In 2013, the U.S. Federal Government, through Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, directed the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework (CSF) for the purpose of protecting the nation’s infrastructure. Since then, the EO has been supported by additional legislation, all with the primary goal of developing a tool that helps businesses across the industrial spectrum strengthen their cybersecurity defenses and improve their cybersecurity resiliency. [1]
The NIST CSF, [2] otherwise known as The Framework, is a cross-industry tool based on a common cybersecurity technical vocabulary. The Framework is easy to understand and easy to use. It can be applied to any risk assessment or risk management objective aimed at improving your organization’s cybersecurity posture. The specific objectives of a NIST CSF effort depend on your organization’s size, industry, and purposes. However, in this writer’s opinion, three distinct goals define the entire tool:
- Objective 1 – Accomplishing cybersecurity due diligence.
- Objective 2 – Maintaining cybersecurity readiness and resiliency.
- Objective 3 – Identifying what you need and what you don’t need.
Objective One: Achieving cybersecurity due diligence.
Every year, C-level executives fail to conduct adequate cybersecurity due diligence, resulting in a loss of assets, including data breaches, financial costs, reputational damage, and disruption of services to clients and customers. Cybersecurity due diligence failures can also be the result of inadequate budget planning or the misapplication of manpower, so that even the simplest risk assessments are never conducted. The Framework offers a simple solution that helps an organization achieve cybersecurity due diligence, because the NIST CSF can be tailored and scoped to your organization's size in order to fulfill business needs and meet regulatory and industry compliance requirements. The Framework can be used across industries and organizations because it shares the common terms used to identify security gaps, controls, and processes.
In some cases, an organization can require third parties to comply with, or provide evidence of having conducted, a NIST CSF assessment in order to continue business dealings. When some organizations consider the CSF, they think, “Well, I already have to do [HIPAA, PCI, etc.]. I don’t want another requirement.” In reality, however, the CSF can guide organizations toward meeting compliance and regulatory requirements simply by laying out specific tasks.
In terms of satisfying due diligence, the NIST CSF can help your organization identify and evaluate whether or not the security controls in place are protecting high-risk targets and assets. The Framework can also be used to identify security gaps in doing business with third parties as they relate to protections, processes, and the classification of sensitive data. Cybersecurity due diligence can also be met by using the assessment to address business continuity, disaster recovery planning, and resiliency. Any organization of any size can adopt the NIST CSF as an effective risk management tool to demonstrate that due diligence has been addressed, thereby providing evidence that risk has been identified, cybersecurity controls have been evaluated, and attainable actions to mitigate risk have been planned to remediate gaps in cybersecurity protection. The benefits of realizing this objective include avoiding the loss of assets, avoiding damage to reputation, consistency in providing services to customers, and avoiding fines and/or judgments against the organization for compliance failures.
Objective Two: Maintaining cybersecurity readiness and resiliency.
A second primary objective of the NIST CSF (The Framework) is to aid an organization (of any size, from any critical-infrastructure-related industry) in maintaining cybersecurity readiness and resiliency. As a tool, The Framework is designed to help your organization tune its cybersecurity posture by reviewing three specific risk assessment areas:
- Core functions and the effectiveness and maturity of the cybersecurity controls.
- The tiering level of implementation of the controls.
- Profile overview of your organization’s cybersecurity posture.
Within these three areas are at least five core functional domains: Identify, Protect, Detect, Respond, and Recover. Additional domains can be tailored to the scope of your organization’s size and business needs. For example, if your business relies on vendors, then a functional domain could be added to assess the supply chain or dependency management. Or if your industry is heavily regulated, such as a financial institution, you may consider adding a Governance domain to the assessment.
- Core functions and the effectiveness and maturity of the cybersecurity controls: These “core” functional domains define the highest-level functions of the cybersecurity controls used by the organization. The goal of the core functions is to help senior management, and the organization as a whole, understand the overall risks and what management needs in order to mitigate cybersecurity risks. The NIST CSF can help senior management by addressing the following core areas:
- Identify: What are the cybersecurity risks that are targeting business assets, data, and capabilities?
- Protect: How does the organization develop and apply appropriate security controls and safeguards to ensure the continuous availability of services?
- Detect: What is the organization doing to understand, and apply security controls and activities to, cybersecurity events that have been detected?
- Respond: What types of activities and/or controls are implemented to mitigate or address cybersecurity events?
- Recover: What type of recovery plans and efforts are in place to ensure maintenance and resiliency to recover from a disruptive cybersecurity event?
- The tiering level of implementation of the controls: Tiering levels are short descriptions of the maturity of the controls in place to address cybersecurity risk. Each control is evaluated on its overall effectiveness, combined with how the organization has approached implementing the control to mitigate risk. There are four tiers, which provide context on the organization’s overall management of its cybersecurity processes:
- Tier 1 – Partial: The control is partially implemented as an informal practice. Overall, the organization has a limited understanding of why the control is in place or needed, and the relationship of the control to other safeguards is unclear or uncoordinated.
- Tier 2 – Risk-Informed: These are controls of which management is aware or that management has approved, but whose implementation remains somewhat inconsistent or not applied across the organization. Because the control is often approved by senior management, it has “top-down” backing and is more likely to be afforded the resources to be applied and maintained. This means the control is likely to be informally shared, or at least to be working in conjunction with other controls.
- Tier 3 – Repeatable: When a control is repeatable, there is an indication of senior management direction to ensure the control has been implemented across the board to meet compliance regulations or security policy, or to address the mitigation of cybersecurity risk. In these cases, the control has been more formally developed.
- Tier 4 – Adaptive: At this level, senior management reviews lessons learned to determine how best to implement the control across the organization, and whether or not to share this information with other industries or similar organizations.
- Profile overview of your organization’s cybersecurity posture: After a NIST CSF assessment has been completed, metrics and data will be available to the organization to determine which cybersecurity risks are most likely to affect the business. The profile can also be used to examine and evaluate the company’s interactions with third-party service providers.
Objective Three: Identifying what you need and what you don’t need.
We’ve come to the final objective of the NIST CSF, and the reason you may want to consider using it in your organization. First, as it pertains to budgeting, the NIST CSF can provide clear metrics on which controls are needed and why. In this way, you pay a reasonable amount for a control, proportionate to the value of the asset it protects, without spending more than the asset itself is worth. Second, the NIST CSF can be used as a planning tool to reach benchmarks, develop a roadmap to effective risk management, and help prioritize the use and sharing of resources. Last, the NIST CSF supports tailoring the auditing process to the size of the organization.
Cybrary Courses that Align with the NIST CSF
The NIST CSF covers a wide range of responsibilities. Cybrary offers the following courses, which may be useful if you choose to implement the NIST CSF in your next cybersecurity risk assessment:
- IT Governance and Management
- Chief Information Security Officer (CISO)
- NIST 800-171 Controlled Unclassified Information Course
- CIS Top 20 Critical Security Controls
[1] The White House. (2020, February 12). President Donald J. Trump, Executive Order on Strengthening National Resilience through Responsible Use of Positioning, Navigation, and Timing Services. The White House. Retrieved June 13, 2020, from https://www.whitehouse.gov/presidential-actions/executive-order-strengthening-national-resilience-responsible-use-positioning-navigation-timing-services
[2] NIST. (n.d.). Cybersecurity Framework. National Institute of Standards and Technology. Retrieved June 3, 2020, from https://www.nist.gov/cyberframework