The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is a series of standards, guidelines, and practices that organizations can follow to improve cybersecurity management and reduce the risk of security breaches and other incidents.
NIST CSF is meant to be flexible enough to work for virtually any organization in any industry. It also provides organizations with a solid jumping-off point to implement more robust cybersecurity risk management protocols.
We manage all areas of NIST CSF compliance as your outsourced cybersecurity department so you don’t have to.
Our NIST CSF Security Program includes everything you need to meet NIST CSF’s criteria items. This includes the following:
NIST CSF came about as a response to Executive Order 13636, titled “Improving Critical Infrastructure Cybersecurity,” which was issued on February 12, 2013.
After the issuance of this order, NIST began working with the country’s private sector to compile a set of standards and best practices into a centralized cybersecurity framework. The result was NIST CSF Version 1.0.
In 2014, the Cybersecurity Enhancement Act (or CEA) expanded NIST’s efforts to develop a more extensive Cybersecurity Framework. Nearly a decade later, this set of guidelines is still one of the most widely used frameworks across all industries countrywide.
All United States federal government agencies must comply with the NIST CSF. However, it can also be utilized by organizations across the country, regardless of their size or type, to increase cybersecurity resilience.
Organizations that adopt the framework laid out in the NIST CSF can gain an advantage over their competitors by demonstrating a commitment to cybersecurity and giving more credibility to their business. These advantages, in turn, can lead to fewer financial losses, more significant revenues, and improved returns on future investments.
In the case of federal agencies, failure to comply with NIST CSF increases their risk of being charged under the Federal Acquisition Regulation (or FAR). Organizations that work with these agencies could also lose federal contracts if they don’t comply (they may also struggle to win new contracts in the future).
While federal government agencies are the only organizations that must comply with NIST CSF, prioritizing compliance can protect other businesses from security issues and the reputational and financial consequences associated with them.
The NIST Cybersecurity Framework is divided into functions, categories, subcategories, and informative references.
NIST CSF’s functions provide a general overview of security protocols and best practices. Functions are meant to be performed “concurrently and continuously” to create a culture committed to dynamic cybersecurity risk management.
Categories and subcategories include more concrete action plans that specific departments within an organization can follow.
Below are some examples of how functions and categories work together:
For protection against cyberattacks, a cybersecurity team must thoroughly understand the organization’s most important assets and resources. This function includes categories like asset management, governance, business environment, risk assessment, supply chain risk management, and risk management strategy.
This function covers many of the technical and physical security controls for developing and implementing safeguards and protecting critical infrastructure. Categories associated with the Protect function include identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
This function implements measures to alert an organization of cyberattacks. Its categories include anomalies and events, security continuous monitoring, and detection processes.
The Respond function ensures appropriate response to cyberattacks and other events. This function’s categories include response planning, communications, analysis, mitigation, and improvements.
The Recover function includes the implementation of plans for cyber resilience and ensures business continuity if a cyberattack, security breach, or other cybersecurity event occurs. The Recoger categories are recovery planning improvements and communications.
In addition to the categories mentioned above, there are also several subcategories that help with further organization and more specific action plans. Here are some examples of NIST CSF subcategories and compliance recommendations associated with them:
Recommendations include establishing and maintaining a list of devices used by employees on-premises and through the cloud.
Recommendations include a formal risk assessment methodology that is used periodically to document and analyze asset vulnerabilities and their potential impacts.
Recommendations include limiting access based on privilege to reduce insider threat potential.
Recommendations include implementing robust access control mechanisms to mitigate the threat of a breach.
Recommendations include the implementation of intrusion detection and prevention systems to establish baseline user activity, execute vulnerability scans, and pick up on anomalies right away.
Recommendations include sustained monitoring to prevent data breaches.
Recommendations include documenting and analyzing vulnerabilities to develop further resilience.
Informative references draw direct correlations between functions, categories, subcategories, and other frameworks’ specific security controls. Examples of such frameworks include:
NIST SP 800-53 Rev. 4
Center for Internet Security (CIS) Controls®
COBIT 5
International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC 27001:2013)
International Society of Automation (ISA) 62443-2-1:2009
ISA 62443-3-3:2013
The NIST CSF provides a checklist of tasks that must be completed. An organization can develop its own method for performing the inventory and checking off the items on that list.
The CSF also offers a lot of freedom to pick and choose the tools that best suit the cybersecurity risk management needs of an organization.
The NIST Cybersecurity Framework includes the following four implementation tiers, which help private sector companies measure progress:
In this tier, an organization is familiar with the NIST CSF. It may also have implemented some control elements. At this point, the implementation has been reactive rather than planned. The organization also likely has minimal awareness of its cybersecurity risks and lacks resources or processes to ensure information security.
At this point, the organization has a greater awareness of cybersecurity risks and informally shares information related to those risks. However, the organization still lacks a risk management process that is planned, repeatable, and proactive.
At this point, the organization and its senior executives are well aware of cybersecurity risks. They have also implemented a risk management plan that is repeatable and applicable organization-wide. The cybersecurity team has also developed an action plan that can help them monitor and respond to cyberattacks
At this point, the organization is cyber-resilient and is using the lessons learned before, along with relevant predictive indicators, to reduce the risk of cyberattacks. The cybersecurity team continually works to improve and advance the organization’s cybersecurity technologies. It also practices and adapts to changes quickly. An organization-wide approach has also been implemented, allowing for informed decision-making, policies, and procedures. Adaptive organizations incorporate cybersecurity risk management into their budget decisions and organizational culture, too.
The NIST Cybersecurity Framework recommends taking the following steps to develop and implement an effective risk management program:
Organizations should develop a clear understanding of the scope of the project and create a list of priorities. They should also establish high-level objectives, clarify business needs, and determine the organization’s current risk tolerance level.
Next, organizations should take stock of their assets and systems and then identify applicable regulations, risk approaches, and specific threats to which the organization could be exposed.
The next step is for organizations to create a current profile, which is a snapshot demonstrating how the organization currently manages risk based on the categories and subcategories of NIST CSF.
After creating a current profile, organizations should conduct a thorough risk assessment and evaluate the operational environment to identify the probability of cybersecurity events that could impact the company, as well as the potential severity of those events.
Next, the organization should identify the gaps between its current profile and target profile. With this information in mind, the information security team can then create an action plan that includes specific, measurable milestones, as well as the resources needed to fill in the gaps (such as people, budget, time, etc.).
Finally, the organization should implement the action plan developed in the previous step. They should regularly review the action plan as well to ensure its effectiveness and make adjustments as needed to protect the organization and maintain its resilience.
Although it was initially created for federal government agencies, compliance with NIST CSF is an excellent starting point for organizations of all types, sizes, etc.
Abiding by the guidelines laid out in the framework can help companies like yours expand their cybersecurity protocols, protect sensitive data, and gain more credibility.
Do you need more help establishing and implementing a NIST CSF risk management program? If so, Bluesteel Cybersecurity offers resources and solutions for you.
Reach out today for more information on our compliance preparation services.
Table of Contents Understanding HIPAA and HITECH Ensuring HIPAA HITECH compliance certification is vital for healthcare organizations to protect patient
HITRUST certification is a crucial process for organizations, especially in this digital world. Data security and privacy are things any
In the dynamic realm of Information Technology, BlueSteel Cybersecurity has emerged as a distinguished leader, earning prestigious recognition from Clutch,
Reach us Monday through Friday
8am – 6pm