Businesses today find themselves asking what the NIST security standards are and how they apply to them.
This should not come as any great surprise: we are currently experiencing a dramatic shift in attitudes towards the threat of cybercrime.
Prior to the pandemic, companies by their own admission were unprepared for cyberattacks, with just 23% of organizations indicating they had an incident response plan applied across their business, according to IBM.
Many companies are simply not ready for the number and severity of modern cyberattacks, and this is no small matter: 93% of companies without a disaster recovery plan that suffer a major data disaster go out of business within one year.
Because of the pandemic and the changes it brought, cyberattacks are currently at higher levels than ever, and businesses must respond in order to protect themselves and their customers.
This is where frameworks like NIST come in: companies are looking for guidance on their cybersecurity and hope that standards like NIST can provide it.
In this blog, we’re going to take a look at NIST, break it down, and determine how applicable it is to organizations across the country that want to shore up their business security.
What Is NIST?
The National Bureau of Standards, as it was known until 1988, was founded in 1901 as a non-regulatory agency to provide standards across a range of industries, including manufacturing, environmental science, public safety, nanotechnology, information technology, and more.
Over the years since its founding, the remit of NIST has extended over a growing number of industries, of which cybersecurity (under IT) is just one.
NIST frameworks, including its cybersecurity framework, are intended to be voluntary guidelines for all organizations except those engaging with government contracts, which are required to abide by them.
What Is the NIST Cybersecurity Framework (CSF)?
The NIST Cybersecurity Framework, or CSF for short, was established by executive order in 2013 under President Obama in order to create a consensus framework for approaching cybersecurity, with the intention of reducing risk to critical government and public infrastructure systems.
The first version of the CSF was published in 2014, and Congress passed the Cybersecurity Enhancement Act of 2014 shortly thereafter with the following stated purpose:
AN ACT To provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness, and for other purposes.
Another executive order was issued by President Trump in 2017, directing all federal agencies to use the framework.
In 2015, an estimated 30% of US businesses used the CSF, with a further rise to 50% in 2020. The success of the framework has led to it being adopted not just in the United States, but across the world, from the United Kingdom to Israel.
Breaking Down the NIST Cybersecurity Framework
The NIST Cybersecurity Framework is broken down into three distinct components: the “Core”, “Implementation Tiers”, and “Profiles”.
The Framework Core is the set of activities that are designed to achieve the best cybersecurity outcomes desired by NIST standards.
These activities are not a checklist, but rather key outcomes identified by stakeholders as significant in managing cybersecurity risk.
What Are the Five Elements of the NIST Cybersecurity Framework?
There are five elements that make up the Framework Core. These are:
- Functions: Functions are some of the most recognizable aspects of the NIST cybersecurity framework. They outline the basic security activities from a high-level perspective and help organizations address the most crucial elements of cybersecurity. The Functions include Identify, Protect, Detect, Respond, and Recover.
- Categories: The Categories are focused on business outcomes and are slightly more in-depth, covering objectives within the core functions.
- Subcategories: Subcategories are the most granular level of abstraction in the Core. There are a total of 108 subcategories, which are typically outcome-driven and designed to provide considerations for establishing or improving a cybersecurity program.
- Informative References: Informative References refer to existing standards, guidelines, and practices relevant to each subcategory.
Categories of the Five Key Functions
As we noted, each of the key Functions is broken down into Categories and Subcategories.
The Categories are as follows:
- Asset Management
- Business Environment
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management
- Identity Management and Access Control
- Awareness and Training
- Data Security
- Information Protection Processes & Procedures
- Protective Technology
- Anomalies and Events
- Security Continuous Monitoring
- Detection Processes
- Response Planning
- Recovery Planning
The Framework Implementation Tiers help illustrate the extent to which an organization is able to effectively meet the characteristics outlined in the Framework Functions and Categories.
These Implementation Tiers are not levels of cybersecurity maturity and are not intended to be.
However, organizations that meet the standards for the highest tiers will inevitably have many of the characteristics that define cyber-mature companies.
Tier 1 (Partial)
Risk Management Process: Risk management practices are not formalized and risk is managed in an ad hoc fashion.
Integrated Risk Management Program: Limited awareness of cybersecurity risk at the organizational level.
External Participation: Organization doesn’t collaborate with other entities or understand its role in the larger ecosystem.
Tier 2 (Risk Informed)
Risk Management Process: Risk management practices are approved by management and prioritized according to organizational risk objectives.
Integrated Risk Management Program: Awareness of cybersecurity risk at the organizational level, but lacking a company-wide approach to managing this risk.
External Participation: The organization recognizes its role in the business ecosystem with respect to its dependencies or dependents, but not both. Some collaboration, but may not act consistently or formally on risks presented.
Tier 3 (Repeatable)
Risk Management Process: Risk management practices are formally approved and expressed through policy. Cybersecurity practices are regularly updated based on the application of the formal risk management process.
Integrated Risk Management Program: Organization-wide approach to security risk management in place, and personnel possess the knowledge and skills to manage security risks.
External Participation: The organization’s role in the larger ecosystem is understood as it pertains to other companies and it may contribute to the community’s broader understanding of risks. Collaborates with and receives information from others regularly.
Tier 4 (Adaptive)
Risk Management Process: Cybersecurity practices are adapted and developed based on previous and current activities, as well as predictive indicators. Continuous improvement of processes through the incorporation of advanced technologies and practices is expected.
Integrated Risk Management Program: The relationship between security risk and organizational objectives is understood clearly. Security risk management is part of the organizational culture, and changes to how risk management is approached are communicated quickly and effectively.
External Participation: Organization fully understands its role in the larger ecosystem and contributes to the community’s understanding of risks. Receives, generates, and prioritizes information that informs constant analysis of risks. Real-time data analysis is leveraged, and communication is proactive as it pertains to risks associated with the products and services used.
The Framework Profile refers to the overall alignment of Functions, Categories, and Subcategories with the organization’s business requirements, risk tolerance, and resources.
Because different businesses have different priorities, no two profiles will be the same, and so determining the unique Framework Profile that best fits the company is the final key aspect of the NIST standards.
Current Profile vs. Target Profile
When businesses establish profiles for the cybersecurity standards, a common and effective way of understanding where they are and where they want to be is to create two profiles: the current profile and the target profile.
The current profile is created by assessing the organization’s ability to carry out subcategory activities.
Examples of subcategories include things like “Physical devices and systems within the organization are inventoried” (ID.AM-1) and “Data-in-transit is protected” (PR.DS-2).
These are just two examples of the 108 total Subcategories, but give an indication of the kinds of activities that are assessed.
Once the current profile has been established by ranking the company’s ability to fulfill each subcategory, it is then time to create the target profile.
The target profile is effectively where the company should be with its cybersecurity in order to meet the desired risk management goals and priorities.
Once the target profile has been created, the organization can then compare the two and get a clear understanding of where the business meets their risk management goals and where improvements need to be made.
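The current-versus-target comparison described above, as an added example that is not part of the original post or of NIST's own material. It assumes a 0 to 4 score for how fully each Subcategory outcome is met (the scale is an assumption; the CSF does not prescribe one), uses the two Subcategory IDs quoted in the post plus three others from CSF v1.1, and fills in constructed sample scores.

```python
import csv
import io

# Constructed sample assessment (not NIST's own data). Scores use an assumed
# 0-4 scale for how fully the organization fulfils each Subcategory outcome.
SAMPLE_ASSESSMENT = """\
subcategory,function,current,target
ID.AM-1,Identify,2,4
PR.DS-2,Protect,1,4
DE.CM-1,Detect,1,3
RS.RP-1,Respond,3,3
RC.RP-1,Recover,0,3
"""

MAX_SCORE = 4


def load_profiles(csv_text):
    """Parse one row per Subcategory carrying both the current and target score."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        cur, tgt = int(r["current"]), int(r["target"])
        if not (0 <= cur <= MAX_SCORE and 0 <= tgt <= MAX_SCORE):
            raise ValueError(f"{r['subcategory']}: scores must be 0..{MAX_SCORE}")
        rows.append({"subcategory": r["subcategory"], "function": r["function"],
                     "current": cur, "target": tgt})
    return rows


def gap_analysis(rows):
    """Return only the Subcategories below target, largest gap first."""
    gaps = [dict(r, gap=r["target"] - r["current"]) for r in rows
            if r["target"] > r["current"]]
    return sorted(gaps, key=lambda g: (-g["gap"], g["subcategory"]))


def function_summary(rows):
    """Roll the gaps up to the five Functions for a management-level view."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["function"], {"assessed": 0, "met": 0, "gap": 0})
        s["assessed"] += 1
        s["met"] += int(r["current"] >= r["target"])
        s["gap"] += max(0, r["target"] - r["current"])
    return summary


if __name__ == "__main__":
    profile = load_profiles(SAMPLE_ASSESSMENT)
    for g in gap_analysis(profile):
        print(f"{g['subcategory']:8} {g['function']:8} current={g['current']} "
              f"target={g['target']} gap={g['gap']}")
    for fn, s in function_summary(profile).items():
        print(f"{fn:8} met {s['met']}/{s['assessed']}, total gap {s['gap']}")
```

The sorted gap list is the improvement backlog; the per-Function roll-up is the view to put in front of management when deciding where to spend first.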
Who Uses the NIST Cybersecurity Framework?
As we’ve noted, the NIST CSF is designed first and foremost as a framework aimed at companies in the federal supply chain, whether prime contractors, subcontractors, or other entities required to be NIST compliant.
NIST’s standards, however, are applicable to virtually any business and are an extremely valuable source for determining a company’s current cybersecurity activities and its ability to carry them out to an acceptable standard, in addition to uncovering new and previously unknown priorities.
The ultimate goal of NIST is to provide a framework not just for federally associated organizations, but for the business world at large.
To this end, NIST plans to continually update the cybersecurity framework to keep it fresh and applicable to anyone, whether they specifically need NIST CSF compliance or not.
While NIST CSF compliance is not necessary for organizations not contracted by the government or subcontracted by a government contractor, many of its activities and protocols apply to many other compliance regulations that must be followed, like HIPAA, PCI, PII.
For compliance with these regulations (and many others), it is suggested to use a governance risk and compliance (GRC) solution so that activities can be accurately monitored and maintained.
At Impact, we offer such a solution, with options for hybrid or full management of GRC from our experts, who will perform a risk assessment and make sure that your cybersecurity policies are exactly where they need to be to remain compliant.
For more information, take a look at our Compliance Services page and connect with a specialist to see how Impact can get your organization’s compliance on track today.