The year is 2013: The Obama administration just signed Executive Order 13636, calling for the sharing of cybersecurity risk information and a framework for reducing such risk. It was then that the National Institute of Standards and Technology (NIST) was tasked with creating what would become the NIST Cybersecurity Framework (NIST CSF, aka the Framework).
The purpose of NIST CSF, set forward by the executive order, is to “maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” But since its conception in the US, NIST CSF has become an internationally used risk-based framework that provides a common language and foundation for understanding, managing, and communicating cybersecurity risk.
What is NIST CSF?
In NIST’s words, “The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.” The Framework consists of three components: the Core, Implementation Tiers, and Profiles. For the purpose of this post, we’ll focus on the Core.
The 5 Core Functions of the NIST Framework
- Identify: Gain an understanding of the organization’s business context to manage cybersecurity risk – including systems, assets, people, data, and capabilities. This foundational function helps organizations prioritize efforts in line with their risk management needs.
- Protect: Ensure delivery of critical services by developing and implementing proper safeguards. This function supports the organization’s efforts to mitigate potential cybersecurity risk.
- Detect: Take measures to identify cybersecurity events. The key to this function is continuous monitoring to ensure timely discovery.
- Respond: Develop a response plan to follow once an event occurs. It’s no longer if, but when a cybersecurity event will occur; organizations with a plan in place will have an easier time recovering from an incident.
- Recover: Restore capabilities or services affected by the incident for a timely return to normal operations.
Why Choose the NIST CSF Framework?
NIST CSF provides organizations with a common language and foundation for understanding, managing, and communicating cybersecurity risk to stakeholders. Not only does the Framework prevent organizations from having to reinvent the wheel, but it also serves as a point of reference for how organizations prioritize and manage their cybersecurity risk.
It’s an adaptable framework that addresses cybersecurity risk and supports end-to-end automated risk management to protect critical organizational assets. Simply put, a successful implementation of the Framework is one that can be automated and continuously assessed.
However, the best-laid plans to implement NIST CSF often go awry due to budget concerns and competing organizational priorities. Besides ongoing assessment, another hurdle is the fact that NIST CSF isn’t a compliance requirement; it falls in the category of best practice. To make the case for funding a NIST CSF program, make sure you have cross-functional teams in Information Security and IT risk backed by an executive sponsor who can help sway executive management’s decision to fund the implementation.
Risk managers can use these principles and standards to build a sound cybersecurity program by identifying overlaps and gaps to better determine program goals. Successful NIST CSF programs help integrate, communicate and prioritize cybersecurity efforts across the entire business. Such programs also help in complying with cybersecurity regulations like HIPAA, Homeland Security, GLBA, and NYDFS. And training on cybersecurity is always a good idea.
The Role of Self-assessments in NIST CSF
The key to maintaining an effective and successful NIST CSF program is regular self-assessment. What’s working? What isn’t? Do your efforts reach all relevant corners of the organization? Do you have the right visibility when you need it, continuously? Assessment responses are intended to measure the gap between the current and desired state. Conduct self-assessments on a schedule that suits your organization – annually, periodically, or continuously.
Regularly performing self-assessments against NIST CSF is considered a best practice, but creating and implementing the assessment process can prove difficult to manage.
NIST CSF 7 Years Later
If necessity is the mother of invention, the Obama administration had the right idea in 2013 instructing the National Institute of Standards and Technology (NIST) to create the NIST Cybersecurity Framework. Today, increased computing power, AI and Dark Web tools are equipping cyber attackers to launch sophisticated and destructive attacks. Businesses must evolve. Fortunately, executive leadership and the board are starting to see the threat to operations and the bottom line.
It means the time is right to approach management about the security necessity for NIST CSF and any resources your team will need to support it.
Overcome Cybersecurity Skill Shortage with a Solution Designed for NIST CSF
Ask any IT security professional: Cybersecurity skillsets are in high demand. You can compensate for a lack of expertise in-house by utilizing a technology platform that can manage multiple frameworks, including NIST CSF with all its tasks and requirements.
When making the case for adopting NIST CSF, it’s not hard to demonstrate how a NIST CSF technology platform gives leadership direct access to IT risk and threat data, resulting in more strategic decisions.