Understanding the NIST Cybersecurity Framework

All organizations, regardless of size or industry, can benefit from NIST CSF compliance. Although the framework consists of voluntary standards that are not legally bound to compliance, the framework serves as a solid foundation that any organization—even those with limited people, tools, resources, and financial support—can implement and then mature over time.

Because the NIST CSF framework has implementation tiers, it’s a great resource that can meet you where you are today in relation to your existing cybersecurity risks and business goals, and then provide a way to add additional layers of security to your program as your needs and objectives change, and the cyber risk landscape continues to evolve.

If you’re an organization that provides products and services to the federal government, there may be other NIST standards that your organization must comply with, for example, NIST 800-53 and NIST 800-171. If you’re already using those frameworks, you can crosswalk those controls and map them to the NIST CSF framework, simplifying control management and giving you a better picture of all the ways your organization is committed to reducing cyber risks. If you have not yet implemented those standards, but are expected to do so, the NIST CSF framework can be a great place to start.

To become fully NIST CSF compliant at implementation tier 4, you’ll need to implement all of the framework’s controls and sub-controls, and demonstrate you can effectively respond to a cybersecurity event and are proactively and continuously seeking out risks and effectively remediating them even as your organization and threat landscape evolves and expands.

There are 23 total CSF requirements and each requirement grouping aligns with the cybersecurity lifecycle.

Identify

• 1. Asset management: Identify and consistently manage all data, personnel, devices, systems, and facilities that enable your organization to achieve business purposes as relevant to the importance of your business objectives and risk strategies.
• 2. Business environment: Understand and prioritize your mission, objectives, stakeholders, and activities to inform your cybersecurity roles, responsibilities and risk management decisions.
• 3. Governance: Understand your policies, procedures, and processes used to manage and monitor your regulatory, legal, risk, environmental, and operational requirements and use them to inform your cybersecurity risk management.
• 4. Risk assessment: Understand your cybersecurity risk related to your organization’s operations, such as your functions, mission, reputation, etc.), your assets, and individuals.
• 5. Risk management strategy: Establish and use your organization’s priorities, constraints, risk tolerances, and assumptions to support your operational risk decisions.
• 6. Supply chain risk management: Establish your organization’s priorities, constraints, risk tolerances, and assumptions and use them to support the risk decisions associated with supply chain management, including establishing and implementing processes to identify, assess, and manage your supply chain risks.

Protect

• 7. Identify management, authentication, and access controls: Limit access to physical and virtual assets and associated facilities to authorized users, processes, and devices, and consistently manage in the context of the assessed risk of unauthorized access.
• 8. Awareness and training: Ensure your personnel and partners are provided with cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
• 9. Data security: Consistently manage your information and records (data) with your organization’s risk strategy to ensure protection of the confidentiality, integrity, and availability of information.
• 10. Information protection processes and procedures: Maintain and use security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures to manage protection of information systems and assets.
• 11. Maintenance: Perform maintenance and repairs of industrial control and information system components consistent with policies and procedures.
• 12. Protective technology: Manage technical security solutions to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Detect

• 13. Anomalies and events: Detect anomalous activities in a timely manner and understand the potential impact of events.
• 14. Security and continuous monitoring: Monitor your information system and assets at discrete intervals to identify cybersecurity events and verify effectiveness of protective measures.
• 15. Detection processes: Maintain and test detection processes and procedures to ensure awareness of anomalous events.
  Respond
• 16. Response planning: Execute and maintain response processes and procedures to ensure timely response to detected cybersecurity incidents.
• 17. Communications: Coordinate response activities with internal and external stakeholders as appropriate including external support from law enforcement agencies.
• 18. Analysis: Conduct analyses to ensure adequate response and support recovery activities.
• 19. Mitigation: Perform activities to prevent an event’s expansion, mitigate its effects, and resolve the incident.
• 20. Improvements: Improve organizational response activities by incorporating lessons learned from current and previous detection/response activities

Recover

• 21. Recovery planning: Execute and maintain recovery processes to ensure timely restoration of systems or assets affected by cybersecurity incidents
• 22. Improvements: Improve organizational response activities by incorporating lessons learned into future activities.
• 23. Communications: Coordinate restoration activities with internal and external stakeholders such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.