Buckle Up with NIST Cybersecurity Framework (CSF)
Your roadmap to Flexibility, Repeatability, and Clarity.
The National Institute of Standards and Technology (NIST) seeks to advance measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. The NIST Cybersecurity Framework is a standard developed and maintained by NIST to do just that: enhance economic security and improve quality of life.
The CSF was developed by the National Institute of Standards and Technology, a United States non-regulatory governmental agency housed under the Department of Commerce. Today, NIST standards are employed in fields from nanotechnology to cybersecurity. In 2013, NIST was tasked with developing a Cybersecurity Framework through an executive order and published version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity in February 2014. Version 1.1 was made available in April 2018. The CSF is one of NIST’s voluntary programs based on existing standards and guidelines and is developed with flexibility to help organizations better manage and reduce cybersecurity risk. The CSF is presented in a 48-page document that details different cybersecurity activities and desired outcomes that organizations can leverage for assessing an organization’s cybersecurity risk, risk maturity, and infrastructure around information security.
What is NIST CSF Used for?
The CSF has three major components — the framework core, implementation tiers, and profiles — designed to help you benchmark your organization’s risk maturity and prioritize actions you need to take to make improvements.
The 3 parts of the framework (Diagram 1)
Framework Core — A set of cybersecurity activities, desired outcomes, and relevant references common across critical infrastructure sectors. It consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond and Recover.
Implementation Tiers — Implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework, over a range from Partial (Tier 1) to Adaptive (Tier 4).
Framework Profile — A framework profile represents the Core Functions’ Categories and Subcategories prioritized by an organization based on business needs. Comparing a Current Profile with a Target Profile measures the organization’s progress toward that target.
The 5 Core Functions (Diagram 2)
When considered together, the 5 Core Functions provide a strategic view of the lifecycle of an organization’s cybersecurity risk management and should be treated as a critical reference point. Here are the 5 Functions and how to comply with them:
Note: The Core Functions are intuitive and collectively with the Implementation Tiers and Profiles make for an easy-to-grasp blueprint that speeds adoption and provides ongoing guidance.
It is essential to understand that the CSF is not a set of rules, controls, or tools. Instead, it offers a set of processes that can help organizations measure the maturity of their current cybersecurity and risk management policies, procedures, and practices and identify steps to strengthen them. The use of the NIST CSF offers multiple benefits. In particular, it can help you:
Gain a better understanding of your security risks
Prioritize the activities that are the most critical
Identify mitigation strategies
Evaluate potential tools and processes
Measure the ROI of cybersecurity investments
Communicate effectively with all stakeholders, including IT, business, and executive teams
Adoption of the NIST CyberSecurity Framework provides a common, intuitive, and understandable language of risk-based security. Your technical, sales, customer support, executive, and finance teams will share the same understanding and terminology. NIST CSF enables an integrated risk management approach to cyber security management aligned with business goals. It provides a framework to align efforts across all departments to ensure that the risk management goals are set and met. When all departments understand the risks and work together, you have an organization in an excellent position to achieve its goals.
Cybersecurity risks are present in nearly every aspect of today’s technology-enabled businesses. Trying to keep up with them all and addressing them one by one is a recipe for competing priorities, inefficient allocation of resources, and burnout. The NIST CSF provides a risk-based approach to identify and understand your security landscape and then build a balanced and well-justified security roadmap. This integrated risk management approach enables the development and implementation of a cybersecurity management program aligned with business goals. The result is better communication, more effective decision-making throughout your organization, and well-informed and supported budgets. Adoption develops a common language for business and technical stakeholders alike, facilitating improved buy-in and success throughout the organization. PolicyCo provides a platform where cybersecurity maturity roadmaps for enterprises of all sizes are developed, implemented, monitored, and improved.
Originally published at https://policyco.io on February 1, 2022.