What Is the Purpose of the NIST Cybersecurity Framework?
Strong cybersecurity is paramount for organizations in every industry – and the best way to implement a robust cybersecurity program (or to strengthen an existing program) is to use an established cybersecurity framework.
An accepted cybersecurity framework will provide useful guidelines and goals to plan, implement, and optimize cybersecurity programs. Such a program can improve an organization’s threat detection, risk mitigation, and incident response capabilities. That, in turn, helps your risk management and regulatory compliance objectives.
Several such frameworks are available. One of the most popular frameworks is the NIST Cybersecurity Framework (NIST CSF). The NIST CSF provides a uniform set of rules, guidelines, and standards that organizations in any industry can use to build an effective cybersecurity program.
What Is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) establishes information technology-related frameworks and standards. U.S. federal agencies and private-sector organizations alike use various NIST frameworks for information security management and risk management.
In 2013 the Obama Administration issued Executive Order (EO) 13636, directing NIST to develop a voluntary cybersecurity framework for reducing risks to critical infrastructure in the United States. Based on this EO and the Cybersecurity Enhancement Act of 2014, NIST (official website: www.nist.gov) drafted its CSF in collaboration with industry and government agencies.
The NIST Cybersecurity Framework aims to provide a “prioritized, flexible, repeatable, and cost-effective approach” to cybersecurity risk management. Its tried-and-tested security baselines, guidelines, and best practices enable organizations to manage and mitigate cybersecurity risk.
Any small business or large organization can use the CSF, regardless of industry, size, degree of cybersecurity risk, or cybersecurity program maturity. Your organization can apply its risk management principles and best practices to improve cybersecurity and ultimately to build a more resilient business.
Cybersecurity Framework vs. Cybersecurity Plan
The CSF is not a one-size-fits-all approach to cybersecurity risk management. Despite its focus on standardization and a common cybersecurity “language,” you must customize the framework to meet your organization’s own unique needs and risk profile.
More precisely, the NIST CSF provides a useful way to create your organization’s cybersecurity plan. This plan should cover the security strategy, policies, procedures, and tools you will use to improve cyber risk management and implement a robust security program.
Benefits of the NIST Cybersecurity Framework for Organizations
For private-sector businesses, adopting the NIST CSF is voluntary. You don’t have to comply with its rules, standards, guidelines, and practices; but doing so can benefit your organization in many ways.
For starters, you can better manage and reduce cybersecurity risk. You can also take advantage of the framework’s common language to improve communications about risk management between internal and external stakeholders. The common language can also improve security awareness and understanding among functional units, senior executives, and boards of directors.
Another benefit is that you can determine critical activities for service delivery, and then implement measures to conduct those activities smoothly – activities that can directly affect your business continuity and competitiveness. The framework will also guide security investments to reduce the size of the organization’s threat landscape while maximizing its ROI.
5 Functions in the NIST CSF Core
The NIST CSF, now in Version 1.1 (v1.1), consists of three main components:
- Framework Core
- Implementation Tiers
- Framework Profiles
The Framework Core provides five concurrent and continuous functions that provide a high-level, strategic view of the organization’s cybersecurity risk management lifecycle.
These five Core Functions are:
- Identify: Identify which assets need protection.
- Protect: Implement appropriate safeguards to protect these assets.
- Detect: Implement appropriate safeguards to detect security threats and incidents.
- Respond: Develop techniques to mitigate the impact of these incidents.
- Recover: Implement processes to recover from cyberattacks and restore business-as-usual.
Each Function then includes multiple Categories, Subcategories, and Informative References – known as “elements” – in simple, easy-to-understand, and actionable language. These four elements in the CSF Core apply whether you operate your own assets or outsource operations to another party.
How the four Core elements work together
The Functions organize cybersecurity activities, so you can manage cybersecurity risk by:
- Collecting, organizing, and contextualizing useful information
- Addressing threats before they can cause damage
- Learning from previous activities to continually optimize threat detection and mitigation
The five Functions align with existing incident management methodologies and guide cybersecurity investments. For example, you can assess whether additional investments could improve the timeliness and effectiveness of response and recovery actions, and thus reduce the harm of a security incident on service delivery.
The NIST CSF Core includes Categories that divide a Function into cybersecurity outcomes tied to specific organizational needs and activities. Asset Management, Identity Management and Access Control, and Detection Processes are some of these categories.
