Introduction to the NIST CSF

Overview

The National Institute of Standards and Technology (NIST) provides a robust, risk-based cybersecurity assessment tool, known as the NIST Cybersecurity Framework (NIST CSF); or, simply as “The Framework.”¹ The original intent of the NIST CSF is to provide a cybersecurity risk-based assessment tool, to protect the nation’s sixteen critical infrastructure (CI) sectors. The Framework is also a voluntary activity between the private industry and the federal government, which works towards improving the cybersecurity protections of not only CI but also individual privacy and civil liberties.² The NIST CSF is an adaptable tool to any size organization. Some of the benefits of The Framework are establishing a common cybersecurity language across industries, reducing the costs associated with conducting cybersecurity assessments and improving cybersecurity protection across various threat-landscapes.

What is the NIST Cybersecurity Framework?

The first step to understanding the NIST Cybersecurity Framework (NIST CSF) is understanding the functions of a framework. The Business Dictionary defines a framework as a “Broad overview, outline, or skeleton of interlinked items, which supports a particular approach to a specific objective, and serves as a guide that can be modified as required by adding or deleting items.”³ In short, a framework can be a theoretical or conceptual model used to give structure to the overall planning, design, management, testing, and final production of a product or service. In terms of cybersecurity, the NIST CSF can be used to design, plan, and run assessments, to improve an organization’s overall maturity of cybersecurity controls.

The Origins of the NIST CSF

The NIST CSF intends to protect any number of industries that can be considered Critical Infrastructure (CI).⁴ Three foundational documents⁵ outlines the Tiers of what is considered CI: (1) Presidential Executive Order (EO) 13636; (2) The Cybersecurity Enhancement Act of 2014; and (3) Presidential Policy Directive 21 (PPD-21).

The Framework consists of three parts: Core, Profile, and Implementation Tiering. If your organization falls into any of the CI categories, at the very least, your due diligence may include a review of the NIST CSF as part of your cybersecurity assessment processes. The NIST CSF affects most, if not all, organizations legally required to conduct any type of governmental reporting on cybersecurity readiness and resiliency.

Using The Framework

First, the “Core” of The Framework consists of activities aimed at assessing cybersecurity protections in the five primary areas of cybersecurity (risk-governance, risk-identification, risk-detection, and risk-response, and risk-recovery) from cyber-attacks. Within each Core activity, the risk-assessment reviews what protections are in place and how they are in use. Meaning an actual review of how security controls are in place and whether or not the controls are appropriate, effective, need improvement, or are ineffective. Anything requiring a cybersecurity control would be reviewed at the Core level of these five NIST CSF categories.

An example of how the NIST CSF “Core” activities could be implemented would possibly include a review of an organization’s cybersecurity policies. Such a review could determine whether or not access controls are in place for protecting sensitive data. The analysis would assess if the access controls are in place, appropriate, effective, and aligned to the organization’s security policy towards meeting regulatory or industry compliance objectives.

Next, the NIST CFS “Implementation Tiers” category is used to identify whether or not your organization meets the standards of being “critical infrastructure.” In this case, the maturity levels of the organization’s security controls are reviewed, or “Tiered,” to determine if the controls are ad hoc (Tier 1: Partial implementation), still in development (Tier 2: Risk informed), developed and consistently in use (Tier 3: Repeatable), or if the controls are proactive to deter threats (Tier 4: Adaptive).

An example of an organization’s tiering level process would be ranking a large telecom with cybersecurity controls in place that is effective in detecting, accurately identifying, deterring, and then mitigating cybersecurity attacks. Another example could be a smaller organization, such as a water-treatment plant, in a rural town setting. In both situations, the Implementation Tiering should reflect “the current risk-management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.” ⁶

Last, the Framework’s “Profile” process is rooted in an organization’s business needs and objectives. Specifically, the assessment reviews how the business processes and goals are in alignment with standards, guidelines, and practices of the industry and regulatory requirements.

