NIST CSF supporting concepts
Familiarize yourself with these concepts, developed from the NIST CSF guidance.
| Concept | Description |
|---|---|
| Target | The target is the foundation of the NIST Cybersecurity Framework (CSF) Use Case Accelerator and all related concepts. The Target table is shared between the ServiceNow® GRC products and several Use Case Accelerators. Targets are similar to the concept of entities in the core GRC applications. They are optionally linked to profiles, and they hold any attributes that are specific to the Use Case Accelerators. |
| Critical infrastructure (or critical in NIST CSF application usage) | Vital physical or virtual systems and assets whose incapacity or destruction would have a serious impact on cybersecurity, national economic security, or national public health or safety. |
| Implementation tiers | Implementation tiers describe how an organization views cybersecurity risk and the processes it uses to manage that risk. Tiers are prioritized for achieving cybersecurity objectives. With the NIST CSF applications, organizations can evaluate targets from the implementation tier view, which uses the Tier attribute on the Target table. |
| Cybersecurity activity | Cybersecurity policies and requirements are found in the ServiceNow® GRC Policy and Compliance Management application. That application provides guidelines for understanding the cybersecurity outcomes that must be achieved to strengthen cybersecurity practices and improve security compliance. In the NIST CSF application, an activity is the combination of a Target, a Function, and a Category. NIST CSF activities evaluate the cybersecurity requirements for Targets, giving detailed insight into gaps, non-compliant controls, risks, issues, failed indicators, and action plans, and into when those items are addressed. They also help organizations strengthen their security compliance position. |
| Functions | Functions organize basic cybersecurity activities at their highest level. The Functions are Identify, Protect, Detect, Respond, Recover, and Govern. They help an organization organize information, make risk management decisions, address threats, and learn from previous activities to improve its management of cybersecurity risk. In NIST CSF, functions select the relevant cybersecurity outcomes for activities and organize them. |
| Category | Categories are subdivisions of Functions, broken into groups of cybersecurity outcomes. Examples of categories include Asset Management, Identity Management and Access Control, and Detection Processes. Subcategories divide a category into specific outcomes of technical and management activities; they provide a set of results that support achievement of the outcomes in each category. Examples of subcategories include: External information systems are cataloged; Data-at-rest is protected; and Notifications from detection systems are investigated. The Framework Core identifies the categories and subcategories under each function; the application represents categories as cybersecurity policies and subcategories as policy statements. NIST CSF categories define the cybersecurity activities for targets, and the associated subcategories are used to evaluate cybersecurity requirements and provide additional insight. |
| Implementation state | The state of the cybersecurity activity: implemented, or planned for the future. The implementation state of each cybersecurity activity can be documented. |
| Gaps | Control objectives of the cybersecurity policy that have no controls in place for the target's profile identified in the cybersecurity activity. |
| Non-compliant controls | Cybersecurity controls for the target's entity identified in the cybersecurity activity that are considered non-compliant because of implementation issues. |
| Risks | Risks associated with the controls implemented for the target's entity identified in the cybersecurity activity. |
| Issues | Issues with the controls and risks for the target's entity identified in the cybersecurity activity. |
| Failed indicators | Failed indicators of the controls and risks implemented for the target's entity identified in the cybersecurity activity. |
| Action plans | Action plans for the issues of the target's entity identified in the cybersecurity activity. |