Set forth by the National Institute of Standards and Technology under the United States Commerce Department, the Cybersecurity Framework is a set of guidelines for private sector companies to follow to be better prepared in identifying, detecting, and responding to cyber-attacks. It also includes guidelines on how to prevent and recover from an attack.
Simply put, the NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that help an organization improve its cybersecurity measures. The optional standards were compiled by NIST after former United States President Barack Obama signed an executive order in 2014.
Function of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework seeks to address the lack of standards when it comes to security. There are currently major differences in the way companies are using technologies, languages, and rules to fight hackers, data pirates, and ransomware.
Cyberattacks are becoming more widespread and complex, and fighting them is becoming much more difficult. This is compounded by the lack of a unified strategy among organizations.
The different sets of policies, guidelines, best practices, and technologies used in cybersecurity give rise to yet another problem: organizations are not able to share information about attacks effectively. If your enterprise experiences a hacking attempt, you can talk to a colleague at another company who has experienced the same kind of attack before. Keep in mind, though, that what worked for them may not necessarily work for you.
The NIST Cybersecurity Framework aims to do away with all this. With a uniform set of rules, guidelines, and standards, it is easier to share information between two companies, and easier to get everybody on the same page.
Who Does the NIST Cybersecurity Framework Impact?
Originally intended only as guidelines under then-President Obama's executive order, these standards are now being implemented at government offices under the executive order signed by current U.S. president Donald Trump. However, these guidelines can benefit nongovernmental organizations and businesses as well. Therefore, everybody who is concerned with or responsible for their own organization's cybersecurity should know about the NIST Cybersecurity Framework.
In fact, it can be argued that everybody who uses a computer should be thinking about the NIST Cybersecurity Framework. Your IT department would be the ones implementing it, but your other employees would be tasked to follow the new security standards. Business managers and C-level executives would be responsible for making sure it gets done correctly.
NIST Cybersecurity Framework Implementation
Make no mistake about it, implementing the NIST Cybersecurity Framework is a must. There is no reason not to. For one, it will help protect you from an inevitable cyber attack. Not following the NIST guidelines presents more of a liability. The implementation process may seem cumbersome, but the result is a more secure organization. Not only will your customers trust you more, but your employees will keep security foremost in their minds as they do their own jobs.
In fact, around 7 out of every 10 security professionals and IT experts agree that the NIST framework is a good idea and that implementing it is a best practice.
To make it easier for companies and government offices to implement the guidelines set forth in the Cybersecurity Framework, NIST has several resources available from their website, such as frequently asked questions, industry materials, case studies, and other guidance.
If you work for a government agency, you certainly do not have a choice. The Trump administration has decreed that each agency must have its own implementation plan within ninety days of the executive order signed in May 2017.
NIST Cybersecurity Framework Summary
The Framework Core
The framework core defines the activities you need to carry out to achieve specific cybersecurity outcomes. It is divided into four elements:
- Functions. The five functions outlined in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover. These are your most basic cybersecurity tasks.
- Categories. For each of the five functions, there are categories that are actually specific challenges or tasks that you must carry out. For instance, in order to protect (function) your systems, you must implement software updates, install antivirus and antimalware programs, and have access control policies in place.
- Subcategories. These are the tasks or challenges associated with each category. For instance, in implementing software updates (category), you must be sure that all Windows machines have auto-updates turned on.
- Informative sources. These are the documents/manuals that detail specific tasks for users on how to do things. For instance, you should have a document that would detail how auto-updates are enabled for Windows machines.
Implementation Tiers
The NIST Cybersecurity Framework specifies four implementation tiers. These tell you what level of compliance you have reached. The higher the tier, the more compliant you are.
Profiles
Profiles under the NIST Cybersecurity Framework describe both the current status of your organization's cybersecurity measures and the roadmap you have toward becoming NIST Cybersecurity Framework compliant. NIST suggests that having these profiles allows organizations to see their weak spots every step of the way. Once organizations plug these weaknesses, it is easier to move up to higher implementation tiers.
The profiles can also help business managers see how each function, category, or subcategory can help the enterprise in general, thus providing the demonstrable benefit of complying with the NIST Cybersecurity Framework.
You can liken profiles to an executive summary of everything an organization has done for the NIST Cybersecurity Framework.
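The Core hierarchy, tiers, and profiles above can be worked through as a small gap analysis. This is an added example, not code from the article or from NIST: the five functions are the ones the article lists, but the categories, subcategories, reference paths, and both profiles are constructed placeholders (not NIST's real subcategory identifiers), and tiers are represented simply as the numbers 1 through 4.

```python
# Added example: model a fragment of the Framework Core and compare a
# current profile against a target profile to find the weak spots.
# Categories, subcategories and document paths are constructed placeholders.
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

@dataclass(frozen=True)
class Subcategory:
    function: str    # one of FUNCTIONS
    category: str    # the challenge or task, e.g. software updates (constructed)
    name: str        # the concrete outcome to achieve (constructed)
    reference: str   # informative reference: the internal how-to document (constructed)

# Constructed Core fragment built around the examples the article gives.
CORE = [
    Subcategory("Protect", "Software updates", "Auto-updates enabled on all Windows machines", "doc/win-autoupdate.md"),
    Subcategory("Protect", "Malware defense", "Antivirus/antimalware installed on endpoints", "doc/av-baseline.md"),
    Subcategory("Protect", "Access control", "Access control policy documented and enforced", "doc/access-policy.md"),
    Subcategory("Detect", "Monitoring", "Security events collected and reviewed", "doc/monitoring.md"),
    Subcategory("Respond", "Incident handling", "Incident response plan exercised annually", "doc/ir-plan.md"),
]

# Constructed profiles: subcategory name -> tier (1 lowest .. 4 highest).
CURRENT_PROFILE = {
    "Auto-updates enabled on all Windows machines": 3,
    "Antivirus/antimalware installed on endpoints": 2,
    "Access control policy documented and enforced": 1,
    "Security events collected and reviewed": 2,
}   # incident response is not listed, so it counts as Tier 1
TARGET_PROFILE = {sub.name: 3 for sub in CORE}

def gap_analysis(current: dict, target: dict) -> list:
    """Return (gap, function, subcategory, reference) for every subcategory
    below its target tier, largest gap first so the roadmap is prioritised."""
    gaps = []
    for sub in CORE:
        have = current.get(sub.name, 1)   # unlisted in current profile = Tier 1
        want = target.get(sub.name, 4)    # unlisted in target profile = Tier 4
        if have < want:
            gaps.append((want - have, sub.function, sub.name, sub.reference))
    return sorted(gaps, key=lambda g: (-g[0], g[1], g[2]))

def function_tiers(current: dict) -> dict:
    """Roll the profile up to one tier per function: a function is only as
    mature as its weakest subcategory, so take the minimum."""
    tiers = {}
    for sub in CORE:
        have = current.get(sub.name, 1)
        tiers[sub.function] = min(tiers.get(sub.function, 4), have)
    return tiers
```

Running `gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)` lists the access control and incident response items first (two tiers short), which is the kind of prioritised weak-spot view the profiles are meant to provide.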
Should You Implement the NIST Cybersecurity Framework?
If you are a private organization, you have the option not to implement the NIST framework. There is no legal or regulatory mandate for you to do so.
Implementing the framework also requires a significant investment, which is why some companies are shying away from fully implementing it at their own organizations.
Nevertheless, the cost of a security breach is almost certain to be a whole lot higher. The average cost of a data breach in 2017 exceeded $3.6 million. And as if the financial costs aren’t high enough, it’s impossible to place a value on the loss of customer trust and your organization’s reputation.