What is the NIST Cybersecurity Framework?
NIST is the National Institute of Standards and Technology, a non-regulatory federal agency and physical sciences laboratory within the U.S. Department of Commerce.
The NIST Cybersecurity Framework (CSF) is voluntary guidance, first published in 2014 under Executive Order 13636 and revised as version 1.1 in 2018, that helps organizations understand, manage, and reduce cybersecurity risk and communicate about that risk with internal and external stakeholders.
The framework lays out customizable activities and outcomes rather than prescriptive controls, so an organization can tailor it to its own exposure to cybersecurity risk.
Overview of the NIST Cybersecurity Framework
In addition to helping organizations manage and reduce risk, the framework was built to give internal and external stakeholders a common language for discussing cybersecurity risk. The Cybersecurity Framework consists of three primary elements: the Framework Core, the Implementation Tiers, and Profiles.
The Framework Core
The Core is a set of cybersecurity activities and desired outcomes, written in plain language, organized into Functions, Categories, and Subcategories. Each Subcategory carries Informative References that map it to existing standards and control catalogs (for example NIST SP 800-53, ISO/IEC 27001, and COBIT), so the Core can be layered onto an organization's existing risk management processes rather than replacing them.
The Implementation Tiers
The Implementation Tiers describe how rigorous and how well integrated an organization's cybersecurity risk management practices are, on a scale of four: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), and Tier 4 (Adaptive). Choosing a tier takes into account risk appetite, business priorities, the threat environment, legal and regulatory requirements, and available budget. Tiers are not maturity levels; a higher tier is only worth pursuing where it is cost-effective and measurably reduces risk.
Profiles
A Profile is the alignment of the Core's Functions, Categories, and Subcategories with the organization's business requirements, risk tolerance, and resources. Organizations typically build a Current Profile (the outcomes being achieved today) and a Target Profile (the outcomes required to meet their risk management objectives); comparing the two produces a prioritized list of gaps that drives the improvement plan and its budget.
What are the requirements of the NIST CF?
Within the Core, the framework organizes its outcomes into five Functions, each broken down into Categories with their own outcomes, that together describe a holistic cybersecurity program.
The five Functions are: Identify, Protect, Detect, Respond, and Recover. (CSF 2.0, published in February 2024, adds a sixth Function, Govern, and moves most of the governance material out of Identify; the Categories listed below follow CSF 1.1.)
1. Identify
- Asset Management (ID.AM): Inventory the systems, devices, data, personnel, and facilities that support core business operations, and prioritize them by their importance to the business.
- Business Environment (ID.BE): Define the organization's mission, objectives, operational activities, stakeholders, and its place in the supply chain and critical infrastructure sector.
- Governance (ID.GV): The policies, procedures, and processes used to manage and monitor the organization's regulatory, legal, operational, and risk management requirements.
- Risk Assessment (ID.RA): Identify the cybersecurity risks facing the organization, its assets, employees, and operations, including threats, vulnerabilities, likelihood, and impact.
- Risk Management Strategy (ID.RM): Define the organization's risk tolerance and priorities, and use them to support operational decision-making.
- Supply Chain Risk Management (ID.SC): Identify, assess, and manage the risk introduced by suppliers and third-party partners, including contractual security requirements and assessment of those partners.
2. Protect
- Identity Management and Access Control (PR.AC): Manage identities and credentials, and limit physical and logical access to systems, networks, and assets to what each user or process actually needs to do its job (least privilege), with stronger authentication where the risk warrants it.
- Awareness and Training (PR.AT): Provide cybersecurity awareness and role-based training so that employees and privileged users perform their duties with information security and compliance in mind.
- Data Security (PR.DS): Manage and handle the organization's data, at rest and in transit, in line with its risk strategy so that the confidentiality, integrity, and availability of critical information are maintained.
- Information Protection Processes and Procedures (PR.IP): The policies, procedures, and processes (baseline configurations, change control, backups, response and recovery plans) used to protect information systems and data assets.
