What is the NIST Cybersecurity Framework?
Learn what the NIST Cybersecurity Framework is, who it impacts, and how to implement it in Data Protection 101, our series on the fundamentals of information security.
Set forth by the National Institute of Standards and Technology under the United States Commerce Department, the Cybersecurity Framework is a set of guidelines for private sector companies to follow to be better prepared in identifying, detecting, and responding to cyber-attacks. It also includes guidelines on how to prevent and recover from an attack.
Simply put, the NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that help an organization improve its cybersecurity measures. The optional standards were compiled by NIST after former United States President Barack Obama signed an executive order in 2014.
Function of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework seeks to address the lack of standards when it comes to security. There are currently major differences in the way companies are using technologies, languages, and rules to fight hackers, data pirates, and ransomware.
Cyberattacks are becoming more widespread and complex, and fighting these attacks are becoming much more difficult. This is compounded by the lack of a unified strategy among organizations.
The different sets of policies, guidelines, best practices, and technologies used in cybersecurity gives rise to yet another problem: organizations are not able to share information about attacks. If your enterprise experiences a hacking attempt, you can talk to a colleague working for another company who had experienced the same kind of attack before. Keep in mind, though, that what they did may not necessarily work for you.
The NIST Cybersecurity Framework aims to do away with all this. With a uniform set of rules, guidelines, and standards, it is easier to share information between two companies, and easier to get everybody on the same page.
Who Does the NIST Cybersecurity Framework Impact?
Originally intended only as guidelines under then-President Obama's executive order, these standards are now being implemented at government offices under the executive order signed by current U.S. president Donald Trump. However, these guidelines can benefit nongovernmental organizations and businesses as well. Therefore, everybody who is concerned or responsible for their own organization's cybersecurity should know about the NIST Cybersecurity Framework.
In fact, it can be argued that everybody who uses a computer should be thinking about the NIST Cybersecurity Framework. Your IT department would be the ones implementing it, but your other employees would be tasked to follow the new security standards. Business managers and C-level executives would be responsible for making sure it gets done correctly.
A Data-Centric Approach to Federal Government Security
NIST Cybersecurity Framework Implementation
Make no mistake about it, implementing the NIST Cybersecurity Framework is a must. There is no reason not to. For one, it will help protect you from an inevitable cyber attack. Not following the NIST guidelines presents more of a liability. The implementation process may seem cumbersome, but you can be more secure. Not only will your customers trust you more, but your employees will have that security mindset foremost on their minds as they do their own jobs.
In fact, around 7 out of every 10 security professionals and IT experts agree that the NIST framework is a good idea and that implementing it is a best practice.
To make it easier for companies and government offices to implement the guidelines set forth in the Cybersecurity Framework, NIST has several resources available from their website, such as frequently asked questions, industry materials, case studies, and other guidance.
If you work for a government agency, you certainly do not have a choice. The Trump administration has decreed that each agency should have their own implementation plan – ninety days after the executive order was signed in May 2017.
NIST Cybersecurity Framework Summary
The Framework Core
The framework core defines the activities you need to do to attain different cybersecurity results. This is further divided into four different elements:
Functions. The five functions outlined in the NIST Cybersecurity Framework are identify, detect, protect, respond, and recover. These are your most basic cybersecurity tasks.
Categories. For each of the five functions, there are categories that are actually specific challenges or tasks that you must carry out. For instance, in order to protect (function) your systems, you must implement software updates, install antivirus and antimalware programs, and have access control policies in place.
Subcategories. These are the tasks or challenges associated with each category. For instance, in implementing software updates (category), you must be sure that all Windows machines have auto-updates turned on.
Informative sources. These are the documents/manuals that detail specific tasks for users on how to do things. For instance, you should have a document that would detail how auto-updates are enabled for Windows machines.
The NIST Cybersecurity Framework specifies four implementation tiers. This would help you know at what level of compliance you are in. The higher the tier, the more compliant you are.
