The NIST Cybersecurity Framework (NIST CSF) is a set of guidelines, best practices, and standards developed by the National Institute of Standards and Technology (NIST). Its purpose is to help organizations develop, improve and maintain their cybersecurity strategy.
The NIST CSF also includes recommendations for how to detect, respond to and recover from security incidents. The NIST Cybersecurity Framework is generally considered to be the most trusted and comprehensive security framework to date.
Benefits and Purpose of the NIST Cybersecurity Framework
Adhering closely to the NIST CSF gives organizations assurance that there are no (or at least few) unseen risks and vulnerabilities. It also helps them maintain an accurate and up-to-date inventory of their critical assets and determine which of those assets pose a security risk. The NIST CSF also offers guidance on which tools are available to help organizations keep their critical assets secure.
5 Functions of the NIST Cybersecurity Framework
The 5 functions of the NIST CSF are as follows:
Identify
The purpose of the Identify function is to enable organizations to identify both digital and physical assets, including existing policies and regulatory and legal documentation. Likewise, organizations must identify any supply chain risks and other external threats.
Protect
The purpose of the Protect function is to ensure that organizations have implemented the appropriate safeguards to protect their critical infrastructure and assets. It focuses on Identity and Access Management (IAM), which includes implementing robust authentication and authorization protocols to protect the confidentiality, integrity, and availability of sensitive data. This function also includes security awareness training, penetration testing, and any other relevant activities.
Detect
The Detect function focuses on detecting potential or actual security threats in a timely manner, as well as gaining an understanding of their potential impact. It also includes continuously monitoring all systems and data for anomalous activity, and a means by which to monitor the effectiveness of the access controls in place.
Respond
The Respond function describes the procedures and protocols for responding to security incidents. This includes developing and testing an incident response plan, communicating the incident to the relevant parties, conducting a forensic analysis to determine the cause of the incident, and carrying out mitigation activities to prevent the threat from recurring. The final stage of the Respond function is to document all relevant details, including a section on the lessons learned from the incident.
Recover
The Recover function specifies the activities that should be performed in the aftermath of a security incident. Such activities include implementing the procedures for restoring systems to their operational state, reviewing existing strategies to ensure that they are fit for purpose, and ensuring that the incident was properly communicated to the relevant parties.
NIST Cybersecurity Framework Implementation Tiers
The NIST Cybersecurity Framework is broken down into four implementation tiers, which are used to classify organizations according to how well their risk management strategies have been implemented. These four tiers are as follows:
Tier 1: Partial
Organizations that fall into this tier are considered to have an ineffective risk management strategy. Risk management processes are performed with little to no foresight or prioritization, and the organization lacks a deep understanding of its position in the supply chain and of its security relationships with its business associates.
Tier 2: Risk Informed
Tier 2 organizations have a risk management strategy informed by an awareness of their cybersecurity risks. While their risk management procedures are usually approved by management, they are not standardized across the whole organization, periodically tested, or treated as a top priority. Organizations in Tier 2 tend not to share the information they receive, nor are they likely to act on it.
Tier 3: Repeatable
Organizations that fall into Tier 3 have a formally approved risk management strategy, supported by a range of policies. These policies are regularly reviewed and updated when requirements change or when the threat landscape changes. Organizations in Tier 3 have a broad understanding of the threats they face, including threats associated with their supply chains. They also share information regularly with their business associates and even sign written agreements with them, so that those associates are aware of the organization's risk management methods and how they are enforced.
Tier 4: Adaptive
Tier 4 organizations have a cybersecurity program that is able to adapt to new information, including the lessons learned from previous incidents. They are able to incorporate advanced cybersecurity technologies and practices, and to budget for new and improved technologies as they emerge. Tier 4 organizations are able to monitor their systems in real time and communicate risks effectively with all relevant stakeholders. They have a comprehensive set of policies that specify how threats should be treated before, during, and after they unfold.
NIST Cybersecurity Framework Profiles
A Framework Profile is the customized adoption of the NIST CSF by an organization. It is essentially a tool that helps organizations align their current cybersecurity "profile" with the requirements of the NIST CSF. By comparing their current profile against a target profile, they can identify gaps in their cybersecurity posture and the areas that need improvement.