the NIST CSF maps nicely to the SOC 2 Criteria, making it a compatible framework if you are looking for a “how-to” guide for implementing SOC 2 controls.

What is the Difference Between the NIST Cybersecurity Framework & NIST 800-53?

The National Institute of Standards and Technology (NIST) is a federal agency whose mission is to “develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. NIST is also responsible for establishing computer- and information technology-related standards and guidelines for federal agencies to use. Many private sector organizations have made widespread use of these standards and guidelines voluntarily for several decades, especially those related to information security.”

I used to perform NIST 800-53 audits and eventually learned to appreciate the structure and rigor that the 800-53 framework brought to federal information systems and entities. However, it is not widely adopted by commercial entities, particularly those smaller companies or entities just starting their IT compliance journey. Enter NIST CSF.

According to NIST, the Cybersecurity Framework was “Created through collaboration between industry and government” with the goal of defining “standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.”

[Image: NIST CSF v1.1 cybersecurity framework functions. Image Source: https://www.nist.gov/cyberframework]

A Closer Look at NIST Cybersecurity Framework Version 1.1

When choosing a cybersecurity framework, it’s important to consider your organization’s strategic objectives, risk profile, and applicable laws and regulations. While the leading industry information security frameworks share common objectives and controls, the requirements and level of effort to implement each vary. For example, NIST 800-53 is one of the most robust and prescriptive frameworks, with 18 control families and over 900 controls. The NIST CSF is a subset of NIST 800-53, sharing certain requirements and criteria, while omitting many of the controls more relevant to federal agencies.

The NIST CSF is scalable and aligns with industry best practices for cybersecurity, making it an attractive option for commercial entities, especially those that are just starting to implement cybersecurity policies and controls. Key framework attributes include:

  • Common and accessible language
  • Adaptable to many technologies, lifecycle phases, sectors, and uses
  • Risk-based
  • Based on international standards
  • Living document
  • Guided by many perspectives – private sector, academia, public sector

What are the Main Components of the NIST Cybersecurity Framework? How Many Controls are in the NIST CSF?

Officially released in 2014 with an updated version in 2018, the Framework Core is organized into 5 functions and 23 “categories”. Each category contains a number of subcategories, totaling 108 across the 5 functions and 23 categories. The subcategories are essentially the stated control activities.

[Image: NIST CSF v1.1 Framework Core functions and categories. Image Source: https://www.nist.gov/cyberframework/online-learning/components-framework]

While streamlined, the NIST CSF is prescriptive and clearly stated in “plain English” such that organizations are able to interpret the standards and requirements with relative ease. You’ve likely read various frameworks and were left wondering if a translator was available. By contrast, the NIST CSF is written in a more concise, user-friendly manner.

For example, the below table highlights the CSF’s identity and access management principles, with clear subcategories suggesting how to implement controls that would achieve the stated principle/requirement:

NIST CSF Components

FUNCTION: Protect (PR)

CATEGORY: Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

SUBCATEGORIES:
  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-2: Physical access to assets is managed and protected
  • PR.AC-3: Remote access is managed
  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  • PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
  • PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
  • PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

(See Table Source Here)

When establishing the CSF, NIST attempted to strike a balance of addressing the full lifecycle of cybersecurity without being overly detailed or too prescriptive. As a result, the subcategories were intentionally written as outcome-driven statements to foster risk-based decision-making, enabling organizations to implement policy and control solutions tailored to their environment.

Mapping the SOC 2 Criteria to the NIST Cybersecurity Framework

Part of NIST’s vision with the CSF was to design a framework that logically aligned and mapped to other leading industry frameworks. Within the NIST CSF, you will find Informative References that tie each of the CSF subcategories to their industry counterparts, including the following:

Beyond that, you can readily find NIST CSF mappings to SOC 2 (TSC mappings), PCI, and HIPAA on the internet.

