What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) frameworks are a set of voluntary controls and balances to help operators of critical infrastructure organizations – like banks, hospitals, and utilities – manage cybersecurity risk. NIST itself is a federal agency within the US Chamber of Commerce that spans manufacturing, quality control, and information security, among other industries.
The agency collaborated with security industry experts, other government agencies, and academics to establish the frameworks which are now leveraged by many organizations to manage and reduce risks that could impact their environment and their customers.
When people in information security refer to the NIST frameworks, they're likely referring to three specific NIST documents on cybersecurity best practices:
- NIST Cybersecurity Framework: This framework focuses on industries vital to national and economic security, including energy, banking, communications, and the defense industrial base.
- NIST 800-53: This framework is primarily relevant to federal agencies as they work to become and stay compliant with the Federal Information Security Management Act (FISMA), and is best known for providing a deep dive into each of the act’s high-level requirements.
- NIST 800-171: This framework is directly related to 800-53, and provides guidance on security practices and controls that federal agencies must implement. It typically focuses on a narrow subset of organizations that handle Controlled Unclassified Information (CUI).
Two of these three documents specify required controls for either US federal agencies or any organizations which work with US federal government data. However, all three documents contain best practices helpful for any cybersecurity organization to use as a baseline in its security operations.
NIST Cybersecurity Framework Goals
NIST provides industry-agnostic guidance to help organizations achieve ideal security-related levels of competence and compliance. The depth and breadth of advice within the NIST framework documents are a great resource for federal agencies or organizations working with the US federal government.
What are the Main Components of the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is in place to help organizations determine what processes and controls are most relevant to their unique challenges, and how best to implement and test the efficacy of the security measures they put in place. The framework classifies its key points into six components:
- Identify: This component is all about identifying what needs to be protected. Gain visibility on what is being managed and how, and what needs to be added to the list of manageable functions.
- Protect: This component stipulates what capabilities and technology will be leveraged in protecting the identified functionalities or minimizing the impact resulting from a breach or other incident.
- Detect: This component centers on detection capabilities within the security organization and their relative strength in picking up anomalous signatures that could indicate a threat.
- Respond: This component ensures an organization has in place the capability to prioritize a threat or incident and aptly respond so that potential fallout and disruption to operations is minimized.
- Recover: This component brings in line a security operation center’s (SOC’s) ability to recover from an incident in a timely manner. Reporting is a critical subcomponent here, so that learnings can be implemented and playbooks for similar attack paths can be followed in the future.
- Govern: The newest component to NIST’s framework, the govern component asks – according to NIST – “how an organization ensures responsible governance and how a governance system reviews and achieves accountability,” here speaking directly to the area of cybersecurity and the systems in place to ensure a SOC is operating at optimal posture.
How to Get Started with the NIST Cybersecurity Framework
There are certain prescribed steps a SOC must take to align to the particulars of the NIST Cybersecurity Framework, but each organization will also have its own unique challenges. Let’s review some higher-level steps on getting started.
The NIST Tiered Approach
There are a total of four “tiers” that an organization can research at length and use to assess its security posture and determine how to move forward. According to the NIST Cybersecurity Framework 2.0 Quick-Start Guide for Using the CSF Tiers, using them “can help provide context on how an organization views cybersecurity risks and the processes in place to manage those risks. The Tiers can also be valuable when reviewing processes and practices to determine needed improvements and monitor progress made through those improvements.” The tiers are:
- Partial: Businesses aligning with this tier have very little knowledge of cybersecurity practices and wouldn’t know how to respond in the case of a security event.
- Risk-Informed: Businesses aligning with this tier have an idea of the major categories of security events, but do not possess a security operations center from which to create or strategize cybersecurity best practices.
- Repeatable: Businesses aligning with this tier are beginning to implement some cybersecurity best practices and are striving to create repeatable processes that a team can leverage in detection and response protocols.
- Adaptive: Businesses aligning with this tier have incorporated advanced security concepts into their daily operations and are able to adapt to most security events as well as enact proactive capabilities to seek out the next threat and extinguish it.
These tiers help define how agile an organization’s response to risk is at the current moment and would – in theory – provide a roadmap of sorts to help a security organization achieve a strong level of cybersecurity risk management. The Quick-Start Guide goes on to state that “when selecting tiers, consider the following aspects of the organization:
- Current risk management practices
- Threat environment
- Legal and regulatory requirements
- Information sharing practices
- Business and mission objectives
- Supply chain requirements
- Oganizational constraints, including resources"
Read More About Regulations and Compliance
Compliance: Latest News from the Blog