The US National Institute of Standards and Technology’s framework defines federal policy, but it can be used by private enterprises, too. Here’s what you need to know.
The tech world has a problem: Security fragmentation. There’s no standard set of rules for mitigating cyber risk—or even a common language—for addressing the growing threats of hackers, ransomware and stolen data, and those threats only continue to grow.
President Barack Obama recognized the cyber threat in 2013, which led to his cybersecurity executive order that attempts to standardize practices. President Donald Trump’s 2017 cybersecurity executive order went one step further and made the framework created by Obama’s order into federal government policy.
The framework isn’t just for government use, though: It can be adapted to businesses of any size.
TechRepublic’s cheat sheet about the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is a quick introduction to this government-recommended best practice, as well as a “living” guide that will be updated periodically to reflect changes to NIST’s documentation.
- What is the NIST Cybersecurity Framework? The NIST CSF is a set of optional standards, best practices, and recommendations for improving cybersecurity and risk management at the organizational level. NIST wrote the CSF at the behest of Obama in 2014.
- Why does the NIST Cybersecurity Framework matter? As cyberattacks become more complex, repelling them becomes more difficult, especially without a single cohesive strategy for information security and private sector organizations. The CSF aims to standardize practices to ensure uniform protection of all US cyber assets.
- Who does the NIST Cybersecurity Framework affect? The CSF affects anyone who makes decisions about cybersecurity and cybersecurity risks in their organizations, and those responsible for implementing new IT policies.
- When is the NIST Cybersecurity Framework happening? Obama called for the creation of the CSF in an executive order issued in 2013, and NIST released the guidelines a year later. Trump’s 2017 cybersecurity executive order made it federal government policy, and in 2018 NIST released an updated version of the CSF, version 1.1.
- How can I implement the NIST Cybersecurity Framework? NIST has thorough documentation of the CSF on its website, along with links to FAQs, industry resources and other information necessary to ease enterprise transition into a CSF world.
What is the NIST Cybersecurity Framework?
Obama signed Executive Order 13636 in 2013, titled Improving Critical Infrastructure Cybersecurity, which set the stage for the NIST Cybersecurity Framework that was released in 2014. The CSF’s goal is to create a common language, set of standards and easily executable series of goals for improving cybersecurity and limiting cybersecurity risk.
The CSF standards are completely optional—there’s no penalty for organizations that don’t wish to follow them. That doesn’t mean it isn’t an ideal jumping-off point, though—it was created with scalability and gradual implementation in mind, so any business can use it to improve its security practices and prevent a cybersecurity event.
The framework itself is divided into three components: Core, implementation tiers, and profiles.
The core is “a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.” It is further broken down into four elements: Functions, categories, subcategories and informative references.
- Functions: There are five functions used to organize cybersecurity efforts at the most basic level: Identify, protect, detect, respond and recover. Together these five functions form a top-level approach to securing systems and responding to threats—think of them as your basic incident management tasks.
- Categories: Each function contains categories used to identify specific tasks or challenges within it. For example, the protect function could include access control, regular software updates and anti-malware programs.
- Subcategories: These are further divisions of categories with specific objectives. The regular software updates category could be divided into tasks like making sure Wake-on-LAN is active, that Windows updates are configured properly and manually updating machines that are missed.
- Informative references: Documentation, steps for execution, standards and other guidelines would fall into this category. A prime example in the manual Windows update category would be a document outlining steps to manually update Windows PCs.
There are four tiers of implementation, and while the CSF documents don’t consider them maturity levels, the higher tiers represent a more complete implementation of CSF standards for protecting critical infrastructure.
- Tier 1: Called partial implementation, organizations at Tier 1 have an ad-hoc and reactive cybersecurity posture to protect their data. They have little awareness of organizational cybersecurity risk and any plans implemented are often done inconsistently.
- Tier 2: Cybersecurity risk-informed organizations may be approving cybersecurity measures, but implementation is still piecemeal. They are aware of risks, have plans and have the proper resources to protect themselves from data breach but haven’t quite gotten to a proactive point.
- Tier 3: The third tier is called repeatable, meaning that an organization has implemented CSF standards company-wide and is able to respond to cyber crises in a consistent, repeatable way. Policy is consistently applied, and employees are informed of risks.
- Tier 4: Called adaptive, this tier indicates total adoption of the CSF. Adaptive organizations aren’t just prepared to respond to cyber threats—they proactively detect threats and predict issues based on current trends and their IT architecture.
Profiles are both outlines of an organization’s current cybersecurity status and roadmaps toward CSF goals for protecting critical infrastructure. NIST said having multiple profiles—both current and goal—can help an organization find weak spots in its cybersecurity implementations and make moving from lower to higher tiers easier.
Profiles also help connect the functions, categories and subcategories to the business requirements, risk tolerance and resources of the larger organization they serve. Think of profiles as an executive summary of everything done with the previous three elements of the CSF.
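As an added illustration of how a current profile and a target profile expose weak spots, the following Python script performs a simple gap analysis over a small slice of the Core. This is example code written for this cheat sheet, not a NIST tool: the subcategory identifiers are real CSF 1.1 IDs, but the one-line outcome descriptions are paraphrased, and the tier values in the current and target profiles are constructed for illustration. It treats each subcategory’s tier as a number from 1 (partial) to 4 (adaptive), reports every subcategory where the target sits above the current state, and groups the results by function so an executive summary can be read per Identify/Protect/Detect/Respond/Recover area.

```python
"""Profile gap analysis over a small slice of the NIST CSF Core.

Added example, not NIST code. Subcategory IDs are real CSF 1.1 identifiers;
descriptions are paraphrased and all tier values below are constructed.
"""
from dataclasses import dataclass

# The five functions, keyed by the two-letter prefix used in subcategory IDs.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Implementation tiers as the page describes them.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# A handful of subcategories -> paraphrased outcome (constructed wording).
CORE = {
    "ID.AM-1": "Physical devices and systems are inventoried",
    "PR.AC-1": "Identities and credentials are issued, managed and revoked",
    "PR.IP-12": "A vulnerability management plan is in place",
    "DE.CM-1": "The network is monitored for potential security events",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after an incident",
}


@dataclass
class Gap:
    subcategory: str
    description: str
    current: int   # tier the organization is at today
    target: int    # tier the target profile asks for
    size: int      # target - current


def validate_profile(profile: dict) -> None:
    """Reject unknown subcategories or tiers so a typo cannot hide a gap."""
    for sub, tier in profile.items():
        if sub not in CORE:
            raise ValueError(f"unknown subcategory {sub!r}")
        if tier not in TIERS:
            raise ValueError(f"tier for {sub} must be 1-4, got {tier!r}")


def gap_analysis(current: dict, target: dict) -> list:
    """Return gaps where the target tier exceeds the current tier.

    A subcategory that the target names but the current profile omits is
    assumed to be at Tier 1 (partial): nothing documented means nothing
    repeatable. Results are sorted largest gap first, then by ID.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 1)
        if want > have:
            gaps.append(Gap(sub, CORE[sub], have, want, want - have))
    return sorted(gaps, key=lambda g: (-g.size, g.subcategory))


def gaps_by_function(gaps: list) -> dict:
    """Group gaps under their function name, e.g. {'Detect': [Gap, ...]}."""
    grouped = {}
    for g in gaps:
        grouped.setdefault(FUNCTIONS[g.subcategory[:2]], []).append(g)
    return grouped


# Constructed sample profiles. PR.IP-12 and RC.RP-1 are absent from the
# current profile, which the analysis treats as Tier 1.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 3, "DE.CM-1": 1, "RS.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "PR.IP-12": 3,
                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}


if __name__ == "__main__":
    for function, items in gaps_by_function(
            gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)).items():
        print(function)
        for g in items:
            print(f"  {g.subcategory:9} {TIERS[g.current]:>13} -> "
                  f"{TIERS[g.target]:<13} (+{g.size})  {g.description}")
```

Run stand-alone, the script prints the gaps grouped by function with Detect and Protect first, because those are the subcategories farthest from their target tier; that ordering is the point of keeping both a current and a target profile rather than a single checklist.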
Why does the NIST Cybersecurity Framework matter?
The cybersecurity world is incredibly fragmented despite its ever-growing importance to daily business operations. Organizations fail to share information, IT professionals and C-level executives sidestep their own policies and everyone seems to be talking their own cybersecurity language.
NIST’s goal with the creation of the CSF is to help eliminate the chaotic cybersecurity landscape we find ourselves in, and it couldn’t matter more at this point in the history of the digital world.
Cybersecurity threats and data breaches continue to increase, and the latest disasters seemingly come out of nowhere. The reason we’re constantly caught off guard is simple: There’s no cohesive framework tying the cybersecurity world together.
As time passes and the needs of organizations change, NIST plans to continually update the CSF to keep it relevant. Updates to the CSF happen as part of NIST’s annual conference on the CSF and take into account feedback from industry representatives, via email and through requests for comments and requests for information NIST sends to large organizations.
“If NIST learns that industry is not prepared for a new update, or sufficient features have not been identified to warrant an update, NIST continues to collect comments and suggestions for feature enhancement, bringing those topics to the annual Cybersecurity Risk Management Conference for discussion, until such a time that an update is warranted,” NIST said.
Who does the NIST Cybersecurity Framework affect?
The CSF affects literally everyone who touches a computer for business. IT teams and CXOs are responsible for implementing it; regular employees are responsible for following their organization’s security standards; and business leaders are responsible for empowering their security teams to protect their critical infrastructure.
The degree to which the CSF will affect the average person won’t lessen with time either, at least not until it sees widespread implementation and becomes the new standard in cybersecurity planning.
If it seems like a headache, it’s best to confront it now: Ignoring NIST’s recommendations will only lead to liability down the road when a cybersecurity event that could easily have been avoided occurs. Embrace the growing pains as a positive step in the future of your organization.
When is the NIST Cybersecurity Framework happening?
President Obama instructed NIST to develop the CSF in 2013, and the CSF was officially issued in 2014. President Trump’s cybersecurity executive order, signed on May 11, 2017, formalized the CSF as the standard to which all government IT is held and gave agency heads 90 days to prepare implementation plans.
Private sector organizations still have the option to implement the CSF to protect their data—the government hasn’t made it a requirement for anyone operating outside the federal government.
In 2018, the first major update to the CSF, version 1.1, was released. Most of the changes came in the form of clarifications and expanded definitions, though one major change came in the form of a fourth section designed to help cybersecurity leaders use the CSF as a tool for self-assessing current risks.
While brief, section 4.0 describes the outcomes of using the framework for self-assessment, breaking it down into five key goals:
- Examining organizational cybersecurity to determine which target implementation tiers are selected,
- Determining current implementation tiers and using that knowledge to evaluate the current organizational approach to cybersecurity,
- Establishing outcome goals by developing target profiles,
- Assessing current profiles to determine which specific steps can be taken to achieve desired goals,
- Using the CSF’s informative references to determine the degree to which controls, catalogs and technical guidance have been implemented.
How can I implement the NIST Cybersecurity Framework?
The NIST’s Framework website is full of resources to help IT decision-makers begin the implementation process. It contains the full text of the framework, FAQs, reference tools, online learning modules and even videos of cybersecurity professionals talking about how the CSF has affected them.
Of particular interest to IT decision-makers and security professionals is the industry resources page, where you’ll find case studies, implementation guidelines, and documents from various government and non-governmental organizations detailing how they’ve implemented or incorporated the CSF into their structure.
There’s no better time than now to implement the CSF: It’s still relatively new, it can improve the security posture of organizations large and small, and it could position you as a leader in forward-looking cybersecurity practices and prevent a catastrophic cybersecurity event.