National Institute of Standards and Technology (NIST) is a non-regulatory agency that offers guidelines on technology-related matters such as measurement, engineering, information technology, etc. NIST offers many resources that help businesses meet security and privacy standards. The NIST guidelines related to cybersecurity aim to bring a level of uniformity when it comes to improving cybersecurity and limiting cybersecurity risk.
In this blog post, we introduce you to the NIST Cybersecurity Framework, walking you through its various components and elements. More importantly, we also share a step-by-step process for implementing the NIST framework at your organization.
What Is The NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is a security methodology or framework that provides guidance on how an organization can manage and reduce cybersecurity risks. It lists guidance for managing cybersecurity risk based on existing standards, guidelines, and practices.
NIST Cybersecurity Framework helps organizations shift their risk management approach from reactive to proactive. Consequently, it is becoming increasingly popular and is used by a growing number of organizations, businesses, and governments.
A Brief History Of NIST Cybersecurity Framework
In response to the growing threat of cyberattacks, President Barack Obama signed an Executive Order mandating improved standards for critical government and military infrastructure cybersecurity. Led by NIST and developed as a collaboration between public and private sectors, the first version of the document was published in 2014. The security framework soon became a gold standard for cybersecurity in the United States.
In April 2018, the NIST Cybersecurity Framework was made publicly available after a draft version had been circulated in 2017 for public comment. The NIST Cybersecurity Framework is being widely adopted because it can be applied to almost any sector and any business size.
What Are The 3 Main Components Of The NIST Cybersecurity Framework?
The NIST Cybersecurity Framework consists of three parts:
1. Framework Core
The “Framework Core” consists of an assortment of activities and desired outcomes. It aims at facilitating communication among the multiple disciplines by using simple non-technical language. It consists of five functions, namely, Identify, Protect, Detect, Respond, and Recover that are used to organize cybersecurity efforts.
The five functions are further split into 23 categories covering cyber, physical, and personnel topics. They are drafted to cover the broad range of cybersecurity objectives without being overly detailed, with a focus on business outcomes. The next level down has 108 subcategories, which are outcome-driven statements describing the creation or improvement of an organization’s cybersecurity program.
The functions form the basis of cybersecurity risk management as well as risk management as a whole. The framework is outcome-driven and does not specify how an organization should achieve the desired outcomes. This makes it possible to customize the implementation based on each organization’s risk exposure.
2. Implementation Tiers
The “Implementation Tier” is used to describe how the organization views cybersecurity risk and how its risk management practices align with the characteristics defined in the Framework. The Tiers range from Tier 1 - Partial to Tier 4 - Adaptive, describing an increasing degree of thoroughness and integration of cybersecurity risk into the broader risk management decisions. But they do not represent a progression or a maturity in your cybersecurity risk management level.
Organizations are free to determine the Tier they desire. They only need to ensure that the selected Tier meets their business goals, lowers their cybersecurity risk levels, and of course, the implementation is feasible, financially and operationally.
3. Framework Profile
A “Framework Profile” is a list of outcomes that the organization has chosen from the categories and subcategories. This list of outcomes is based on the business needs, risk appetite, and available resources and so is unique to each organization. The purpose of the Framework Profiles is to help the organization optimize the Cybersecurity Framework to best serve their requirements.
The profiles are often utilized to analyze the current cybersecurity risk management practices and compare them against the desired outcomes of the Framework Core to ascertain the gaps between the two. Creating framework profiles and subsequent gap analysis enables the organization to select effective corrective actions and create an implementation plan that prioritizes critical issues.
For more information, refer to the NIST Cybersecurity Framework Informative References.
What Are The 5 Elements Of The NIST Cybersecurity Framework?
As we mentioned earlier, the NIST framework consists of 5 main functions. It is important to understand these functions so that you are able to effectively describe your organization’s cybersecurity objectives and efforts. Here is a brief outline of the five functions:
1. Identify
The Identify function requires an organization to determine its critical assets and possible cybersecurity risks. The purpose of this function is to gather an understanding of the organization’s current risk management practices, critical assets, and security capabilities. This understanding should help you to better manage cybersecurity risks to your systems and assets.
2. Protect
The Protect function is for defining the necessary defenses and safeguards that ensure the delivery of critical infrastructure services. The purpose of this function is to help prioritize the security of the critical systems and assets to minimize the impact of any cybersecurity incident.
3. Detect
The Detect function requires organizations to have continuous monitoring and threat detection measures in place so that occurrence of security incidents can be promptly identified.
4. Respond
The Respond function is all about developing and implementing security measures against detected cybersecurity incidents. The aim is to enhance the organization’s ability to contain and mitigate security incidents.
5. Recover
The final function is Recover, which aims at developing and implementing measures to restore any functions or services damaged as a consequence of a cybersecurity incident. Implementing a disaster recovery and business continuity plan is an example of an outcome of this function.
Is NIST Cybersecurity Framework Mandatory?
Compliance with the NIST Cybersecurity Framework is mandatory for federal agencies and their contractors. Which standards they have to comply with depends on the goods and services they provide. However, special publications such as the NIST 800-53 standard for privacy and data security controls are usually required for all contractors. For private sector businesses that don’t work with government agencies, compliance with NIST standards is not mandatory.
Nevertheless, implementing the NIST cybersecurity framework is still a good idea. Modern businesses face a wide variety of cyber threats, and with the adoption of new technologies, cybersecurity is becoming more complex every day. The NIST framework provides you with a single coherent strategy for cybersecurity across business sectors and organizations. It aims at standardizing security practices to ensure uniform protection of cyber assets across the US.
How To Implement The NIST Cybersecurity Framework?
The NIST Cybersecurity Framework has a seven-step process to help implement a new cybersecurity program or improve the existing one. The usual implementation process involves developing a “Current Profile”, which gives a picture of the current cybersecurity risk management practices. You then create a “Target Profile” where you want your cybersecurity program to be and then define steps to transition from your current profile to the target profile.
Here is the seven-step process to implement the NIST Cybersecurity Framework:
Step 1: Prioritize and Scope
Your first step is to identify your organization’s business objectives and high-level priorities. This information helps you define the scope of the systems and assets that will support the business processes as well as make strategic decisions concerning cybersecurity implementations. It is crucial that you identify all of your critical systems and assets so that their protection is prioritized.
Step 2: Orient
After defining the scope of the cybersecurity program, be it for a business process or the entire organization, you need to identify the associated systems and assets, regulatory requirements, and the overall risk approach.
Next, you have to identify the threats and vulnerabilities relevant to the systems and assets identified in the scope. For example, for a predominantly IT-related scope, risk and vulnerability assessments and threat modeling will get more importance.
Step 3: Create a Current Profile
The next step in the process requires you to develop a “Current Profile” indicating all the existing security controls and the corresponding outcomes being achieved. You need to use the Categories and Subcategories as described in the Framework core to define which outcomes are being fully or partially achieved. This baseline will help you plan the next steps towards fulfilling the business objectives.
Step 4: Conduct a Risk Assessment
Once you have created your current profile, you need to conduct a cybersecurity risk assessment to analyze your environment and identify the likelihood of cybersecurity events and the potential impact they could have on your organization. Previous risk assessments can be used as a starting point.
Step 5: Create a Target Profile
After you have completed steps 1 through 4, you should be able to create a Target Profile, i.e., the desired state of your cybersecurity program. It is advisable to be cautious in your approach and focus on the Categories and Subcategories that describe your desired cybersecurity outcomes based on your organization’s risk appetite.
Step 6: Determine, Analyze and Prioritize Gaps
In this step, you identify the gaps between your Current and Target Profiles. The identified gaps must be analyzed to create a prioritized action plan based on the organizational goals, cost-benefit, and risks involved in achieving the outcomes of the Target Profile. In this step, you also need to determine the resources required to address the gaps. All the steps completed so far should help you to implement cost-effective, targeted improvements.
Step 7: Implement Action Plan
After determining the gaps that need to be addressed, you need to define and carry out the steps necessary to address the identified gaps. Existing cybersecurity systems and processes may need to be adjusted or new ones implemented to achieve the Target Profile.
This is an iterative process and your organization can repeat individual steps as many times as necessary to continuously improve your cybersecurity.
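As an added illustration of Steps 3 through 6 (not code from the original post or from NIST), the script below compares a Current Profile against a Target Profile per subcategory and ranks the gaps by risk-weighted benefit per unit of effort. The subcategory identifiers follow the NIST CSF v1.1 numbering (e.g. ID.AM-1); the implementation levels, risk weights and effort figures are constructed sample data.

```python
# Added example: Current vs Target Profile gap analysis with prioritization.
# Subcategory IDs use the NIST CSF v1.1 scheme; all values below are constructed.

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Implementation level per subcategory: 0 = not achieved, 1 = partial, 2 = full.
CURRENT_PROFILE = {"ID.AM-1": 1, "PR.AC-1": 2, "PR.DS-1": 0,
                   "DE.CM-1": 0, "RS.RP-1": 1, "RC.RP-1": 0}
TARGET_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 2, "PR.DS-1": 2,
                  "DE.CM-1": 2, "RS.RP-1": 2, "RC.RP-1": 1}
# Risk weight (1-5) from the Step 4 risk assessment (likelihood x impact, scaled).
RISK_WEIGHT = {"ID.AM-1": 3, "PR.AC-1": 5, "PR.DS-1": 4,
               "DE.CM-1": 5, "RS.RP-1": 2, "RC.RP-1": 3}
# Rough effort in person-days to close each gap, used for cost-benefit ordering.
EFFORT_DAYS = {"ID.AM-1": 5, "PR.AC-1": 0, "PR.DS-1": 20,
               "DE.CM-1": 15, "RS.RP-1": 4, "RC.RP-1": 10}


def find_gaps(current, target):
    """Step 6: subcategories whose current level is below the target level.
    A subcategory absent from the Current Profile counts as level 0."""
    return {sub: target[sub] - current.get(sub, 0)
            for sub in target if current.get(sub, 0) < target[sub]}


def prioritize(gaps, risk, effort):
    """Rank gaps by (gap size x risk weight) per person-day, highest first.
    Returns rows of (subcategory, function, gap, benefit, score)."""
    rows = []
    for sub, delta in gaps.items():
        benefit = delta * risk[sub]
        score = round(benefit / max(effort[sub], 1), 2)  # avoid divide-by-zero
        rows.append((sub, FUNCTIONS[sub[:2]], delta, benefit, score))
    return sorted(rows, key=lambda r: (-r[4], -r[3], r[0]))


def action_plan(current=CURRENT_PROFILE, target=TARGET_PROFILE,
                risk=RISK_WEIGHT, effort=EFFORT_DAYS):
    """Steps 3-6 end to end: gaps from the two profiles, then a ranked plan."""
    return prioritize(find_gaps(current, target), risk, effort)


if __name__ == "__main__":
    for sub, fn, gap, benefit, score in action_plan():
        print(f"{sub:8} {fn:9} gap={gap} benefit={benefit:2} score={score}")
```

Subcategories already at target (PR.AC-1 above) drop out of the plan, and a target outcome missing from the Current Profile is treated as not yet achieved rather than ignored.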
Conclusion
Implementing the NIST cybersecurity framework is completely voluntary for private sector businesses that do not work with any government agencies. In addition, it can be a real challenge to implement. Nevertheless, the framework is still a worthwhile investment, as it will improve the security posture of your organization no matter what level it is currently at.
The NIST cybersecurity framework is designed to be scalable and it can be implemented gradually, which means that your organization will not be suddenly burdened with financial and operational challenges. Since it is based on outcomes and not on specific controls, it helps build a strong security foundation. This will make it easier for your organization to achieve compliance and keep you prepared for new regulations as they emerge.
Are you happy with the security posture of your organization? Are your security systems able to keep up with the changing threat landscape and regulatory changes? If your answer is no or if you are unsure, reach out to us by clicking the button below to learn how Jones IT can help improve your security posture cost-effectively.