NIST Cybersecurity Framework 2.0:
Small Business Quick-Start Guide

NIST Special Publication
NIST SP 1300
https://doi.org/10.6028/NIST.SP.1300

February 2024

U.S. Department of Commerce
Gina M. Raimondo, Secretary

National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology
NIST Cybersecurity Framework 2.0: Small Business Quick-Start Guide Overview

Purpose
This guide provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy by using the NIST Cybersecurity Framework (CSF) 2.0. The guide also can assist other relatively small organizations, such as non-profits, government agencies, and schools. It is a supplement to the NIST CSF and is not intended to replace it.

What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is voluntary guidance that helps organizations—regardless of size, sector, or maturity—better understand, assess, prioritize, and communicate their cybersecurity efforts. The Framework is not a one-size-fits-all approach to managing cybersecurity risks. This supplement and the full CSF 2.0 can help organizations to consider and record their own risk tolerances, priorities, threats, vulnerabilities, requirements, etc.

Getting Started with the Cybersecurity Framework
The CSF organizes cybersecurity outcomes into six high-level Functions: Govern, Identify, Protect, Detect, Respond, and Recover. These Functions, when considered together, provide a comprehensive view of managing cybersecurity risk. The activities listed for each Function within this guide may offer a good starting point for your business. For specific, action-oriented examples of how to achieve the listed activities, reference the CSF 2.0 Implementation Examples. If there are activities contained within this guide that you do not understand or do not feel comfortable addressing yourself, this guide can serve as a discussion prompt with whomever you have chosen to help you reduce your cybersecurity risks, such as a managed security service provider (MSSP).

EXPLORE MORE CSF 2.0 RESOURCES
nist.gov/cyberframework
Quickly find what you need, including:
• A suite of NEW Quick Start Guides
• Implementation Examples
• Search tools
• FAQs
• And much more!
GOVERN
The Govern Function helps you establish and monitor your business’s cybersecurity risk management strategy, expectations, and policy.

Actions to Consider

Understand
• Understand how cybersecurity risks can disrupt achievement of your business’s mission. (GV.OC-01)
• Understand your legal, regulatory, and contractual cybersecurity requirements. (GV.OC-03)
• Understand who within your business will be responsible for developing and executing the cybersecurity strategy. (GV.RR-02)

Assess
• Assess the potential impact of a total or partial loss of critical business assets and operations. (GV.OC-04)
• Assess whether cybersecurity insurance is appropriate for your business. (GV.RM-04)
• Assess cybersecurity risks posed by suppliers and other third parties before entering into formal relationships. (GV.SC-06)

Prioritize
• Prioritize managing cybersecurity risks alongside other business risks. (GV.RM-03)

Communicate
• Communicate leadership’s support of a risk-aware, ethical, and continually improving culture. (GV.RR-01)
• Communicate, enforce, and maintain policies for managing cybersecurity risks. (GV.PO-01)

Getting Started with Cybersecurity Governance
You can use these tables to begin thinking about your cybersecurity governance strategy.

Setting Organizational Context
• Our business mission statement:
• What cybersecurity risks may prevent us from achieving this mission?

Documenting Cybersecurity Requirements
• List your legal requirements:
• List your regulatory requirements:
• List your contractual requirements:

Technical Deep Dive: Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight

Questions to Consider
• As our business grows, how often are we reviewing our cybersecurity strategy?
• Do we need to upskill our existing staff, hire talent, or engage an external partner to help us establish and manage our cybersecurity plan?
• Do we have acceptable use policies in place for business and for employee-owned devices accessing business resources? Have employees been educated on these policies?

Related Resources
• Securing Small and Medium-Sized Supply Chains Resource Handbook
• Choosing A Vendor/Service Provider
View all NIST CSF 2.0 Resources Here


IDENTIFY
The Identify Function helps you determine the current cybersecurity risk to the business.

Actions to Consider

Understand
• Understand what assets your business relies upon by creating and maintaining an inventory of hardware, software, systems, and services. (ID.AM-01/02/04)

Assess
• Assess your assets (IT and physical) for potential vulnerabilities. (ID.RA-01)
• Assess the effectiveness of the business's cybersecurity program to identify areas that need improvement. (ID.IM-01)

Prioritize
• Prioritize inventorying and classifying your business data. (ID.AM-07)
• Prioritize documenting internal and external cybersecurity threats and associated responses using a risk register. (ID.RA)

Communicate
• Communicate cybersecurity plans, policies, and best practices to all staff and relevant third parties. (ID.IM-04)
• Communicate to staff the importance of identifying needed improvements to cybersecurity risk management processes, procedures, and activities. (ID.IM)

Getting Started with Identifying Current Cybersecurity Risk to Your Business
Before you can protect your assets, you need to identify them. Then you can determine the appropriate level of protection for each asset based upon its sensitivity and criticality to your business mission. You can use this sample table to get started on your information technology (IT) asset inventory. As your business matures, you might consider using an automated asset inventory solution or a managed security service provider to help you manage all your business assets.

Sample IT asset inventory table (one row per asset, with these columns):
• Software/hardware/system/service
• Asset's official use
• Asset administrator or owner
• Identify sensitive data the asset has access to
• Is multi-factor authentication required to access this asset?
• Risk to business if we lose access to this asset

Technical Deep Dive: Integrating Cybersecurity and Enterprise Risk Management

Questions to Consider
• What are our most critical business assets (data, hardware, software, systems, facilities, services, people, etc.) we need to protect?
• What are the cybersecurity and privacy risks associated with each asset?
• What technologies or services are personnel using to accomplish their work? Are these services or technologies secure and approved for use?

Related Resources
• NIST Risk Register Template
• Take Stock. Know What Sensitive Information You Have
• Evaluating Your Operational Resilience and Cybersecurity Practices
View all NIST CSF 2.0 Resources Here


PROTECT
The Protect Function supports your ability to use safeguards to prevent or reduce cybersecurity risks.

Actions to Consider

Understand
• Understand what information employees should or do have access to. Restrict sensitive information access to only those employees who need it to do their jobs. (PR.AA-05)

Assess
• Assess the timeliness, quality, and frequency of your company’s cybersecurity training for employees. (PR.AT-01/02)

Prioritize
• Prioritize requiring multi-factor authentication on all accounts that offer it and consider using password managers to help you and your staff generate and protect strong passwords. (PR.AA-03)
• Prioritize changing default manufacturer passwords. (PR.AA-01)
• Prioritize regularly updating and patching software and operating systems. Enable automatic updates to help you remember. (PR.PS-02)
• Prioritize regularly backing up your data and testing your backups. (PR.DS-11)
• Prioritize configuring your tablets and laptops to enable full-disk encryption to protect data. (PR.DS-01)

Communicate
• Communicate to your staff how to recognize common attacks, report attacks or suspicious activity, and perform basic cyber hygiene tasks. (PR.AT-01/02)

Getting Started with Protecting Your Business
Enabling multi-factor authentication (MFA) is one of the fastest, cheapest ways you can protect your data. Start with accounts that can access the most sensitive information. Use this checklist to give you a head start, but remember your own list will be longer than this:

Account (MFA Enabled: Y/N)
• Banking Account(s)
• Accounting and Tax Account(s)
• Merchant Account(s)
• Google, Microsoft, and/or Apple ID Account(s)
• Email Account(s)
• Password Manager(s)
• Website Account(s)

Technical Deep Dive: NIST Digital Identity Guidelines

Questions to Consider
• Are we restricting access and privileges only to those who need it? Are we removing access when they no longer need it?
• How are we securely sanitizing and destroying data and data storage devices when they’re no longer needed?
• Do employees possess the knowledge and skills to perform their jobs with security in mind?

Related Resources
• Cybersecurity Training Resources
• Multi-Factor Authentication
• Protecting Your Business from Phishing
View all NIST CSF 2.0 Resources Here


DETECT
The Detect Function provides outcomes that help you find and analyze possible cybersecurity attacks and compromises.

Actions to Consider

Understand
• Understand how to identify common indicators of a cybersecurity incident. (DE.CM)

Assess
• Assess your computing technologies and external services for deviations from expected or typical behavior. (DE.CM-06/09)
• Assess your physical environment for signs of tampering or suspicious activity. (DE.CM-02)

Prioritize
• Prioritize installing and maintaining antivirus and anti-malware software on all business devices—including servers, desktops and laptops. (DE.CM-09)
• Prioritize engaging a service provider to monitor computers and networks for suspicious activity if you don't have the resources to do it internally. (DE.CM)

Communicate
• Communicate with your authorized incident responder, such as an MSSP, about the relevant details from the incident to help them analyze and mitigate it. (DE.AE-06/07)

Getting Started with Detecting Incidents
Some common indicators of a cybersecurity incident are:
• Loss of usual access to data, applications, or services
• Unusually sluggish network
• Antivirus software alerts when it detects that a host is infected with malware
• Multiple failed login attempts
• An email administrator sees many bounced emails with suspicious content
• A network administrator notices an unusual deviation from typical network traffic flows

Technical Deep Dive: NIST Computer Security Incident Handling Guide

Questions to Consider
• Do devices that are used for our business, whether business-owned or employee-owned, have antivirus software installed?
• Do employees know how to detect possible cybersecurity attacks and how to report them?
• How is our business monitoring its logs and alerts to detect potential cyber incidents?

Related Resources
• Ransomware Protection and Response
• Detecting a Potential Intrusion
• Cybersecurity Training Resources
View all NIST CSF 2.0 Resources Here
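Of the incident indicators listed above, "multiple failed login attempts" is one a small business can check for itself from ordinary authentication logs, which also speaks to the question of how the business is monitoring its logs and alerts. The script below is an added example and is not part of NIST SP 1300; the log line format, the sample lines, and the threshold of five failures within five minutes are constructed assumptions, to be adjusted to whatever your own systems actually log.

```python
"""Flag bursts of failed login attempts in authentication log lines.

Added illustration of the "multiple failed login attempts" indicator; the
log format and the thresholds are assumptions, not anything NIST specifies.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple syslog-like layout (an assumption,
# not a real product's format): timestamp, outcome, user name, source address.
SAMPLE_LOG = """\
2024-02-20T08:00:01 auth FAILED user=alice src=203.0.113.7
2024-02-20T08:00:03 auth FAILED user=alice src=203.0.113.7
2024-02-20T08:00:04 auth FAILED user=alice src=203.0.113.7
2024-02-20T08:00:06 auth FAILED user=alice src=203.0.113.7
2024-02-20T08:00:09 auth FAILED user=alice src=203.0.113.7
2024-02-20T08:00:15 auth OK user=alice src=203.0.113.7
2024-02-20T08:05:00 auth FAILED user=bob src=198.51.100.2
2024-02-20T09:10:00 auth FAILED user=bob src=198.51.100.2
2024-02-20T09:11:00 auth OK user=bob src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn log text into (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def find_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (user, source) pair that has >= threshold failures inside a sliding window.

    Bob's two failures an hour apart never fall in one window, so they are ordinary typos;
    Alice's five failures in eight seconds do. A success right after a burst is flagged too,
    because that is the pattern of a guessed password and deserves a closer look.
    """
    failures = defaultdict(list)
    for ts, result, user, src in sorted(events):
        if result == "FAILED":
            failures[(user, src)].append(ts)

    alerts = []
    for (user, src), times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                later_ok = any(r == "OK" and u == user and s == src and ts > times[end]
                               for ts, r, u, s in events)
                alerts.append({"user": user, "src": src, "failures": end - start + 1,
                               "first": times[start], "last": times[end],
                               "followed_by_success": later_ok})
                break  # one alert per pair is enough for a first pass
    return alerts


if __name__ == "__main__":
    for alert in find_failed_login_bursts(parse_events(SAMPLE_LOG)):
        print(alert)
```

A single script like this is not a substitute for the monitoring service the Prioritize action above recommends, but it is a concrete answer to "how are we monitoring our logs" that an MSSP can refine: the same sliding-window logic applies to any log that records who tried to sign in, from where, and whether it worked.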


RESPOND
The Respond Function supports your ability to take action regarding a detected cybersecurity incident.

Actions to Consider

Understand
• Understand what your incident response plan is and who has authority and responsibility for implementing various aspects of the plan. (RS.MA-01)

Assess
• Assess your ability to respond to a cybersecurity incident. (RS.MA-01)
• Assess the incident to determine its severity, what happened, and its root cause. (RS.AN-03, RS.MA-03)

Prioritize
• Prioritize taking steps to contain and eradicate the incident to prevent further damage. (RS.MI)

Communicate
• Communicate a confirmed cybersecurity incident with all internal and external stakeholders (e.g., customers, business partners, law enforcement agencies, regulatory bodies) as required by laws, regulations, contracts, or policies. (RS.CO-02/03)

Getting Started with an Incident Response Plan
Before an incident occurs, you want to be ready with a basic response plan. This will be customized based on the business but should include:
• A business champion: Someone who is responsible for developing and maintaining your incident response plan.
• Who to call: List all the individuals who may be part of your incident response efforts. Include their contact information, responsibilities, and authority.
• What/when/how to report: List your business's communications/reporting responsibilities as required by laws, regulations, contracts, or policies.

Contact list (Contact: Phone)
• Business Leader:
• Technical Contact:
• State Police:
• Legal:
• Bank:
• Insurance:

Technical Deep Dive: NIST Computer Security Incident Handling Guide

Questions to Consider
• Do we have a cybersecurity incident response plan? If so, have we practiced it to see if it is feasible?
• Do we know who the key internal and external stakeholders and decision-makers are who will assist if we have a confirmed cybersecurity incident?

Related Resources
• Incident Response Plan Basics
• FBI’s Internet Crime Complaint Center
• Data Breach Response: A Guide for Business
• Best Practices for Victim Response and Reporting of Cyber Incidents
View all NIST CSF 2.0 Resources Here


RECOVER
The Recover Function involves activities to restore assets and operations that were impacted by a cybersecurity incident.

Actions to Consider

Understand
• Understand who within and outside your business has recovery responsibilities. (RC.RP-01)

Assess
• Assess what happened by preparing an after-action report—on your own or in consultation with a vendor/partner—that documents the incident, the response and recovery actions taken, and lessons learned. (RC.RP-06)
• Assess the integrity of your backed-up data and assets before using them for restoration. (RC.RP-03)

Prioritize
• Prioritize your recovery actions based on organizational needs, resources, and assets impacted. (RC.RP-02)

Communicate
• Communicate regularly and securely with internal and external stakeholders. (RC.CO)
• Communicate and document completion of the incident and resumption of normal activities. (RC.RP-06)

Getting Started with a Recovery Playbook
A playbook typically includes the following critical elements:
• A set of formal recovery processes
• Documentation of the criticality of organizational resources (e.g., people, facilities, technical components, external services)
• Documentation of systems that process and store organizational information, particularly key assets. This will help inform the order of restoration priority
• A list of personnel who will be responsible for defining and implementing recovery plans
• A comprehensive recovery communications plan

Technical Deep Dive: NIST Guide for Cybersecurity Event Recovery

Questions to Consider
• What are our lessons learned? How can we minimize the chances of a cybersecurity incident happening in the future?
• What are our legal, regulatory, and contractual obligations for communicating to internal and external stakeholders about a cybersecurity incident?
• How do we ensure that the recovery steps we are taking are not introducing new vulnerabilities to our business?

Related Resources
• Cybersecurity Training Resources
• Creating an IT Disaster Recovery Plan
• Backup and Recover Resources
View all NIST CSF 2.0 Resources Here
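The Assess action above (RC.RP-03) asks you to check the integrity of backed-up data before restoring from it, and the Protect Function's PR.DS-11 asks you to test your backups. One practical way to do both is to record a checksum of every file when the backup is made and re-check it before a restore. The script below is an added example, not part of NIST SP 1300 and not a NIST-specified mechanism: the manifest layout, the keyed HMAC seal, and the sample backup contents are all constructed assumptions.

```python
"""Verify a backup set against a keyed manifest before restoring from it.

Added illustration of RC.RP-03. The manifest format and the HMAC key handling
are assumptions for this example, not a format NIST defines.
"""
import hashlib
import hmac
import json


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Record a SHA-256 digest per backed-up file and seal the whole list with an HMAC.

    `files` maps a path to its contents. The key must live apart from the backup
    (for instance with the person responsible for recovery); if it sits next to
    the backup, whoever can alter the files can rewrite the manifest as well.
    """
    digests = {path: _sha256(data) for path, data in files.items()}
    canonical = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "tag": hmac.new(key, canonical, hashlib.sha256).hexdigest()}


def verify_backup(files: dict, manifest: dict, key: bytes):
    """Return (ok, problems).

    ok is True only when the manifest seal is authentic and every listed file is
    present with the expected digest. Files that were never in the manifest are
    reported as well, because an unexpected file in a backup set is itself a finding.
    """
    canonical = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False, ["manifest seal mismatch: manifest may have been altered"]

    problems = []
    for path, digest in manifest["digests"].items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif not hmac.compare_digest(_sha256(files[path]), digest):
            problems.append(f"modified: {path}")
    for path in files:
        if path not in manifest["digests"]:
            problems.append(f"unexpected: {path}")
    return (not problems), problems


# Constructed sample backup set, standing in for files read off backup media.
SAMPLE_KEY = b"example-manifest-key-kept-offline"
SAMPLE_BACKUP = {
    "db/customers.sql": b"CREATE TABLE customers (id INTEGER, name TEXT);",
    "config/app.ini": b"[app]\ndebug=false\n",
}


def demo():
    """Seal the sample backup, then verify a clean copy and a silently altered copy."""
    manifest = build_manifest(SAMPLE_BACKUP, SAMPLE_KEY)
    clean = verify_backup(SAMPLE_BACKUP, manifest, SAMPLE_KEY)
    altered = dict(SAMPLE_BACKUP, **{"config/app.ini": b"[app]\ndebug=true\n"})
    return clean, verify_backup(altered, manifest, SAMPLE_KEY)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run the verification as the first step of any restore and refuse to proceed on a failure; a manifest seal mismatch means the manifest itself cannot be trusted, which is a different and more serious finding than a single modified file. Running the same check on a schedule also serves as the backup test that PR.DS-11 asks for.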


Profiles and Additional Resources
Using Organizational Profiles to Implement the Cybersecurity Framework
A CSF Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of the CSF Core’s cybersecurity outcomes. Every Organizational Profile includes
one or both of the following:
1. A Current Profile specifies the desired outcomes an organization is currently achieving (or attempting to achieve) and characterizes how or to what extent each outcome is being
achieved.
2. A Target Profile specifies the outcomes an organization has selected and prioritized for achieving its cybersecurity risk management objectives.
• You can also use a Community Profile as the basis for your Target Profile. A Community Profile is a baseline of targeted outcomes for a particular sector, technology, threat
type, or other use case.
• You can also choose to use the CSF Tiers to inform your Profile creation. Tiers characterize the current or targeted rigor of an organization’s practices by CSF Function or
Category. See the Quick-Start Guide for Using the CSF Tiers for more information on Tiers and their use.

View the Quick-Start Guide for Creating and Using Organizational Profiles for more detailed information on how to get started creating Current and Target Profiles for your organization.

Additional Resources
The NIST Cybersecurity Framework Reference Tool allows users to explore the full CSF 2.0 Core in human and machine-readable versions (in JSON and Excel), while also maintaining
resources with information to help you achieve your desired outcomes, such as:
• Mapping: Informative references are mappings indicating relationships between the CSF 2.0 and various standards, guidelines, regulations, and other content. They help inform
how an organization may achieve the Core’s outcomes.
• Implementation examples provide illustrations of concise, action-oriented steps to guide organizations in achieving the CSF outcomes. The examples are not a comprehensive
list of all actions that could be taken by an organization, nor are they a baseline of required actions; they are a set of helpful examples to get organizations thinking about
concrete steps.
NIST Cybersecurity and Privacy Reference Tool (CPRT) provides a simple way to access reference data from various NIST cybersecurity and privacy standards, guidelines, and Frameworks–
downloadable in common formats (XLSX and JSON).
NIST SP 800-53 provides a catalog of security and privacy controls you can choose from. The controls are flexible, customizable, and implemented as part of an organization-wide process to
manage risk. View and export from the Cybersecurity and Privacy Reference Tool (CPRT).
The Workforce Framework for Cybersecurity (NICE Framework) helps employers achieve the outcomes in the CSF 2.0 by assisting them to identify critical gaps in cybersecurity staffing and
capabilities; determine and communicate position responsibilities and job descriptions; and provide staff training and career pathways.
