What is the NIST Cybersecurity Framework?
The Cybersecurity Enhancement Act of 2014 amended the role of the National Institute of Standards and Technology (NIST) to include the identification and development of cybersecurity risk frameworks. Through this act, NIST was tasked with identifying a “prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls…” The Framework’s wording continues to evolve across versions, but its aim is constant: to help organizations address and manage cybersecurity risk cost-effectively, without imposing regulatory requirements. Adoption is voluntary.
The Framework positions cybersecurity risks as a part of the organization’s risk management processes. It also serves as an organizing structure that facilitates many approaches to cybersecurity by aggregating practices, guidelines, and standards that are best-in-class and used today.
What is the key objective of the NIST Cybersecurity Framework?
The objective of the NIST Cybersecurity Framework is to help an organization build an approach to cybersecurity that is customized to its own needs. This is done methodically, with a flexible, systematic process that leads to a prioritized implementation plan. The Framework also serves as a common language for communicating cybersecurity risks, activities, and outcomes, both inside the organization and with external partners.
What are the three components of the NIST Cybersecurity Framework?
The Framework has three components: the Framework Core, the Implementation Tiers, and the Profiles.
Framework Core
The Core is designed as an intuitive translation layer that lets technical and non-technical teams communicate in shared language. It is a set of desired cybersecurity activities and outcomes organized into three levels: Functions, Categories, and Subcategories. Each Subcategory is additionally mapped to Informative References, existing standards and guidelines that illustrate how the outcome can be achieved.
The NIST Framework Core has five high-level Functions: Identify, Protect, Detect, Respond, and Recover. These organize basic cybersecurity activities at their highest level and tie cybersecurity risk management into the organization’s overarching risk management strategy.
The next level down divides the five Functions into 23 Categories. These Categories represent groups of cybersecurity outcomes within each Function, spanning cyber, physical, and personnel concerns.
At the most granular level, 108 Subcategories serve as outcome-driven statements that provide considerations for creating a new cybersecurity program or strengthening an existing one. Because they describe outcomes rather than mandated controls, this model allows for customized, risk-based implementations that match the organization’s needs.
Framework Implementation Tiers
Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. The scale is descriptive rather than quantitative and considers three dimensions: the risk management process, the integrated risk management program, and external participation.
Tiers range from 1 to 4. NIST states that Tiers do not represent maturity levels; they are meant to support decision-making about how to manage cybersecurity risk and which dimensions of the organization are higher priority.
- Tier 1 – Partial
- Tier 2 – Risk-informed
- Tier 3 – Repeatable
- Tier 4 – Adaptive
An organization should select a target Tier that is feasible to adopt, fiscally aligned, consistent with its organizational goals, and that reduces cybersecurity risk to the level the organization deems acceptable. Progressing to a higher Tier is encouraged when a cost-benefit analysis indicates a feasible and cost-effective reduction of cybersecurity risk.
Framework Profiles
Profiles are used to identify opportunities for improving an organization’s cybersecurity posture. A Current Profile records the Framework outcomes the organization achieves today; a Target Profile records the outcomes it needs to achieve. Comparing the two reveals the gaps. Profiles take into account business objectives, the threat environment, and legal or regulatory requirements, all of which shape how the Framework Functions apply to the organization.
Because the Framework is voluntary, there is no single “correct” Profile: a Profile maps the organization’s own cybersecurity requirements, mission objectives, and operating methods. A simple method is to list the Subcategories in priority order, estimate the size of each gap, assign a budget, and define the activities needed to close each gap. The result is a prioritized implementation plan.
How to Use the NIST Cybersecurity Framework
The NIST Framework for Improving Critical Infrastructure Cybersecurity provides a seven-step process for creating a new cybersecurity program or improving an existing one. The process is a continuous improvement loop: once the last step is complete, the organization repeats the cycle for incremental and constant progress.
- Prioritize and scope – the organization identifies its business or mission objectives and high-level organizational priorities, and decides the scope of systems and assets the program covers.
- Orient – the organization identifies the related systems, assets, regulatory requirements, and overall risk approach, then identifies threats to, and vulnerabilities of, those systems and assets.
- Create a Current Profile – the organization records which Category and Subcategory outcomes from the Framework Core are currently being achieved, and to what degree.
- Conduct a risk assessment – on-premises, cloud, and hybrid environments all need to be considered to discern the likelihood of a cybersecurity event and its impact on the organization.
- Create a Target Profile – an ideal future-state Profile is created that focuses on the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes.
- Determine, analyze, and prioritize gaps – the organization compares the Current Profile with the Target Profile, performs a gap analysis, and creates a prioritized action plan, taking cost, benefit, and risk into account.
- Implement the action plan – the organization adjusts its practices to close the gaps, working through the action items in the prioritized plan; when the cycle completes, it starts again with a refreshed Current Profile.
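As an added example of the gap analysis described in the Profiles section and in the seven steps above (this is not code from NIST or from the original page), the following script compares a Current Profile with a Target Profile per Subcategory, orders the open gaps, allocates a budget, and then produces the refreshed Current Profile for the next pass of the loop. The Subcategory IDs and outcome statements are real CSF 1.1 entries (the PR.AC-1 wording is shortened); the 0–4 implementation scale, the priorities, the costs, and the `Outcome`, `prioritize`, `plan`, and `next_profile` names are all assumptions made for this illustration.

```python
from dataclasses import dataclass, replace

# Assumed (not CSF-defined) implementation scale for each outcome:
# 0 = not implemented, 1 = ad hoc, 2 = partial, 3 = largely achieved, 4 = fully achieved.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Outcome:
    subcategory: str   # CSF 1.1 Subcategory ID, e.g. "PR.AC-1"
    description: str   # CSF 1.1 outcome statement
    current: int       # Current Profile level on the assumed 0-4 scale
    target: int        # Target Profile level on the same scale
    priority: int      # assumed organizational ranking, 1 = highest
    cost: int          # assumed cost to close the gap, in thousands of dollars


def function_of(subcategory: str) -> str:
    """Map a Subcategory ID to its Function via the two-letter prefix."""
    return FUNCTIONS[subcategory.split(".")[0]]


def gap(o: Outcome) -> int:
    """Gap size; never negative, since exceeding the target is not a gap."""
    return max(0, o.target - o.current)


def gap_by_function(outcomes) -> dict:
    """Sum gap sizes per Function so the profile comparison can be reported at Function level."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for o in outcomes:
        totals[function_of(o.subcategory)] += gap(o)
    return totals


def prioritize(outcomes) -> list:
    """Subcategories with an open gap, ordered by priority, then largest gap, then lowest cost."""
    return sorted((o for o in outcomes if gap(o) > 0),
                  key=lambda o: (o.priority, -gap(o), o.cost))


def plan(outcomes, budget: int):
    """Greedy allocation: fund gaps in priority order. A gap that no longer fits the remaining
    budget is deferred to the next cycle, and cheaper lower-priority gaps may still be funded.
    Whether such skipping is acceptable is an organizational choice and should be documented."""
    funded, deferred, remaining = [], [], budget
    for o in prioritize(outcomes):
        if o.cost <= remaining:
            funded.append(o)
            remaining -= o.cost
        else:
            deferred.append(o)
    return funded, deferred, remaining


def next_profile(outcomes, funded) -> list:
    """Once the action plan is implemented, funded outcomes reach their target level; the result
    is the Current Profile for the next pass of the improvement loop."""
    done = {o.subcategory for o in funded}
    return [replace(o, current=o.target) if o.subcategory in done else o for o in outcomes]


# Constructed sample profile: real CSF 1.1 Subcategory IDs and outcome statements, with
# made-up current/target levels, priorities and costs used only for illustration.
OUTCOMES = [
    Outcome("ID.AM-1", "Physical devices and systems within the organization are inventoried", 3, 4, 2, 20),
    Outcome("ID.AM-2", "Software platforms and applications within the organization are inventoried", 1, 4, 1, 60),
    Outcome("PR.AC-1", "Identities and credentials are issued, managed, verified, revoked, and audited", 2, 4, 1, 80),
    Outcome("PR.DS-1", "Data-at-rest is protected", 4, 4, 3, 0),
    Outcome("DE.CM-1", "The network is monitored to detect potential cybersecurity events", 1, 3, 2, 120),
    Outcome("RS.RP-1", "Response plan is executed during or after an incident", 2, 3, 3, 15),
    Outcome("RC.RP-1", "Recovery plan is executed during or after a cybersecurity incident", 0, 3, 3, 40),
]

if __name__ == "__main__":
    print("Gap per Function:", gap_by_function(OUTCOMES))
    funded, deferred, left = plan(OUTCOMES, budget=200)
    print("Funded this cycle:", [o.subcategory for o in funded], "remaining budget:", left)
    print("Deferred to next cycle:", [o.subcategory for o in deferred])
    print("Next cycle's open gaps:", [o.subcategory for o in prioritize(next_profile(OUTCOMES, funded))])
```

With the constructed data and a budget of 200, the two priority-1 gaps are funded first; DE.CM-1 is deferred because its cost exceeds what is left, while the cheaper ID.AM-1 and RC.RP-1 still fit. Running the loop again shows only DE.CM-1 and RS.RP-1 as open gaps, which is the input to the next Target Profile discussion. In a real assessment the levels would come from evidence gathered during the risk assessment step, not from a table typed by hand.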