The Value of Using NIST CSF

If you are in the Senior Executive Management role, chances are your concerns revolve around using cost-effective cybersecurity controls to protect your organization’s valuable assets. The NIST CSF can be tailored to conduct specific assessments. For example, a NIST CSF assessment can help clarify the organizational risk, as it aligns with mission priorities, risk appetite, and budgetary changes. The NIST CSF can also be used in terms of reporting documentary evidence to support cybersecurity audit findings towards risk assessment, risk mitigation, and reduction of an organization’s cybersecurity threat landscape. Furthermore, The Framework should also be used by middle management and business process-level managers focused on securing assets that may fall within the tiering levels of critical infrastructure.

Examples of Organization using the NIST CSF

Many types of organizations, across every industry, use the NIST CSF to assess and address cybersecurity vulnerabilities, risks, and mitigations. Some have referred to the NIST CSF as a type of “cheat sheet”⁷ for cybersecurity professions, due to the general lack of a standardized language or methodology to address cybersecurity threats. In truth, The Framework is less of a cheat sheet and more of recommended best practices. That will eventually become the foundation for the development and refinement of industry-specific assessment tools.

The Benefits of Using the NIST CSF

The immediate benefits of using the framework are that it provides a common terminology between and across industries. Using a common language also allows businesses within the same industry to share experiences towards improving cybersecurity protections. One of the most notable benefits is the reduction in cost in terms of manpower. This is possible as The Framework is designed to work in conjunction with any industry-specific cybersecurity assessment tool, to reduce the number of questions needed to perform an accurate risk-based assessment.

Implement NIST Framework Aligned Training Plans

For security team leaders looking to align training to the NIST Cyber Security Workforce Framework, all of Cybrary’s content is mapped by Categories (7), Specialty Areas (33), and Work Roles (52). Cybrary for Teams offers pre-made templates enabling your team to adopt and engage with the content quickly. Also you will gain access to NIST’s newest mapping framework by Competency Area (60).

As a Cybrary for Teams customer, you work directly with a dedicated customer success manager to build, customize and implement training plans across your team. Request a demo of Cybrary for Teams today!

Cybrary helps organizations close the cybersecurity skills gap and build a workforce capable of tackling the challenges of today, and tomorrow. Request your demo of Cybrary for Teams to get started.

References

1. (2020). NIST Cybersecurity Framework. National Institute of Standards and Technology. Retrieved May 18, 2020 from: https://www.nist.gov/cyberframework
2. (2014, February 12). Framework for Improving Critical Infrastructure Cybersecurity, v.1.0. National Institute of Standards and Technology (NIST). Retrieved May 17, 2020, from: https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf
3. (2020). Business Dictionary. Framework. WebFinance Inc., online. Retrieved May 12, 2020 from: http://www.businessdictionary.com/definition/framework.html
4. (2013, March 5). Critical Infrastructure Sectors. Cybersecurity & Infrastructure Security Agency, U.S. Department of Homeland Security. Retrieved May 17, 2020, from: https://www.cisa.gov/critical-infrastructure-sectors
5. (2013, March). Executive Order 13636 Improving Critical Infrastructure Cybersecurity; Presidential Policy Directive -21 (PPD-21), Critical Infrastructure Security and Resilience. U.S. Department of Homeland Security. Retrieved May 12, 2020 from: https://www.cisa.gov/sites/default/files/publications/eo-13636-ppd-21-fact-sheet-508.pdf
6. Vigliarolo, B. (2017, May 19). NIST Cybersecurity Framework: A cheat sheet for cybersecurity professionals. Tech Republic. Retrieved May 17, 2020, from: https://www.techrepublic.com/article/nist-cybersecurity-framework-the-smart-persons-guide/
7. (2014, February 12). Framework for Improving Critical Infrastructure Cybersecurity, v.1.0. National Institute of Standards and Technology (NIST). Retrieved May 17, 2020, from: https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf