NIST CSF: What is a Control?


As discussed in other blog posts, there are five pillars, or categories, of the NIST CSF: Identify, Protect, Detect, Respond, and Recover. We have a short blog post on each of these which you can reach by following the links from the names above.

Identify is the step most people just get without much explanation: make a list of all the software, data, devices and job descriptions that need some kind of protection.

Protect is the step most people are most vague about: what does this actually mean? In this context, "protect an asset" means "assign a control to that asset." So what is a control in this context?

Google's AI Overview answers this way, which is fine so far as it goes:

A "NIST CSF control" refers to a specific security practice or guideline outlined within the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which serves as a set of best practices for organizations to manage and mitigate cybersecurity risks by identifying, protecting, detecting, responding to, and recovering from cyber threats; essentially, it's a recommended action an organization can take to improve its cybersecurity posture based on the NIST framework.

Where do these "recommended actions" come from? The short answer is NIST Special Publication 800-53. As of this writing (February 22, 2025) the most up-to-date version is here, but you will want to check for yourself if you are reading this much after the date of writing.

What are these controls like? I downloaded the latest catalog of controls and here are a couple chosen more or less at random:

Control AC-6 is named "Least Privilege" and is described this way: "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."

This is pretty good advice, albeit a little general.

Control AC-21 is named "Information Sharing" and is described this way: "a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions."

The strange part in the middle is a reference to whatever choice your particular organization has made: "[Assignment: organization-defined information sharing circumstances where user discretion is required]"

This is a level of formality that many newcomers to formal Cyber Security find off-putting; more complex situations demand it and simpler situations do not require it. Making this value judgement is part of setting up an appropriate and feasible Cyber Security program in your particular environment. Whatever you decide, the act of reviewing the various controls to determine the extent to which they apply to you is very helpful and often clarifying.
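The bracketed "[Assignment: ...]" segments are the places where a control has to be tailored before it can be assigned to an asset. The following is an added example, not part of this post or of NIST's own tooling: it pulls those parameters out of the AC-21 statement quoted above, substitutes an organization's chosen values, and reports any parameter that was left unassigned so a review can catch it. The substituted values are constructed for illustration.

```python
import re

# Control statement as quoted above from SP 800-53 AC-21; the bracketed
# "[Assignment: ...]" segments are the organization-defined parameters.
AC_21 = (
    "a. Enable authorized users to determine whether access authorizations "
    "assigned to a sharing partner match the information's access and use "
    "restrictions for [Assignment: organization-defined information sharing "
    "circumstances where user discretion is required]; and b. Employ "
    "[Assignment: organization-defined automated mechanisms or manual "
    "processes] to assist users in making information sharing and "
    "collaboration decisions."
)

# One placeholder: "[Assignment:" followed by the parameter description.
ASSIGNMENT = re.compile(r"\[Assignment:\s*(?P<text>[^\]]+)\]")


def parameters(control_text):
    """Return the organization-defined parameter descriptions, in order."""
    return [m.group("text").strip() for m in ASSIGNMENT.finditer(control_text)]


def tailor(control_text, values):
    """Substitute organization-chosen values for each assignment placeholder.

    `values` maps a parameter description (as returned by parameters()) to
    the organization's chosen value. Returns the tailored statement and the
    list of parameters that were left unassigned, so the gap is visible
    instead of silently shipping a control that is only half defined.
    """
    unassigned = []

    def substitute(match):
        key = match.group("text").strip()
        if key in values:
            return values[key]
        unassigned.append(key)
        return match.group(0)  # keep the placeholder visible in the output

    return ASSIGNMENT.sub(substitute, control_text), unassigned


if __name__ == "__main__":
    choices = {  # constructed sample values, not from any real program
        parameters(AC_21)[0]: "sharing of customer records with a third-party vendor",
        parameters(AC_21)[1]: "the classification labels applied by the document-management system",
    }
    statement, missing = tailor(AC_21, choices)
    print(statement)
    print("unassigned parameters:", missing)
```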
