Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Take A Tour! NIST Cybersecurity Framework 2.0: Small Business Quick Start Guide

SMB Quick Start Guide Cover
Credit: NIST

The U.S. Small Business Administration is celebrating National Small Business Week from April 28 - May 4, 2024. This week recognizes and celebrates the small business community’s significant contributions to the nation. Organizations across the country participate by hosting in-person and virtual events, recognizing small business leaders and change-makers, and highlighting resources that help the small business community more easily and efficiently start and scale their businesses. 

To add to the festivities, this NIST Cybersecurity Insights blog showcases the NIST Cybersecurity Framework 2.0 Small Business Quick Start Guide, a new resource designed to help the small and medium-sized business (SMB) community begin to manage and reduce their cybersecurity risks. You’ve worked hard to start and grow your business. Are you taking the steps necessary to protect it? As small businesses have become more reliant upon data and technology to operate and scale a modern business, cybersecurity has become a fundamental risk that must be addressed alongside other business risks. This Guide is designed to help. 

Understanding the NIST Cybersecurity Framework (CSF) 

Let us first take a step back. Before we talk about the CSF 2.0 Small Business Quick Start Guide, it is important to first understand its foundation. The CSF is voluntary guidance that helps organizations​—regardless of size, sector, or maturity— better understand, assess, prioritize, and ​communicate their cybersecurity efforts (those stages of understand, assess, prioritize, and communicate are going to come back into focus in just a moment). 

The CSF describes what desirable cybersecurity outcomes an organization can aspire to achieve. And because every organization is different, the CSF does not prescribe outcomes nor how they may be achieved. The framework is flexible so that each organization can tailor their implementation to meet their own unique needs, mission, resources, and risks.  It is particularly useful for fostering internal or external communication by creating a common vocabulary for discussing cybersecurity risk management. 

First published in 2014, the CSF recently underwent a significant revision. CSF 2.0 was published on February 26, 2024. Along with the updated document, NIST published new supplementary materials meant to help different audiences better understand and put the CSF 2.0 into action. 

Introducing the CSF 2.0 Small Business Quick Start Guide 

The Guide provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the CSF 2.0. 

The CSF is often discussed in terms of transportation— “Travel through the CSF 2.0” or “Journey to the CSF.” Why? Because cybersecurity is a continuous journey. Consider the SMB Quick Start Guide as an on-ramp to that journey. 

SMB On-Ramp Journey
Credit: NIST

The information included within this Guide is not all encompassing or prescriptive; it is meant to offer a good starting point for a small or medium-sized business. The Guide is also not meant to replace the CSF. It is meant to be an introduction to it. Or, as mentioned earlier, an on-ramp to it. 

How is the SMB Quick Start Guide Organized? 

The Guide is organized by Function—1 page per Function. What is a CSF Function, you may ask? These are categorizations of cybersecurity outcomes (what you want to achieve) at their highest levels. They are: Govern, Identify, Protect, Detect, Respond and Recover. These Functions, when considered together, provide a comprehensive view of managing cybersecurity risk. 

  • Govern: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored
  • Identify: The organization’s current cybersecurity risks are understood
  • Protect: Safeguards to manage the organization’s cybersecurity risks are used.
  • Detect: Possible cybersecurity attacks and compromises are found and analyzed.
  • Respond: Actions regarding a detected cybersecurity incident are taken
  • Recover: Assets and operations affected by a cybersecurity incident are restored.

On each page of the Guide, readers can expect to find information to help you better understand the Function and put it into action. Each page is organized into four primary sections: Actions to Consider, Getting Started, Questions to Consider, and Additional Resources. Let’s explore each section in more depth: 

1. Actions to Consider: As mentioned earlier, the CSF helps organizations better understand, assess, prioritize, and communicate their cybersecurity efforts. That is why the Guide’s “Actions to Consider” are organized into those stages.

  • The Understand and Assess sections provide actions to help readers understand the current or target cybersecurity posture of part or all of an organization, determine gaps, and assess progress toward addressing those gaps. 
  • The Prioritize section will include actions to help readers Identify, organize, and prioritize actions for managing cybersecurity risks that align with the organization’s mission, legal and regulatory requirements, and risk management and governance expectations.
  • The Communicate section provides actions for communicating inside and outside the organization about cybersecurity risks, capabilities, needs, and expectations. 

Following each Action to Consider is a parenthetical (see image below), which documents what part of the Cybersecurity Framework Core the action referencing. The Core is a set of cybersecurity outcomes arranged by Function, Category, and Subcategory. In the case shown below (GV.OC-01) “GV” is the Function (Govern), “OC” is the Category (Organizational Context), and “01” is the Subcategory designation. Every Action to Consider ties back to the Cybersecurity Framework Core.

SMB actions to consider
Credit: NIST

2. Getting Started: This area drills down into a specific concept within the Function. For instance, as shown in the image below, two planning tables are provided to help businesses begin thinking through documenting their governance strategy. Businesses will, of course, need to customize these tables to meet their own needs, but these provide a reference point for getting started. 

SMB Getting started with govern
Credit: NIST

 For those who want to delve deeper into NIST guidance on a specific topic, a Technical Deep Dive is also included on every page. These resources are an important component because this SMB Quick Start Guide is not intended to be the final destination on a business’ journey to improved cybersecurity risk management. As a business grows, as their needs change, and as their reliance upon connectivity and technology increases, their approach to cybersecurity risk management will need to become more sophisticated. These resources can help in that journey.  

3. Questions to Consider: This section is included on every page to encourage readers to engage with the content and begin thinking through important questions related to cybersecurity risk management. They aren’t all the questions a company should be asking themselves, but provide a starting point for discussion. These questions, and the Guide as a whole, can also serve as a discussion prompt between a business owner and whomever they have chosen to help them reduce their cybersecurity risks, such as a managed security service provider (MSSP). 

SMB Questions to Consider
Credit: NIST

4. Related Resources: This final section provides a few additional resources for continued exploration of the topic. Each resource was chosen because it specifically expands upon the content on the page or adds additional insights or tools that are actionable. All resources are from NIST or other federal agencies and are tailored specifically to the small business community. 

Want to learn more? 

Get Engaged in our NIST SMB Cybersecurity Work

About the author

Daniel Eliot

Daniel Eliot is the lead for small business engagement within the National Institute of Standards and Technology’s Applied Cybersecurity Division. In this role, he works across NIST's cybersecurity and privacy program to advise and support development of cybersecurity resources, communication materials, and collateral tailored for use by small businesses. He also regularly works directly with the small business community and their advocates through external outreach and engagement. 

Related posts

Comments

Add new comment

CAPTCHA
Image CAPTCHA
Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.