An Introduction to the NIST Cybersecurity Framework
What is the NIST Cybersecurity Framework?
The Cybersecurity Enhancement Act of 2014 amended the role of the National Institute of Standards and Technology (NIST) to include the identification and development of cybersecurity risk frameworks. Through this act, NIST was tasked with identifying a “prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls…” With language that continues to evolve, the NIST Cybersecurity Framework aims to address and manage cybersecurity risk cost-effectively and without imposing regulatory requirements. The Framework positions cybersecurity risk as part of the organization’s overall risk management processes. It also serves as an organizing structure that accommodates many approaches to cybersecurity by aggregating best-in-class practices, guidelines, and standards in use today.
What is the key objective of the NIST Cybersecurity Framework?
The objective of the NIST Cybersecurity Framework is to arrive at an approach to cybersecurity that is customized to your organization. This is done methodically, through a flexible, systematic process that leads to a prioritized implementation plan. The Framework also serves as a common reference for communicating cybersecurity risks, activities, and outcomes.
What are the three components of the NIST Cybersecurity Framework?
Framework Core
The Core is designed as an intuitive translation layer that lets teams communicate in non-technical language. It is a set of desired cybersecurity activities and outcomes, made up of three parts: Functions, Categories, and Subcategories.
Functions
The Framework Core has five high-level Functions: Identify, Protect, Detect, Respond, and Recover. They apply both to cybersecurity risk management and to the organization’s overarching risk management strategy.
Categories
The next level down divides the five Functions into 23 Categories. Each Category is a cybersecurity objective within its Function, spanning cyber, physical, and personnel concerns.
Subcategories
At the most detailed level, 108 Subcategories are outcome-driven statements that offer considerations for creating a new cybersecurity program or strengthening an existing one. Because they are outcome-driven and not mandated, this suggestive model allows customized, risk-based implementations that match the organization’s needs.
Framework Implementation Tiers
Tiers are a quantitative method for describing how an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. The ranking considers the risk management process, integration of the program into the organization, and external participation. Tiers range on a scale of one to four and do not necessarily represent maturity levels.
- Tier 1 – Partial
- Tier 2 – Risk-informed
- Tier 3 – Repeatable
- Tier 4 – Adaptive
Framework Profiles
Framework Profiles are used to identify opportunities for improving an organization’s cybersecurity posture. A Profile describing the “current state” is compared against a target “future state” Profile to surface those opportunities. Profiles can incorporate business objectives, the threat environment, and requirements, all of which are considerations for the Framework Functions. Since the NIST Cybersecurity Framework is non-mandatory, Profiles are intended to map out cybersecurity requirements, mission objectives, and operating methodologies. A simple approach is to list the Subcategories by priority, determine the size of each gap, assign a budget, and define the activities needed to reach those objectives. The result is a prioritized implementation plan.
How to Use the NIST Cybersecurity Framework
The NIST Framework for Improving Critical Infrastructure Cybersecurity provides a seven-step process for creating a new cybersecurity program or improving an existing one. The process is a continuous improvement loop that yields incremental, steady progress.
- Scope and prioritize – the organization identifies business objectives and high-level priorities.
- Orient – the organization identifies the systems, assets, regulatory requirements, and overall risk approach in scope, so that it can identify threats to and vulnerabilities in those systems.
- Create a current-state profile – the profile is developed by selecting category and subcategory outcomes listed in the Framework Core that are currently satisfied.
- Conduct a risk assessment – on-premises, cloud, and hybrid environments all need to be considered to discern the likelihood of a cybersecurity event and its resulting impact on the organization.
- Create a target profile – an ideal, future state profile is created that focuses on desired cybersecurity outcomes from an assessment of Framework categories and subcategories.
- Determine, analyze, and prioritize cybersecurity gaps – this is where the organization compares the current profile with the target profile and performs a gap analysis to create a prioritized action plan to address those gaps.
- Implement a cybersecurity action plan – the organization decides which actions to take and assigns the action items in the prioritized implementation plan.
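The Profile comparison described above (the gap step in the seven-step process) is easy to automate. The following is an added example, not code from NIST or from the original article: it scores a handful of CSF 1.1 Subcategories in a current and a target Profile, rolls the gaps up per Function, and ranks them by priority and gap size against a budget. The Subcategory ids (ID.AM-1, PR.AC-1, DE.CM-1, RS.RP-1, RC.RP-1) are real CSF 1.1 identifiers; the 0-4 scoring scale, the priority weights, the costs and the budget are constructed for illustration.

```python
from dataclasses import dataclass

# Two-letter prefix of a CSF 1.1 subcategory id -> its Function.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

@dataclass
class Outcome:
    """One Framework Core subcategory as scored in the current and target profiles."""
    subcategory: str   # CSF 1.1 id, e.g. "PR.AC-1"
    current: int       # implementation level today, 0 (none) .. 4 (constructed scale)
    target: int        # level the target profile calls for
    priority: int      # business priority from Scope and Prioritize, 1 .. 5
    cost: float        # estimated cost to close the gap (constructed units)

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)

def gap_by_function(outcomes):
    """Total open gap per Function, the roll-up a board-level summary usually wants."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for o in outcomes:
        totals[FUNCTIONS[o.subcategory[:2]]] += o.gap
    return totals

def prioritize(outcomes, budget):
    """Rank open gaps by priority * gap size, fund them in rank order until the
    budget runs out, and keep unfunded items on the list as deferred work."""
    ranked = sorted((o for o in outcomes if o.gap > 0),
                    key=lambda o: (-o.priority * o.gap, o.cost, o.subcategory))
    plan, remaining = [], budget
    for o in ranked:
        funded = o.cost <= remaining
        if funded:
            remaining -= o.cost
        plan.append((o.subcategory, o.gap, o.priority * o.gap, funded))
    return plan, remaining

# Constructed sample profile: scores are illustrative, not from any real assessment.
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", current=2, target=4, priority=4, cost=20),
    Outcome("PR.AC-1", current=1, target=4, priority=5, cost=50),
    Outcome("DE.CM-1", current=3, target=3, priority=4, cost=30),
    Outcome("RS.RP-1", current=1, target=3, priority=3, cost=15),
    Outcome("RC.RP-1", current=0, target=3, priority=2, cost=40),
]

if __name__ == "__main__":
    plan, left = prioritize(SAMPLE_PROFILE, budget=80)
    print(plan, "unallocated:", left, gap_by_function(SAMPLE_PROFILE))
```

With the sample profile and a budget of 80, PR.AC-1 and ID.AM-1 are funded, RS.RP-1 and RC.RP-1 are deferred even though 10 units remain, and DE.CM-1 never appears because its current level already meets the target.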