Profiles under the NIST Cybersecurity Framework relate to both the current status of your organization's cybersecurity measures and the roadmaps you have towards being NIST Cybersecurity Framework compliant. NIST suggests that having these profiles would allow organizations to see their weak spots every step of the way. Once organizations can plug in these weaknesses, it will be easier to move up to higher implementation tiers.
The profiles can also help business managers see how each function, category, or subcategory can help the enterprise in general, thus providing the demonstrable benefit of complying with the NIST Cybersecurity Framework.
You can liken profiles to an executive summary of everything an organization has done for the NIST Cybersecurity Framework.
Should You Implement the NIST Cybersecurity Framework?
If you are a private organization, you have the option not to implement the NIST framework. There is no legal or regulatory mandate for you to do so.
Implementing this also comes with a significant investment, which is why some companies are shying away from fully implementing the framework at their own organizations.
Nevertheless, the cost of a security breach is almost certain to be a whole lot higher. The average cost of a data breach in 2017 exceeded $3.6 million. And as if the financial costs aren’t high enough, it’s impossible to place a value on the loss of customer trust and your organization’s reputation.
Frequently Asked Questions
What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) is a U.S. government agency whose role is to promote innovation and competition in the science and technology fields. The non-regulatory agency accomplishes this goal by developing technology, metrics, and standards.
The NIST Cybersecurity Framework (CSF) was developed in early 2004 by the NIST along with private-sector and government experts. The Framework consolidates industry standards and best practices to guide organizations in managing their cybersecurity risks. It helps companies reduce cybersecurity threats as well as respond to and recover from incidents.
What are the five elements of the NIST Cybersecurity Framework?
The following are the five elements or core functions of the NIST Cybersecurity Framework:
1) Identify - This function helps organizations identify their assets that may make an attractive target for cybercriminals. This includes identifying hardware and software assets and assessing their potential vulnerabilities.
2) Protect - The protect function directs companies to evaluate existing cybersecurity procedures and processes to ensure they can safeguard the organization’s assets.
3) Detect - This element of the CSF encourages companies to perform an evaluation to determine if their cybersecurity measures are capable of detecting threats to the organization’s computing environment.
4) Respond - This core function instructs companies to assess their cybersecurity standing to verify there is a plan to respond to a cyberattack.
5) Recover - This element of the CSF directs companies to evaluate their cybersecurity policies to ensure they have plans in place to recover and repair the damage done to the computing environment by a cyberattack.
What is the difference between ISO 27001 and NIST?
There are several differences between NIST and ISO 27001, including:
1) Cost - The NIST CSF is free. Companies are charged a fee to access the ISO 27001 documentation.
2) Certification - The NIST CSF is a self-certified framework with no outside certification. ISO 27001 offers globally-recognized certification based on a third-party audit.
3) Usage scenarios - The NIST CSF is a good choice for organizations just developing a cybersecurity strategy or addressing specific vulnerabilities or data breaches. ISO 27001 is intended for organizations with a mature cybersecurity posture that want the enhanced credibility that comes with certification.
How is the NIST Cybersecurity Framework used?
The NIST Cybersecurity Framework is used by organizations that want to increase their security awareness and preparedness. It’s a flexible framework that can be used to enhance security in multiple ways, including:
1) Creating a profile to determine an organization’s current level of cybersecurity preparedness.
2) Identifying new standards and policies to improve cybersecurity measures.
3) Developing new cybersecurity initiatives and requirements.
4) Communicating the new requirements throughout the organization.
Is there a NIST cybersecurity certification?
There is no NIST cybersecurity certification. It is a self-certified framework that is not certified by third-party auditors. There is, however, a NIST cybersecurity implementation certification. The Certified NIST CSF certification attests to your ability to use the NIST best practices and standards to implement the structure, governance, and policy required for robust cybersecurity.