The Subcategories divide a Category into specific outcomes and support the achievement of these outcomes. Examples include:
- External information systems are inventoried
- Data-at-rest is protected
- Notifications from detection systems are investigated
Informative References are specific sections of cybersecurity standards, guidelines, and practices that illustrate how to achieve the outcomes associated with each Subcategory in the CSF Core.
Five functions in the CSF Core
The NIST CSF is widely accepted as the gold standard for building enterprise cybersecurity programs. One reason for its popularity is that it categorizes all cybersecurity activities into five easy-to-understand functions:
Meaning: Understand cybersecurity risk to enterprise systems, people, assets, and data.
The Identify function lays the foundation for implementing a new cybersecurity program or improving an existing program. Its various activities are essential to understand the business context, critical functions and resources, and their related cybersecurity risks. The outcome Categories under this Function can help you to prioritize risk management efforts in line with business needs.
Some of these Categories are:
- Asset Management: Identify enterprise assets and establish an asset management program.
- Business Environment: Understand the company’s role in the supply chain.
- Governance: Establish governance policies and identify the legal and regulatory requirements for cybersecurity capabilities.
- Risk Assessment: Implement risk assessment and response processes.
- Risk Management Strategy: Identify risk tolerance and implement a supply chain risk management strategy.
Meaning: Implement strong safeguards to maintain service delivery and business continuity.
The Protect function is about limiting the harm of a cybersecurity event and maintaining service delivery during the disruption. Some critical activities in this group include:
- Identity Management and Access Control: Implement physical, digital, and remote access controls.
- Awareness and Training: Improve security awareness through role-based and privileged user training.
- Data Security: Establish controls to protect the confidentiality, integrity, and availability (the “CIA triad”) of information.
- Information Protection Processes and Procedures: Protect sensitive information systems.
- Maintenance: Assure that all assets remain in ideal operational condition.
- Protective Technology: Implement tools and processes to ensure the security and resilience of IT systems.
Meaning: Develop appropriate activities to identify cybersecurity threats and events.
To protect the organization and its assets, you must identify the cybersecurity threats that affect it today or may affect it in future. The CSF Detect Function helps with this goal. Some of its essential activities include:
- Anomalies and Events: Detect anomalous or suspicious behaviors or events, and assess their potential impact.
- Security: Implement protective measures and regularly verify their effectiveness.
- Continuous Monitoring and Detection: Develop capabilities to monitor cybersecurity events.
Meaning: Implement measures to respond to cybersecurity events and minimize damage.
When a cybersecurity event does occur, you must contain its impact to minimize damage. For this, you need to implement measures to respond quickly and appropriately. Examples of outcome Categories in this Function are:
- Response Planning: Implement and execute an incident response process.
- Communications: Keep internal and external stakeholders informed during and after an event.
- Analysis: Perform forensic analysis and impact analysis to accelerate post-incident recovery.
- Mitigation: Perform mitigation activities to resolve a detected cybersecurity incident and contain its impact.
- Improvements: Document lessons learned from detection and response activities to improve the cybersecurity program.
Meaning: Develop measures to restore capabilities after an event.
The Recover function is important because it supports timely recovery and a return to normal operations after a cybersecurity incident. It also identifies appropriate activities to renew and maintain plans for enterprise cybersecurity resilience.
The essential activities under this Function are:
- Recovery Planning: Plan and implement processes and procedures to restore systems impaired by an incident.
- Improvements: Review existing strategies to plan cybersecurity improvements.
- Communications: Coordinate internal and external communications during and after the incident.
Automate and Streamline Cybersecurity Risk Management with Reciprocity ZenRisk
The NIST CSF provides a repeatable and customizable way to implement a strong cybersecurity risk management program. The challenge for CISOs is to coordinate all that activity briskly and efficiently. To help with that effort – to develop actionable insights, automated risk scoring, real-time risk monitoring, and more – you can use Reciprocity ZenRisk.
ZenRisk will help you identify, assess, and mitigate IT and cyber risk with its guided, content-rich approach. With ZenRisk’s fast onboarding and automated workflows, you can quickly start monitoring risk and reduce uncertainty. Goodbye, manual processes and tedious work!
Visualize and quantify your cybersecurity posture to guide strategic, risk-based decisions, risk communications, and risk investments. Stay ahead of threats and optimize security with this integrated cybersecurity risk management solution from cybersecurity experts Reciprocity.
Schedule a demo to see how ZenRisk works for yourself.