NIST and CIS Cybersecurity Frameworks: A Practical Guide for Utah Businesses

You don't need to be a Fortune 500 company to use a cybersecurity framework. Here's how NIST and CIS give Utah small and mid-sized businesses a structured, proven approach to security — without the enterprise complexity.

KEY TAKEAWAYS
  • Cybersecurity frameworks like NIST CSF and CIS Controls replace ad-hoc security with a structured, repeatable approach that scales with your business
  • NIST CSF 2.0 organizes security into six functions — Govern, Identify, Protect, Detect, Respond, Recover — giving you a clear roadmap for improvement
  • CIS Controls v8 provides 18 prioritized, actionable controls that tell you exactly what to implement first for the biggest security impact
  • Brivy IT uses these frameworks to build security programs for Utah businesses — from initial assessment through implementation and ongoing management
If you run a business in Utah, cybersecurity probably isn’t the first thing you think about in the morning. You’re focused on customers, operations, payroll, and growth. But at some point — maybe after a close call with a phishing email, a conversation with your insurance broker, or a compliance audit — the question comes up: “Are we actually secure?”

The honest answer for most small and mid-sized businesses is: “We’re not sure.” You might have antivirus software, a firewall, and strong passwords. But do you have a plan? A way to measure where you stand? A roadmap for what to improve next?

That’s what cybersecurity frameworks are for. They take the guesswork out of security and replace it with a structured approach that’s been tested and refined by thousands of organizations. Two frameworks dominate the conversation for businesses our size: the NIST Cybersecurity Framework (CSF) and the CIS Controls. Let’s break down what each one does, how they’re different, and how Utah businesses can use them without hiring a full-time security team.

What Is a Cybersecurity Framework?

A cybersecurity framework is a set of guidelines, best practices, and standards that help organizations manage their security posture. Think of it as a blueprint. Instead of randomly buying security tools and hoping they cover your gaps, a framework gives you a structured way to assess your current state, identify what matters most, and prioritize improvements. Frameworks don’t tell you which specific products to buy. They tell you what capabilities you need — things like asset inventory, access control, incident response, and backup verification. You then choose the tools and processes that fit your budget and environment.
  • 6 NIST CSF 2.0 core functions
  • 18 CIS Controls v8 categories
  • 73% of breaches exploit basic gaps
The most important thing a framework does is shift your thinking from reactive to proactive. Instead of waiting for something bad to happen and then scrambling, you build defenses systematically and measure your progress over time.

NIST Cybersecurity Framework (CSF 2.0)

The National Institute of Standards and Technology released the original CSF in 2014. The updated version — CSF 2.0, released in early 2024 — expanded the framework to apply more broadly to organizations of all sizes, not just critical infrastructure. NIST CSF 2.0 is organized around six core functions:

  • Govern. This is the new addition in 2.0. It covers the organizational context for cybersecurity — policies, roles, risk management strategy, and oversight. In practical terms: does your business have someone responsible for security? Is there a documented policy? Do you review your security posture regularly?
  • Identify. Know what you have. This means maintaining an inventory of hardware, software, data, and users. You can’t protect assets you don’t know exist. For Utah businesses, this often starts with discovering how many devices, cloud accounts, and third-party services are actually in use.
  • Protect. Put safeguards in place. This includes access controls (MFA, role-based permissions), employee security training, data encryption, endpoint protection, and secure configuration of systems.
  • Detect. Monitor for threats. This function covers security monitoring, log analysis, and threat detection capabilities. For most small businesses, this means having some form of managed detection — whether it’s a SIEM, an EDR solution, or a managed security service that watches for anomalies.
  • Respond. Have a plan for when things go wrong. Incident response planning, communication procedures, and containment strategies all fall here. The key question: if you discovered a breach tomorrow morning, does your team know what to do in the first 60 minutes?
  • Recover. Get back to normal. This covers backup restoration, disaster recovery, and communication with affected parties. Testing your backups regularly is the most important thing most businesses neglect in this function.
💡 PRO TIP

NIST CSF 2.0 is free to use and doesn’t require certification. You can download the full framework from nist.gov/cyberframework and start using it immediately. Many compliance standards (HIPAA, PCI DSS, state regulations) map directly to NIST functions, making it easier to satisfy multiple requirements with one framework.

CIS Controls v8

The Center for Internet Security (CIS) takes a different approach. While NIST provides a high-level framework for thinking about security, CIS gives you a prioritized checklist of specific things to do. CIS Controls v8 includes 18 control categories, each broken into individual safeguards. The controls are organized into three Implementation Groups based on organizational size and risk:

  • Implementation Group 1 (IG1) — the essential cyber hygiene baseline. This is where most small businesses should start. It covers 56 safeguards that address the most common attack vectors. If you implement IG1 fully, you’re ahead of the majority of businesses your size.
  • Implementation Group 2 (IG2) — adds 74 more safeguards for organizations with moderate risk or compliance needs. This is where businesses handling sensitive data (healthcare, financial services, government contractors) typically operate.
  • Implementation Group 3 (IG3) — the full set of 153 safeguards. This level is for organizations facing sophisticated threats or operating in highly regulated industries.

The first five CIS Controls — the ones that address the vast majority of breaches — are:

  1. Inventory and control of enterprise assets (know your hardware)
  2. Inventory and control of software assets (know your software)
  3. Data protection (classify and protect sensitive data)
  4. Secure configuration of enterprise assets and software (harden your systems)
  5. Account management (control who has access to what)

These five controls alone, implemented consistently, would prevent most of the breaches that affect small businesses. They’re not glamorous. There’s no advanced AI threat detection involved. It’s basic blocking and tackling — and it works.

NIST vs. CIS: Which One Should You Use?

This is a common question, and the answer is: they’re complementary, not competing. NIST CSF is a strategic framework. It helps you think about your overall security program, communicate with leadership, and align security with business objectives. It’s great for answering the question: “What does a mature security program look like for our business?” CIS Controls are tactical. They tell you exactly what to implement and in what order. They’re great for answering the question: “What should we do next to improve our security?” Many organizations — including the ones Brivy IT works with — use both. NIST CSF provides the big picture and the language for discussing security at the business level. CIS Controls provide the implementation roadmap and the specific checklist of actions.

If you’re starting from scratch and need to pick one, start with CIS Controls IG1. It gives you the most actionable guidance with the least overhead. Once you’ve implemented IG1, you can layer NIST CSF on top for strategic planning and compliance mapping.

How Utah Businesses Can Get Started

Adopting a cybersecurity framework doesn’t mean hiring a CISO or building a security operations center. Here’s a practical starting point for a Utah small or mid-sized business:

  • Run a baseline assessment. Score your current security posture against CIS Controls IG1 or NIST CSF core functions. Identify the biggest gaps. Brivy IT does this as part of our security assessments for Utah businesses.
  • Prioritize by risk. You can’t fix everything at once. Focus on the controls that address your highest risks first. For most businesses, that means: asset inventory, MFA enforcement, endpoint protection, backup verification, and employee security training.
  • Document your policies. Even simple written policies — acceptable use, password requirements, incident response steps — satisfy the Govern and Protect functions and demonstrate due diligence to auditors, insurers, and regulators.
  • Automate what you can. Use tools like Microsoft 365 security policies, RMM platforms, and managed detection services to enforce controls automatically. Manual processes are the enemy of consistent security.
  • Review quarterly. Security isn’t a project — it’s a program. Review your control implementation every quarter, update your risk assessment annually, and adjust your priorities as your business evolves.
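As an added example (not code from the original post or from Brivy IT), the baseline-assessment and quarterly-review steps above can be scored with a small script. It assumes a constructed, abridged subset of CIS Controls v8 safeguards, each tagged with the lowest Implementation Group that requires it; the IDs and titles are shortened from memory and should be checked against the official CIS list before you rely on them.

```python
from dataclasses import dataclass

# Constructed, abridged sample of CIS Controls v8 safeguards (check IDs and
# wording against the official CIS list). `ig` is the lowest Implementation
# Group that requires the safeguard: IG2 includes all of IG1, IG3 includes all
# of IG1 and IG2, which is why a target IG scopes in everything at or below it.
@dataclass(frozen=True)
class Safeguard:
    sid: str    # "<control>.<safeguard>", e.g. "1.1" is Control 1, safeguard 1
    title: str
    ig: int     # 1, 2 or 3

SAMPLE_SAFEGUARDS = [
    Safeguard("1.1", "Establish and maintain a detailed enterprise asset inventory", 1),
    Safeguard("1.2", "Address unauthorized assets", 1),
    Safeguard("2.1", "Establish and maintain a software inventory", 1),
    Safeguard("3.3", "Configure data access control lists", 1),
    Safeguard("4.1", "Establish and maintain a secure configuration process", 1),
    Safeguard("5.2", "Use unique passwords", 1),
    Safeguard("3.10", "Encrypt sensitive data in transit", 2),
    Safeguard("5.6", "Centralize account management", 2),
    Safeguard("13.7", "Deploy a host-based intrusion prevention solution", 3),
]

def _sid_key(sid: str) -> tuple:
    # Numeric sort so "1.10" lands after "1.2", not between "1.1" and "1.2".
    return tuple(int(part) for part in sid.split("."))

def score(safeguards, implemented, target_ig=1):
    """Score a baseline against one Implementation Group.
    `implemented` is the set of safeguard IDs evidenced as in place. Gaps come
    back ordered by control number: CIS already orders controls by priority,
    so the first gap is the next job."""
    scope = [sg for sg in safeguards if sg.ig <= target_ig]
    gaps = sorted((sg for sg in scope if sg.sid not in implemented),
                  key=lambda sg: _sid_key(sg.sid))
    covered = len(scope) - len(gaps)
    pct = round(100.0 * covered / len(scope), 1) if scope else 100.0
    return pct, gaps

def quarterly_report(safeguards, implemented, target_ig=1) -> str:
    """Plain-text summary suitable for a quarterly review or an insurer."""
    pct, gaps = score(safeguards, implemented, target_ig)
    lines = [f"IG{target_ig} coverage: {pct}% ({len(gaps)} gaps)"]
    lines += [f"  GAP {sg.sid}: {sg.title}" for sg in gaps]
    return "\n".join(lines)

if __name__ == "__main__":
    print(quarterly_report(SAMPLE_SAFEGUARDS, {"1.1", "2.1", "5.2", "3.10"}, 1))
```

Re-running the same assessment against IG2 or IG3 shows how the cumulative groups widen the scope without changing which IG1 gaps come first.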

Why This Matters for Compliance and Insurance

If your business needs to comply with HIPAA, PCI DSS, CMMC, or Utah’s data breach notification laws, frameworks make compliance dramatically easier. Most compliance standards map directly to NIST CSF or CIS Controls, so implementing one framework often satisfies multiple regulatory requirements simultaneously. Cyber insurance is another practical motivator. Insurance carriers increasingly want to see evidence of a security framework in place before issuing or renewing policies. Having CIS Controls IG1 implemented — with documentation to prove it — can mean lower premiums, fewer exclusions, and faster claims processing.

How Brivy IT Uses Frameworks for Our Clients

At Brivy IT, we don’t treat cybersecurity as a product you buy. We treat it as a program you build. Our approach for Utah businesses is framework-driven: We start with a security assessment mapped to CIS Controls and NIST CSF. We identify gaps, prioritize remediation, and build an implementation roadmap that fits your budget and timeline. Then we handle the technical work — deploying endpoint protection, configuring MFA, hardening Microsoft 365, setting up monitoring, and documenting everything. The result is a security program you can explain to your board, your insurance broker, and your auditors. Not a collection of random tools, but a measured, documented, continuously improving program built on proven frameworks.

Cybersecurity Framework FAQs

Is NIST CSF only for large enterprises?
No. NIST CSF 2.0 was specifically updated to apply to organizations of all sizes, including small businesses. You can adopt the functions and categories that are relevant to your risk profile without implementing every subcategory.
Do I need to get certified in NIST or CIS?
No. Neither NIST CSF nor CIS Controls require formal certification. They're voluntary frameworks you adopt at your own pace. Some industries have mandatory compliance frameworks (like CMMC for defense contractors), but NIST and CIS themselves are free to use.
How long does it take to implement CIS Controls IG1?
For a small business working with an IT partner, implementing the 56 IG1 safeguards typically takes 3-6 months. The timeline depends on your starting point and how many systems need to be reconfigured.
Can these frameworks help with cyber insurance?
Yes. Many cyber insurance carriers use CIS Controls or NIST CSF as a benchmark when evaluating applicants. Documented framework adoption can result in lower premiums and better coverage terms.
What's the cost of adopting a framework?
The frameworks themselves are free. Implementation costs depend on your current security gaps and the tools needed to close them. For most small businesses, the biggest investments are in endpoint protection, MFA, backup solutions, and employee training — things you likely need regardless of framework adoption.

Ready to Build a Real Security Program?

Brivy IT helps Utah businesses adopt NIST and CIS frameworks with practical, budget-conscious implementation plans. We handle the technical work — you get a security program you can measure, document, and trust.

Know Where You Stand on Security

Get a baseline security assessment mapped to NIST CSF and CIS Controls. We'll show you exactly where you are, where the gaps are, and what to fix first.
