The US National Institute of Standards and Technology’s framework defines federal policy, but it can be used by private enterprises, too. Here’s what you need to know.
The tech world has a problem: security fragmentation. There is no standard set of rules, or even a shared vocabulary, for mitigating cyber risk, while the threats from hackers, ransomware and stolen data keep growing.
President Barack Obama recognized the cyber threat in 2013 with a cybersecurity executive order that attempted to standardize practices. President Donald Trump's 2017 cybersecurity executive order went a step further and made the framework that grew out of Obama's order federal government policy.
The framework isn’t just for government use, though: It can be adapted to businesses of any size.
TechRepublic's cheat sheet about the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) is a quick introduction to this government-recommended best practice, as well as a "living" guide that will be updated periodically to reflect changes to NIST's documentation.
Obama signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in 2013, which set the stage for the NIST Cybersecurity Framework; version 1.0 was released in February 2014. The CSF's goal is to create a common language, a shared set of standards and an executable series of goals for improving cybersecurity and limiting cybersecurity risk.
The CSF is voluntary for the private sector: there is no penalty for organizations that choose not to follow it. That doesn't make it any less of a good starting point. It was designed for scalability and gradual implementation, so a business of any size can use it to improve its security practices and reduce the likelihood and impact of a cybersecurity event.
The framework itself is divided into three components: the Core, Implementation Tiers and Profiles.
The Core is "a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes." It is broken down into four elements: Functions, Categories, Subcategories and Informative References. The five Functions (Identify, Protect, Detect, Respond and Recover) sit at the top; each is divided into Categories of outcomes, each Category into Subcategories (identified as, for example, PR.AC-1), and each Subcategory is mapped to Informative References such as specific controls in ISO/IEC 27001, COBIT, the CIS Controls and NIST SP 800-53.
There are four Implementation Tiers, from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive). The CSF documents are explicit that the Tiers are not maturity levels; they describe how rigorous and how well integrated into the business an organization's cyber risk management practices are, and NIST encourages moving to a higher Tier only where doing so is cost-effective and reduces risk the organization actually faces.
Profiles are both outlines of an organization's current cybersecurity status and roadmaps toward the CSF outcomes it wants to reach. NIST recommends keeping more than one: a Current Profile describing which outcomes are already achieved and a Target Profile describing the outcomes the organization needs, so that the gaps between them show where its cybersecurity is weakest and give a prioritized plan for closing them, which also makes moving from a lower to a higher Tier easier.
Profiles also tie the Functions, Categories and Subcategories to the business requirements, risk tolerance and resources of the larger organization. Think of a Profile as the executive summary of what the Core and the Tiers mean for that particular organization.
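The Core hierarchy and the Current-versus-Target Profile comparison can be made concrete with a small script. This is an added example, not NIST tooling or anything from the article: the Subcategory IDs are CSF 1.1's (the outcome wording is paraphrased), but the 0 to 4 achievement scale, the priority values and the two sample profiles are constructed for illustration, since the CSF itself prescribes no numeric scoring.

```python
"""Model the CSF Core hierarchy and compare a Current Profile against a
Target Profile to produce a prioritized gap list.

Added example, not NIST's own tooling. Subcategory IDs are real CSF 1.1
identifiers (outcome text paraphrased); the scoring scale, priorities and
the two sample profiles below are constructed for illustration.
"""
from dataclasses import dataclass

# Subcategory IDs are keyed the way CSF 1.1 names them: two-letter Function,
# dot, two-letter Category, dash, ordinal (e.g. PR.AC-1).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# A small slice of the Core (outcome text paraphrased from CSF 1.1).
CORE = {
    "ID.AM-1": "Physical devices and systems are inventoried",
    "ID.AM-2": "Software platforms and applications are inventoried",
    "PR.AC-1": "Identities and credentials are managed",
    "PR.DS-1": "Data-at-rest is protected",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after a cybersecurity incident",
}

# Implementation Tiers (CSF 1.1). NIST states these are not maturity levels.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass
class Entry:
    """One Profile line: how fully a Subcategory outcome is achieved (0..4,
    a constructed scale) and its business priority (1 high .. 3 low)."""
    achieved: int
    priority: int = 3


def function_of(subcat: str) -> str:
    """Return the Function name for a Subcategory ID such as 'PR.AC-1'."""
    return FUNCTIONS[subcat.split(".")[0]]


def gap_analysis(current: dict, target: dict) -> list:
    """List every Subcategory where the Target Profile asks for more than
    the Current Profile delivers, ordered by priority, then by shortfall."""
    gaps = []
    for sid, tgt in target.items():
        if sid not in CORE:
            raise KeyError(f"{sid} is not a Core Subcategory")
        cur = current.get(sid, Entry(achieved=0))  # absent means nothing in place
        if tgt.achieved > cur.achieved:
            gaps.append({
                "id": sid,
                "function": function_of(sid),
                "outcome": CORE[sid],
                "current": cur.achieved,
                "target": tgt.achieved,
                "priority": tgt.priority,
                "shortfall": tgt.achieved - cur.achieved,
            })
    gaps.sort(key=lambda g: (g["priority"], -g["shortfall"], g["id"]))
    return gaps


def summarize_by_function(gaps: list) -> dict:
    """Roll the gap list up per Function, the level at which executives read a Profile."""
    summary = {}
    for g in gaps:
        summary[g["function"]] = summary.get(g["function"], 0) + g["shortfall"]
    return summary


# Constructed sample profiles, not real assessment data.
CURRENT_PROFILE = {
    "ID.AM-1": Entry(achieved=3),
    "ID.AM-2": Entry(achieved=1),
    "PR.AC-1": Entry(achieved=2),
    "PR.DS-1": Entry(achieved=4),
    "DE.CM-1": Entry(achieved=0),
    # RS.RP-1 and RC.RP-1 are absent: no response or recovery plan exists yet.
}
TARGET_PROFILE = {
    "ID.AM-1": Entry(achieved=3, priority=2),
    "ID.AM-2": Entry(achieved=3, priority=2),
    "PR.AC-1": Entry(achieved=4, priority=1),
    "PR.DS-1": Entry(achieved=4, priority=1),
    "DE.CM-1": Entry(achieved=3, priority=1),
    "RS.RP-1": Entry(achieved=2, priority=2),
    "RC.RP-1": Entry(achieved=2, priority=3),
}

if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f'P{g["priority"]} {g["id"]} ({g["function"]}): '
              f'{g["current"]} -> {g["target"]}  {g["outcome"]}')
    print(summarize_by_function(gaps))
```

Run as a script, the gap list comes out with the two priority-1 shortfalls (network monitoring, then identity and credential management) first, and the per-Function summary shows Detect as the largest gap. Replacing the constructed scale with whatever evidence your assessors actually collect is the only change needed to use the same structure for a real Profile.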
The cybersecurity world is incredibly fragmented despite its ever-growing importance to daily business operations. Organizations fail to share information, IT professionals and C-level executives sidestep their own policies, and everyone seems to speak a cybersecurity language of their own.
NIST’s goal with the creation of the CSF is to help eliminate the chaotic cybersecurity landscape we find ourselves in, and it couldn’t matter more at this point in the history of the digital world.
Cybersecurity threats and data breaches continue to increase, and the latest disasters seem to come out of nowhere. The reason we are constantly caught off guard is simple: there is no cohesive framework tying the cybersecurity world together.
As time passes and the needs of organizations change, NIST plans to keep updating the CSF to keep it relevant. Updates are discussed at NIST's annual conference on the CSF and take into account feedback from industry representatives, whether sent by email or in response to the requests for comments and requests for information NIST issues.
“If NIST learns that industry is not prepared for a new update, or sufficient features have not been identified to warrant an update, NIST continues to collect comments and suggestions for feature enhancement, bringing those topics to the annual Cybersecurity Risk Management Conference for discussion, until such a time that an update is warranted,” NIST said.
The CSF affects everyone who touches a computer for business. IT teams and CXOs are responsible for implementing it; regular employees for following their organization's security standards; and business leaders for empowering their security teams to protect critical infrastructure.
The CSF's effect on the average person won't lessen with time either, at least not until it sees widespread adoption and becomes the accepted standard in cybersecurity planning.
If it seems like a headache, it's best to confront it now: ignoring NIST's recommendations can leave you exposed, and potentially liable, after a cybersecurity event that could have been avoided. Treat the growing pains as a positive step for the future of your organization.
President Obama instructed NIST to develop the CSF in 2013, and version 1.0 was officially issued in February 2014. President Trump's cybersecurity executive order, signed on May 11, 2017, required federal agencies to manage their cybersecurity risk using the CSF and gave agency heads 90 days to deliver risk management reports on their plans to do so.
Private sector organizations may still choose whether to implement the CSF to protect their data; the government has made it a requirement only for federal agencies.
In April 2018 NIST released version 1.1, the first major update to the CSF. Most of the changes were clarifications and expanded definitions, for example on supply chain risk management and identity and access management, but one notable addition was a new Section 4.0 designed to help cybersecurity leaders use the CSF as a tool for self-assessing their current risks.
While brief, section 4.0 describes the outcomes of using the framework for self-assessment, breaking it down into five key goals:
NIST's Framework website is full of resources to help IT decision-makers begin implementation. It contains the full text of the framework, FAQs, reference tools, online learning modules and even videos of cybersecurity professionals talking about how the CSF has affected them.
Of particular interest to IT decision-makers and security professionals is the industry resources page, where you'll find case studies, implementation guidelines and documents from government and non-governmental organizations detailing how they have implemented the CSF or incorporated it into their own programs.
There's no better time than now to implement the CSF: it is still relatively new, it can improve the security posture of organizations large and small, and it can position you as a leader in forward-looking cybersecurity practice while reducing the chance of a catastrophic cybersecurity event.