- Maintenance (PR.MA): Maintain and repair information systems, including remote maintenance, according to the organization's policies and procedures.
- Protective Technology (PR.PT): Employ technical controls such as audit logging, removable media protection, and network protections to ensure the security and resilience of systems.
3. Detect
- Anomalies and Events (DE.AE): Ensure anomalous activity is detected quickly and the potential impact of each event is understood, which requires a baseline of normal operations to compare against.
- Security Continuous Monitoring (DE.CM): Monitor systems, networks, personnel activity, and external service providers continuously so that unauthorized access, malicious code, and other security events are discovered rapidly.
- Detection Processes (DE.DP): Maintain and test detection processes and procedures over time so that they are reliable, roles are defined, and detection information is communicated.
4. Respond
- Response Planning (RS.RP): Ensure the response plan is executed during or after an incident, so that response to security events is timely.
- Communications (RS.CO): Ensure the appropriate internal and external stakeholders (including law enforcement where relevant) are alerted to and kept aware of response activities.
- Analysis (RS.AN): Investigate notifications from detection systems, understand the impact of the incident, and perform forensics so that the response is effective and recovery is supported.
- Mitigation (RS.MI): The containment activities that stop an incident from spreading, mitigate its effects, and eradicate the cause.
- Improvements (RS.IM): Incorporate lessons learned from response activities into the response strategy and plan.
5. Recover
- Recovery Planning (RC.RP): Execute and maintain the recovery plan so that systems and services are restored in priority order.
- Improvements (RC.IM): Review recovery activities and incorporate lessons learned into the recovery strategy.
- Communications (RC.CO): Coordinate restoration activities with internal and external stakeholders, including managing public relations and repairing reputation.
Who does the NIST CF affect?
The CSF was originally written for operators of critical infrastructure and is voluntary for private-sector organizations; Executive Order 13800 (2017) later required federal agencies to use it to manage their cybersecurity risk. For a company, service provider, or subcontractor the framework becomes binding only when a customer or federal contract requires it (note that federal supply-chain contracts more often mandate specific NIST Special Publications, such as SP 800-171, than the CSF itself). Even without a mandate, ignoring the framework makes it harder to demonstrate due care to regulators, customers, and insurers, and can cost an organization valuable government contracts and reputation.
How to Implement NIST CF Best Practices
For those new to the cybersecurity framework, we recommend the following checklist of tips to help you to get started implementing NIST CF standards.
- Determine your cybersecurity goals and the scope of the effort (which business units, systems, and data are included)
- Build a Current Profile that records which Core outcomes you already achieve
- Conduct a risk assessment to identify the threats and vulnerabilities that matter to your operations
- Build a Target Profile that records the outcomes you need, informed by your risk tolerance and any contractual or regulatory requirements
- Compare the two Profiles to identify gaps, and prioritize them by risk and cost
- Implement an action plan to close the prioritized gaps
- Document everything, including both Profiles, the gaps, and the mitigation effort
- Take advantage of NIST resources such as the framework document, its informative references, and published sector profiles
- Work with someone experienced in the CSF to confirm you have covered all of your bases
Key Takeaways
- NIST (the National Institute of Standards and Technology) is an agency of the U.S. Department of Commerce; it developed the Cybersecurity Framework with input from industry.
- The NIST Cybersecurity Framework provides voluntary guidance that helps critical infrastructure operators, federal agencies, and any other organization manage and reduce cybersecurity risk.
- It is mandatory for federal agencies under Executive Order 13800 and applies to a company, service provider, or subcontractor when a customer or federal contract requires it.
- The CSF has no certification or attestation of its own, but its informative references map to NIST SP 800-53, the control catalog federal agencies must follow under FISMA, which makes the framework a useful organizing layer for FISMA and related compliance work.
- NIST provides a number of additional guidelines through its Special Publication series and FIPS to help federal agencies protect sensitive data and proactively combat cybersecurity risk.