Now that we’re neck-deep in compliance acronym soup, you are likely asking yourself again why you should care about another framework. I like to think of the NIST CSF as a great foundation for developing your policy statements and standards that form your internal controls, which can then be mapped to the relevant Trust Services Criteria to support your SOC 2 compliance journey.

Take our earlier NIST Subcategory example, and note how it maps to the Trust Services Criteria (note, use the mapping spreadsheet referenced above to easily search by NIST Subcategory reference or SOC 2 Criteria reference):

SOC 2 mapping to NIST CSF (example)

CSF FUNCTION: Protect (PR)

CSF CATEGORY: Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

CSF SUBCATEGORY: PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes

TRUST SERVICES CRITERIA & POINTS OF FOCUS:

CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
  • Manages Credentials for Infrastructure and Software: New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.

CC6.2: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
  • Controls Access Credentials to Protected Assets: Information asset access credentials are created based on an authorization from the system’s asset owner or authorized custodian.
  • Removes Access to Protected Assets When Appropriate: Processes are in place to remove credential access when an individual no longer requires such access.
  • Reviews Appropriateness of Access Credentials: The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials.

As you can see from this example, the NIST CSF subcategory statement is written in a concise, but comprehensive, manner that could be used to form a policy statement or control activity. That singular control activity could then be mapped to multiple SOC 2 Criteria, not to mention other leading industry frameworks.

NIST Cybersecurity Framework vs SOC 2 Audits

Now you may be asking, “If the NIST CSF is so efficient, why do I need a SOC 2? And how do I become NIST certified?” Valid questions. You likely still need a SOC 2 Report because it’s the leading industry standard used by service organizations to convey assurance over system and organization controls. This is done by an independent auditor who issues a report attesting to the service organization’s compliance with the Trust Services Criteria.

By contrast, there is no such attestation available for the NIST CSF. According to NIST, “NIST has no plans to develop a conformity assessment program. NIST encourages the private sector to determine its conformity needs, and then develop appropriate conformity assessment programs.” Additionally, “The Framework was created with the current regulatory environment in mind, and does not replace or augment any existing laws or regulations. The Framework leverages industry best practices and methods for cybersecurity risk management, which are often used in regulation.”

In other words, the NIST CSF is intended to be a useful tool for organizations looking to design and implement cybersecurity policies and controls that will satisfy multiple regulatory and compliance requirements. If you are a service organization, chances are you still need that SOC 2 report, but the NIST CSF can help you interpret the foreign language that is the Trust Services Criteria and be the “how-to” you’ve been looking for.

What is a SOC 2+ and How Does it Relate to the NIST CSF?

Still not convinced there’s a way to bring all these acronyms together? In fact, the governing body for SOC 2 audits, the American Institute of Certified Public Accountants (AICPA), has developed an option that allows a service organization to obtain a “SOC 2+”. The SOC 2+ is a SOC 2 examination that “Addresses Additional Subject Matters and Additional Criteria”. In this case, the service auditor identifies the additional subject matter being reported on or the additional criteria (e.g., the NIST CSF Subcategories) being used to evaluate the subject matter and report on the additional subject matter.

Other examples of this reporting option are those reports that include information on a service organization’s ability to meet the requirements of HITRUST, HIPAA, or the Cloud Security Alliance’s Cloud Control Matrix. The auditor will include additional tests of controls that achieve the additional criteria, and may include a mapping between the criteria in order to demonstrate the service organization’s alignment between the compliance frameworks. This may or may not be a value-add to your organization, but it’s a relatively low level of effort that may be worth it if you operate in an industry that expects compliance with other frameworks beyond SOC 2. As with all audit-related decisions, it’s best to discuss the options and potential benefits of each with your service auditor.

In Conclusion…

Still drowning in acronym soup? Curious how your organization may benefit from the NIST CSF, a SOC 2 Report, or even a SOC 2+ Report? At Linford & Company, we live and breathe the audit and compliance world and are happy to discuss how to best align your compliance activities with your organization’s strategic objectives, risk profile, and applicable laws and regulations. You are not in this alone – contact us today!