NIST CYBERSECURITY FRAMEWORK

WHAT IS IT?

The NIST Cybersecurity Framework was published in February 2014, following a collaborative process involving industry, academia and government agencies, as directed by a presidential executive order. It is a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level.

The framework itself is divided into three components: core, implementation tiers, and profiles.

Framework core

The core is "a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes." It is further broken down into four elements: functions, categories, subcategories, and informative references.

Functions: There are five functions used to organize cybersecurity efforts at the most basic level: identify, protect, detect, respond, and recover. Together these five functions form a top-level approach to securing systems and responding to threats—think of them as your basic incident management tasks.
Categories: Each function contains categories used to identify specific tasks or challenges within it. For example, the protect function could include access control, regular software updates, and anti-malware programs.
Subcategories: These are further divisions of categories with specific objectives. The regular software updates category could be divided into tasks like making sure wake on LAN is active, that Windows updates are configured properly, and manually updating machines that are missed.
Informative references: Documentation, steps for execution, standards, and other guidelines fall under this element. A prime example for the manual Windows update subcategory would be a document outlining the steps to manually update Windows PCs.

Implementation tiers

There are four tiers of implementation, and while CSF documents don't consider them maturity levels, the higher tiers are considered a more complete implementation of CSF standards.

Tier 1: Called partial implementation, organizations at Tier 1 have an ad hoc and reactive cybersecurity posture. They have little awareness of organizational risk, and any plans they implement are often carried out inconsistently.
Tier 2: Risk-informed organizations may be approving cybersecurity measures, but implementation is still piecemeal. They are aware of risks, have plans, and have the proper resources to protect themselves, but haven't quite reached a proactive point.
Tier 3: The third tier is called repeatable, meaning that an organization has implemented CSF standards company-wide and is able to respond to crises in a repeatable way. Policy is consistently applied, and employees are informed of risks.
Tier 4: Called adaptive, this tier indicates total adoption of the CSF. Adaptive organizations aren't just prepared to respond to threats—they proactively detect threats and predict issues based on current trends and their IT architecture.

Profiles

Profiles are both outlines of an organization's current cybersecurity status and roadmaps toward CSF goals. NIST said having multiple profiles—both current and goal—can help an organization find weak spots in its cybersecurity implementations and make moving from lower to higher tiers easier.

Profiles also help connect the functions, categories, and subcategories to the business requirements, risk tolerance, and resources of the larger organization. Think of profiles as an executive summary of everything done with the previous elements of the CSF.

KEY BENEFITS OF THE NIST CYBERSECURITY FRAMEWORK

Effective collaboration

For most organizations, whether they are owners, operators, or suppliers for critical infrastructure, the NIST Cybersecurity Framework may be well worth adopting solely for its stated goal of improving risk-based security. The framework will deliver ancillary benefits that include effective collaboration and communication of security posture with executives and industry organizations, as well as potential future improvements in legal exposure and even assistance with regulatory compliance.

Business Requirement for Third-Party Suppliers

The framework can be used as a business requirement for companies that provide services to critical infrastructure owners, operators, and providers. For example, an organization deemed to be a critical infrastructure provider that adopts the framework shall require that its vendors and suppliers achieve the same Implementation Tier ranking. Doing so will help the organization protect itself from a potential weak link in its supply chain. An organization may conduct self-assessments based on the framework to better understand its risk-based cybersecurity posture, so that it is prepared should future requests for proposals (RFPs) and partnerships require some level of implementation of the Framework.

Maintain Regulatory Compliance

Many organizations are required to meet multiple regulations with overlapping and conflicting requirements. In order to avoid penalties and additional fees from regulatory bodies, many operators are forced to maintain several compliance documents describing how the organization is complying with each requirement. The standard developed by the framework enables auditors to evaluate cybersecurity programs and controls in one standard format, eliminating the need for multiple security compliance documents.

Spend Security Budgets Efficiently

In an environment where cyber threat information is not readily available, organizations struggle to understand how much security is enough security, which leads them to implement unnecessary cybersecurity protections. Through the use of the NIST Framework, standards of care can be established for each critical infrastructure sector. Organizations can leverage these standards to determine the appropriate level of security protections required, ensuring efficient use of security budgets.

Demonstrate Due Care

Organizations that adopt the framework at the highest possible risk-tolerance level will be better positioned to comply with future cybersecurity and data privacy regulations. Adoption of the Framework, therefore, is seen as an exercise of due care, and organizations should understand that their corporate security officers and boards may have a fiduciary obligation to comply with the guidelines.

Vetted by Industry

The Framework is also beneficial because it meets industry-vetted criteria. According to the Information Technology Industry Council (ITI), a high-tech trade association based in Washington, D.C., an effective cybersecurity effort should:

Leverage public-private partnerships and build upon existing initiatives and resource commitments
Reflect the borderless, interconnected, and global nature of today’s cyber environment
Be able to adapt rapidly to emerging threats, technologies, and business models
Be based on effective risk management
Focus on raising public awareness
Focus on bad actors and their threats