We’ve written a lot on the CYREBRO blog about U.S. cybersecurity laws – rules that businesses in specific sectors such as financial services and healthcare are obligated to follow. Today we’d like to introduce a related but different topic: cybersecurity standards, namely the U.S. National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
A standard is a guideline approved by a recognized body – usually after a period of public consultation – that specifies best practices in regard to certain services, products, or disciplines. Unlike laws, which are mandatory, compliance with standards is voluntary. However, there are benefits to complying with standards such as the NIST CSF, as we will explain.
What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) has published many standards (or frameworks) dealing with information technology and cybersecurity, some pertaining to federal agencies and the public sector and others to the private sector. The most important from a private sector perspective is the NIST Cybersecurity Framework, which was first published in February 2014 and then updated in April 2018.
The NIST Cybersecurity Framework helps organizations manage and mitigate cybersecurity risks (threats, vulnerabilities, impacts) based on existing standards, guidelines, and practices. Initially intended for U.S. private sector owners and operators of critical infrastructure, this NIST framework is seeing increasing adoption across a range of private sector organizations in the United States and worldwide.
The NIST CSF contains five core functions: Identify, Protect, Detect, Respond, and Recover.
Identify (ID) – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Asset Management (ID.AM) – Data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
- Business Environment (ID.BE) – The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- Governance (ID.GV) – The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment (ID.RA) – The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- Risk Management Strategy (ID.RM) – The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
- Supply Chain Risk Management (ID.SC) – The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
Protect (PR) – Develop and implement appropriate safeguards to ensure delivery of critical services.
- Identity Management, Authentication and Access Control (PR.AC) – Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
- Awareness and Training (PR.AT) – The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
- Data Security (PR.DS) – Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
- Information Protection Processes and Procedures (PR.IP) – Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
- Maintenance (PR.MA) – Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
- Protective Technology (PR.PT) – Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Detect (DE) – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- Anomalies and Events (DE.AE) – Anomalous activity is detected and the potential impact of events is understood.
- Security Continuous Monitoring (DE.CM) – The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
- Detection Processes (DE.DP) – Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
Respond (RS) – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Response Planning (RS.RP) – Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
- Communications (RS.CO) – Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).
- Analysis (RS.AN) – Analysis is conducted to ensure effective response and support recovery activities.
- Mitigation (RS.MI) – Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
- Improvements (RS.IM) – Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Recover (RC) – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
- Recovery Planning (RC.RP) – Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
- Improvements (RC.IM) – Recovery planning and processes are improved by incorporating lessons learned into future activities.
- Communications (RC.CO) – Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
Are there other NIST frameworks?
As a non-regulatory agency of the United States Department of Commerce, NIST has published thousands of standards, frameworks, and guidelines for use in information technology, engineering, nanoscale science and technology, and various other disciplines.
Other notable cybersecurity-related frameworks found in the NIST database include:
- NIST Privacy Framework – a tool for improving privacy through Enterprise Risk Management. It is intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. It has caught on quickly in the private and public sectors.
- NIST Cyber Supply Chain Risk Management (C-SCRM) – a set of tools, metrics, guidelines and case studies developed in collaboration with public- and private-sector stakeholders that helps organizations mitigate risks in the cyber supply chain.
- NIST Risk Management Framework (NIST RMF) – a process that integrates security and risk management activities into the system development lifecycle. The framework is targeted at federal agencies and is only rarely used in the private sector.
What are the benefits to NIST Cybersecurity Framework compliance?
The NIST Cybersecurity Framework is designed to help your organization understand, manage, and reduce its cybersecurity risks. With that said, it is guidance, not a checklist to be implemented step by step. Instead, it should be customized to suit your organization’s unique threats, vulnerabilities, and risk tolerance.
NIST does not offer certifications, although it does share industry resources and case studies that demonstrate real-world applications and benefits of the framework.
If you’re after NIST Cybersecurity Framework certification or a NIST Cybersecurity Framework maturity assessment, then there is a range of third-party organizations that provide this (for a fee, of course). After completing a NIST certification program, individuals should be able to understand their organization’s cybersecurity capabilities and design a NIST CSF-compatible program to strengthen their organization’s cybersecurity posture.
The NIST Cybersecurity Framework is not mandatory, but it can play a role in building a healthy cybersecurity posture. Although it was designed for U.S. private sector owners and operators of critical infrastructure, the NIST CSF has proved useful to organizations in different sectors in the United States and around the globe. The great thing about a voluntary standard like the Cybersecurity Framework is that it can be customized to your organization’s unique threats and needs – no matter whether you are a Fortune 500 company or a small or medium-sized business.