
NIST and CIS Controls for Small Business: What Actually Applies

Tags: cybersecurity, NIST, CIS Controls, SMB, risk management

Every cybersecurity conversation eventually circles back to two frameworks: NIST and CIS. For small and mid-sized businesses, the standard advice is to "align with NIST" or "implement CIS Controls." What the advice rarely includes is a clear answer to the obvious follow-up question: which parts?

Both frameworks were originally designed with large enterprises in mind. Taken in full, they describe hundreds of controls across dozens of categories — far more than most SMBs can meaningfully implement. The result is that many small businesses either ignore the frameworks entirely or attempt a compliance exercise that generates documentation without reducing actual risk.

Neither outcome is acceptable. Here is how to think about these frameworks at the SMB scale.


Understanding What NIST and CIS Are Actually Doing

The NIST Cybersecurity Framework (CSF) is a risk management structure. It organizes security activities into five functions: Identify, Protect, Detect, Respond, and Recover. It does not tell you what specific technical controls to implement — it tells you what categories of activity should exist in your security program.

CIS Controls (formerly Critical Security Controls) are more prescriptive. They provide a prioritized list of specific actions, organized into three implementation groups (IG1, IG2, IG3). IG1 is explicitly designed for organizations with limited resources and represents basic cyber hygiene. It covers 56 safeguards across 18 control families.

For most SMBs, IG1 is the right starting point — not the full CIS Controls list, not the NIST CSF in its entirety.


What IG1 Actually Covers

CIS IG1 focuses on the controls with the highest risk reduction value relative to implementation effort. The core families include:

Inventory and control of enterprise assets. You cannot protect systems you do not know exist. This means maintaining an accurate inventory of all devices connected to your network — servers, workstations, laptops, mobile devices, cloud instances.

Inventory and control of software assets. Unauthorized or unpatched software is one of the most common initial access vectors. IG1 requires knowing what software is running and ensuring it is authorized.

Data protection. Identifying where sensitive data lives, controlling access to it, and ensuring it is encrypted at rest and in transit. For SMBs, this frequently uncovers that sensitive files are stored in locations with far broader access than necessary.

Secure configuration of enterprise assets and software. Out-of-box configurations on most systems are not secure by default. IG1 requires applying hardened configurations and disabling unused services.

Account management. Controlling who has access to what, ensuring accounts are disabled when employees leave, and maintaining records of privileged access assignments.

Access control management. Limiting access to the minimum necessary for each role. Least privilege is the concept; consistent implementation is the work.

Continuous vulnerability management. Scanning systems for known vulnerabilities on a defined schedule and prioritizing remediation based on risk.

Audit log management. Collecting logs from critical systems so that if an incident occurs, you have evidence to reconstruct what happened.

Email and web browser protections. Filtering malicious content at the email gateway and browser level — this is where most attacks begin.

Malware defenses. Endpoint detection and response tools deployed and actively monitored.

Data recovery. Tested backups of critical systems and data, with verified restoration procedures.

Network infrastructure management. Documented network architecture, segmentation between critical systems and general user environments.

Network monitoring and defense. Detecting anomalous activity on the network before it becomes a breach.


How NIST CSF Adds Strategic Context

Where CIS IG1 tells you what to do technically, NIST CSF helps you understand why and how to organize the effort. The five functions (Identify, Protect, Detect, Respond, Recover) map roughly to:

  • Identify: Know your assets, risks, and obligations. This is the foundation before any technical controls.
  • Protect: The majority of IG1 lives here — hardening, access controls, training, data protection.
  • Detect: Logging, monitoring, anomaly detection.
  • Respond: Incident response plan, communication procedures, defined roles.
  • Recover: Backup and recovery, business continuity, post-incident review.

For SMBs presenting their security posture to clients, insurers, or auditors, the NIST CSF language provides a common vocabulary that technical and non-technical stakeholders can both use.


Where SMBs Consistently Fall Short

In practice, most small businesses are reasonably strong on protection controls (they have antivirus, they patch sometimes, they use MFA for Office 365) and weak on the supporting activities that make protection controls meaningful.

Asset inventory is almost universally incomplete. Shadow IT — cloud tools and devices adopted outside of IT approval — creates blind spots that protection controls cannot address.
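The inventory gap described above is easiest to see when the asset register is compared against what is actually on the wire. The following is an added example, not code from the original article: it reconciles a constructed inventory CSV against a constructed set of DHCP lease observations and reports devices that are unknown (the shadow-IT blind spot), inventoried devices that were not seen, and entries whose last verification date is stale. The CSV columns, the MAC addresses and the 90-day staleness threshold are assumptions chosen for the example.

```python
"""Reconcile an asset inventory against devices observed on the network.

All data below is constructed for the example; the column names and the
90-day verification window are assumptions, not a standard.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed inventory: what the asset register claims exists.
INVENTORY_CSV = """\
mac,hostname,owner,last_verified
AA:BB:CC:00:00:01,fs01,IT,2024-05-01
aa:bb:cc:00:00:02,laptop-jsmith,J. Smith,2024-04-12
aa:bb:cc:00:00:03,laptop-old,Former employee,2023-01-15
"""

# Constructed observation: MAC -> hostname taken from this week's DHCP leases.
OBSERVED_LEASES = {
    "aa:bb:cc:00:00:01": "fs01",
    "aa:bb:cc:00:00:02": "laptop-jsmith",
    "AA:BB:CC:00:00:09": "android-7f3a",   # on the network, absent from the register
}


@dataclass
class ReconcileResult:
    unknown: Dict[str, str]   # seen on the network but not in the inventory
    missing: List[str]        # in the inventory but not seen this period
    stale: List[str]          # in the inventory but not verified recently


def load_inventory(csv_text: str) -> Dict[str, dict]:
    """Key the register by normalised MAC so case differences do not create ghosts."""
    return {row["mac"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(inventory: Dict[str, dict], observed: Dict[str, str],
              today: date, max_age_days: int = 90) -> ReconcileResult:
    seen = {mac.strip().lower(): name for mac, name in observed.items()}
    unknown = {mac: name for mac, name in seen.items() if mac not in inventory}
    missing = sorted(row["hostname"] for mac, row in inventory.items() if mac not in seen)
    stale = sorted(
        row["hostname"] for row in inventory.values()
        if (today - date.fromisoformat(row["last_verified"])).days > max_age_days
    )
    return ReconcileResult(unknown, missing, stale)


def run_example() -> ReconcileResult:
    """Run the reconciliation on the constructed data as of a fixed date."""
    return reconcile(load_inventory(INVENTORY_CSV), OBSERVED_LEASES, date(2024, 6, 1))


if __name__ == "__main__":
    result = run_example()
    print("Unknown devices (investigate):", result.unknown)
    print("Inventoried but not seen:", result.missing)
    print("Verification overdue:", result.stale)
```

Each of the three lists is a different follow-up: an unknown device is a candidate for shadow IT, a missing device may be retired or stolen, and a stale entry simply needs someone to confirm it still exists. Running a pass like this on a schedule is what turns a one-time inventory into an inventory control.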

Logging and detection are frequently absent or exist only in theory. Logs are turned on but never reviewed, and no alerting is configured. This means breaches that should be detected in hours go undetected for weeks.
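"Logs are turned on but never reviewed" is fixed by a rule that reads them. The block below is an added example and not part of the original article: it runs two simple alerting rules over constructed, syslog-shaped authentication lines, flagging a burst of failed logins from one source and a subsequent successful login from that same source. The log line format, the five-failure threshold and the ten-minute window are assumptions for the example; a real deployment would take these values from the organisation's own log source.

```python
"""Review-and-alert pass over authentication events.

The log lines, the regex that parses them and the thresholds are all
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List

# Constructed sample lines in a syslog-like shape (not captured from a real host).
SAMPLE_LOG = """\
2024-06-03T08:00:01 host1 sshd: Failed password for admin from 203.0.113.7 port 51522
2024-06-03T08:00:04 host1 sshd: Failed password for admin from 203.0.113.7 port 51530
2024-06-03T08:00:09 host1 sshd: Failed password for root from 203.0.113.7 port 51541
2024-06-03T08:00:15 host1 sshd: Failed password for admin from 203.0.113.7 port 51555
2024-06-03T08:00:21 host1 sshd: Failed password for admin from 203.0.113.7 port 51560
2024-06-03T08:01:02 host1 sshd: Accepted password for admin from 203.0.113.7 port 51588
2024-06-03T09:12:44 host1 sshd: Failed password for jsmith from 192.0.2.10 port 40200
2024-06-03T09:13:10 host1 sshd: Accepted publickey for jsmith from 192.0.2.10 port 40211
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(lines: Iterable[str]):
    """Yield one event dict per line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def find_alerts(lines: Iterable[str], threshold: int = 5,
                window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Rule 1: >= threshold failures from one source inside the window.
    Rule 2: a successful login from a source that has already tripped rule 1."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    tripped = set()
    alerts = []
    for ev in parse(lines):
        src, ts = ev["src"], ev["ts"]
        if ev["outcome"] == "Failed":
            # keep only failures still inside the sliding window
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold and src not in tripped:
                tripped.add(src)
                alerts.append(f"{ts.isoformat()} burst: {len(failures[src])} failed "
                              f"logins from {src} on {ev['host']}")
        elif src in tripped:
            alerts.append(f"{ts.isoformat()} success after burst: {ev['user']} "
                          f"from {src} on {ev['host']}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second rule is the one worth having: a burst of failures is noise on any internet-facing host, but a success from the same source shortly afterwards is the event that needs a human within the hour, not within the week.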

Incident response planning is the most commonly missing element. Most SMBs have no documented procedure for what to do when something goes wrong. When an incident occurs, the absence of a plan guarantees a worse outcome.

Backup verification is the control that fails most visibly. Organizations assume their backups work until they need them. Testing backup restoration on a scheduled basis is simple and almost no one does it consistently.


A Practical Starting Point

If you have no formal security program and are starting from zero, here is a defensible prioritization:

  1. Complete a basic asset inventory (devices, software, cloud services, data).
  2. Enforce MFA across all accounts — email, cloud services, financial systems, remote access.
  3. Implement a patch management process with a defined cadence.
  4. Harden configurations on critical systems (disable unused services, change default credentials).
  5. Establish least-privilege access controls and review privileged accounts.
  6. Deploy EDR on all endpoints.
  7. Configure logging on critical systems (authentication events, configuration changes, network access).
  8. Write a one-page incident response plan that documents who to call and what to do in the first 24 hours of a potential breach.
  9. Test your backup restoration at least quarterly.

This is not exhaustive. It is a foundation that addresses the controls most commonly exploited in SMB attacks.


When Frameworks Become Compliance Theater

The failure mode to avoid is implementing frameworks as documentation exercises. A risk register that is never reviewed, a policy library that no one follows, an asset inventory that is immediately out of date — these create the appearance of a security program without delivering the substance.

Frameworks are useful when they organize real activity. They are not useful as substitutes for it.

If you are working through NIST or CIS alignment and want an honest assessment of where your organization actually stands versus where your documentation claims it stands, a Digital Fortress Audit provides that baseline with prioritized findings and a clear remediation path.

The goal is not to score well on a framework checklist. The goal is to make a breach less likely and less damaging when it happens.