Using the NIST Cybersecurity Framework to Build Your Cybersecurity Program
The NIST Cybersecurity Framework (CSF) is a prudent model for businesses when it comes to cybersecurity. As an industry-agnostic approach to cybersecurity, the Framework is often the basis for assessing the cybersecurity posture of commercial and public entities.
What is NIST?
The National Institute of Standards and Technology (NIST) was created in 1901 with the passage of the National Standardization Act. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
NIST does this by developing measurement science, standards, and technology that underpin the U.S. economy and improve our quality of life. NIST also works to strengthen the nation’s cybersecurity posture through research and development in information technology, mathematical sciences, materials science, and physical measurement science and engineering. NIST has multiple laboratories located around the country that conduct research in these areas.
Why was the NIST CSF Created?
In February 2018, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. EO 13636 called on NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. The result is the NIST Cybersecurity Framework, which provides a prioritized, flexible, repeatable, and cost-effective approach to managing cybersecurity-related risk
Main Components of NIST Cybersecurity Framework
The Framework consists of three main components: the Framework Core, Framework Implementation Tiers, and Framework Profile.
- The Framework Core consists of activities to achieve cybersecurity outcomes and references that can be used to achieve the outcomes.
- The Framework Implementation Tiers, also known as just “Tiers,” provide an organizational backdrop with views on cybersecurity risk and how that risk is managed through increasing levels of rigor and sophistication.
- The Framework Profile or “Profile” is based on the Framework Categories and Subcategories that businesses choose based on their specific cybersecurity needs.
NIST Framework Core
At a high level, the NIST Framework Core contains five categories:
- Identify
- Protect
- Detect
- Respond
- Recover
The core provides a common language for understanding, managing, and expressing cybersecurity risk both internally and externally. Within the five core categories are 108 sub-categories that encompass the entire NIST Framework at a more granular level.
NIST Framework Implementation Tiers Explained
The NIST Framework has created a set of tiers to help organizations measure their cybersecurity preparedness. The tiers range from Partial (Tier 1) to Adaptive (Tier 4) and are determined based on an organization’s risk management needs. The Framework Implementation Tiers consider organizations’ risk management practices, threats, compliance requirements, and constraints before developing a cybersecurity implementation strategy. The Tiers provide insight into how well the outcomes are achieved by describing the degree of rigor and sophistication in an organization’s cybersecurity risk management practices.
NIST CSF Profiles Explained
Framework profiles show how the Framework Functions, Categories, and Subcategories align with the organization’s business requirements, risk tolerance and resources Within the NIST Framework, current and target profiles are set to determine the best implementation of a cybersecurity strategy. Current profiles are known within the NIST Framework as the ‘as is’ state of security system cybersecurity. On the other hand, target profiles are the desired outcome, or ‘to be’ state of cybersecurity implementation.
In other words, the Framework Profile is what an organization will need to implement within its cybersecurity strategy to identify opportunities for improvement to move from their “as is” current state of risk to a “to be” Target Profile that aligns with the organization’s mission and risk assessment outcomes.
How to use the NIST Cybersecurity Framework to Foster a Culture of Cybersecurity
NIST’s Framework provides an integrated approach to cybersecurity risk management that can be used by entities across sectors, associations, and organizations. It supports the creation of standard Profiles to align policy with business needs while helping identify potential actions within your organization’s scope in order to manage cybersecurity risk.
The Framework Core imparts a set of activities to achieve specific cybersecurity outcomes and references examples from the guidance that can help you with those goals. SCA helps organizations follow a proven process when establishing a cybersecurity program and reviewing previously existing cybersecurity programs to determine how they measure up.
The process begins with determining priorities and scope by identifying important systems and assets. Then, organizations should identify vulnerabilities and threats to the focus systems and assets. Following those initial processes, a current profile is developed to show what aspects of the NIST Framework Core are currently being achieved. Then, a risk assessment should analyze the organization’s operational environment to determine the likelihood of cybersecurity events and their related impact to create a target profile. The last two steps include determining, analyzing, and prioritizing any gaps between the current and target profiles. This step involves determining what needs to be done to bridge those gaps and in what order, while maintaining alignment with the initial scope and priorities.
Why does the NIST Cybersecurity Framework matter?
The NIST Cybersecurity Framework is a cost-effective way for organizations to approach cybersecurity and foster an enterprise-wide conversation around cyber risk and compliance. The framework is flexible and adaptable to your organization’s needs and compliance requirements. By complying with NIST best practices, you ensure that the systems, data, and networks of your organization and your customers are protected from cybersecurity attacks. This helps you save significant time and avoid expenses you may have in the future due to these attacks.
How Can the NIST Cybersecurity Framework Be Applied?
By applying the NIST Cybersecurity Framework, companies can organize information to enable better risk management decisions, address cybersecurity threats, and improve their overall cybersecurity strategy. Using the NIST Cybersecurity Framework, organizations can benchmark their cybersecurity effectiveness against industry standards in a measurable and meaningful way.
The NIST Cybersecurity Framework can serve as a key part of organizations’ systematic processes for identifying and managing cybersecurity risk. The Framework is NOT meant to replace any existing processes but rather to identify where gaps exist and help organizations develop roadmaps to improve their cybersecurity risk management. The Framework can help cybersecurity teams set priorities for implementing systematic change to address major risks first when developing a plan for improvement.
How SCA Can Help you Meet NIST Standards
SCA has a proven system to evaluate your cybersecurity posture against the NIST CSF. We conduct a comprehensive review of your organization’s current profile and provide a baseline for existing practices using the NIST Cybersecurity Framework, industry standards, and SCA best practices. From there, we perform the required risk assessment, work with you to define your target profile, and create a roadmap to help you achieve your goals.
Contact us today to learn more about how to meet NIST standards.