Understanding the NIST Cybersecurity Framework

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework, commonly referred to as NIST CSF is a set of industry-recognized best practices for cybersecurity. Overseen by the National Institute of Standards and Technology (NIST), the CSF framework creates a foundation from which your organization can measure and manage your cybersecurity risk. Essentially, it’s a way to manage and mitigate cyber threats in a way that’s beneficial to your overall business goals.

NIST CSF is often used by organizations that operate critical infrastructure as well as other private-sector businesses, but the best practices are applicable to a range of organizations of varying sizes across all industries.

In this NIST CSF knowledgebase, we’ll help you better understand the framework, how it works, how you can put it to use within your organization, its history, and ways it works together with other existing controls you have in place now or want to add to your overall cybersecurity program in the future.

Understanding NIST Cybersecurity Framework Compliance

The National Institute of Standards and Technology (NIST) has developed its NIST Cybersecurity Framework (CSF) as a voluntary set of standards your organization can use to manage and mitigate cyber risks for your organization. The framework is made up of standards, guidelines, and other best practices. Because it is voluntary, compliance for your organization is not mandated, however, adopting the NIST CSF framework provides a great foundation to build, implement, manage, and mature your organization’s cybersecurity practices.

The first version of NIST CSF became public in 2014. It was the result of work NIST did with private-sector and government agencies in response to the 2013 Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” to develop a cybersecurity framework. Response to the framework was widely positive and that same year Congress formally ratified the framework as part of NIST requirements in its Cybersecurity Enhancement Act of 2014. This version remained in place through 2018 when, in April of that year, NIST released an update as version 1.1.

Among the many benefits of NIST CSF is that it not only helps your organization identify cyber risks, but it also helps you determine what you should do to address those risks as they relate specifically to your organization and business goals.

NIST CSF provides a common language so you can communicate your cyber risks both inside and outside of your organization to help establish and mature your cybersecurity posture. In its nature, the CSF framework is itself high-level, meaning your organization has a lot of flexibility when it comes to implementing CSF requirements. One set of controls may be applicable for your organization today, while another may be better for you in the future.

There are three main components of NIST CSF: its core, implementation tiers, and profiles. The NIST CSF core outlines activities and outcomes in a unified language that’s easy for internal and external stakeholders to understand. The implementation tiers provide a way that your organization can implement a cybersecurity framework and then mature it as your organization changes, and the profile helps align your organization’s specific requirements to your objectives, resources, and risk appetite.

One of the unique parts of this framework is how will it connects your cybersecurity risk activities with your business drivers and outcomes.

Building a Successful NIST CSF Engagement Strategy

The NIST Cybersecurity Framework aligns with the cybersecurity lifecycle: identify, protect, detect, respond, and recover. As such, this voluntary set of cybersecurity standards makes it easy for your organization to set a foundation for your cybersecurity program and mature it in phases.

In our NIST CSF compliance guide, we break down the big picture of the CSF framework to help you understand its origins and intent so you can “Build a Successful NIST CSF Engagement Strategy to Secure Your Business.”

The guide walks you through the three core framework components: core, implementation tiers, and profiles. Then take a deeper dive into the lifecycle alignment with a breakdown of security functions, and summarizes the key 23 framework requirements, which is managed within Apptega through categories related to the framework core.

The guide is also an invaluable tool in helping your organization prepare for a CSF assessment, including a walkthrough of five basic steps your organization can take to ensure a successful framework implementation and adoption. You’ll also find a detailed resource guide to help connect your organization with any additional CSF support you may need.

Does Your Organization Need to be NIST CSF Compliant?

All organizations, regardless of size or industry, can benefit from NIST CSF compliance. Although the framework consists of voluntary standards that are not legally bound to compliance, the framework serves as a solid foundation that any organization—even those with limited people, tools, resources, and financial support—can implement and then mature over time.

Because the NIST CSF framework has implementation tiers, it’s a great resource that can meet you where you are today in relation to your existing cybersecurity risks and business goals, and then provide a way to add additional layers of security to your program as your needs and objectives change, and the cyber risk landscape continues to evolve.

If you’re an organization that provides products and services to the federal government, there may be other NIST standards that your organization must comply with, for example, NIST 800-53 and NIST 800-171. If you’re already using those frameworks, you can crosswalk those controls and map them to the NIST CSF framework, simplifying control management and giving you a better picture of all the ways your organization is committed to reducing cyber risks. If you have not yet implemented those standards, but are expected to do so, the NIST CSF framework can be a great place to start.

Understanding the NIST CSF Framework: The Five Core Functions

The five core functions of the NIST Cybersecurity Framework directly align with the cybersecurity lifecycle:  identify, protect, detect, respond, recover.

These five functions represent the five core pillars of the CSF framework. At the highest level, they can help your organization build a holistic cybersecurity program, one that can be matured as your needs evolve. These five core functions also help your organization implement a common language for communicating your program maturity both internally and externally.

Each function has related categories. There are 23 total requirements representing those categories and there are additional sub-categories related to the 23 core categories.

Identify

This function helps your organization understand how you can manage your cyber risks as they relate to your people, assets, data, systems, and other capabilities. The identification process helps your team better understand your cyber risks in actual business context, for example, by identifying your organization’s most critical functions and related assets and then homing in on cyber risks that can affect your organizational resilience.

Here is a quick look at some of the things your organization might tackle as part of the identify phase:

• Inventorying all of your assets and systems as part of an asset management program
• Locating and understanding your existing cybersecurity policies and practices
• Determining which functions and assets are critical to operational resilience across your entire organization, including through your supply chain
• Discovering all of your vulnerabilities and other security weaknesses, including internal and external threats
• Conducting risk assessments
• Conducting business impact analyses
• Developing a risk management strategy

Protect

This function helps your organization identify necessary safeguards that ensure you’re able to deliver critical services, for example, during and after a cybersecurity event.

This may include steps such as:

• Creating Identity and Access Management (IAM) policies
• Developing data security policies and standards
• Managing assets, devices, and systems to ensure they meet existing standards and policies
• Educating staff and other stakeholders about cyber risks and how to avoid them

Detect

This function helps your organization develop activities to determine when you’re experiencing a cybersecurity incident so you can quickly respond.

This may include steps such as:

• Event and anomaly detection and response
• Understanding event impact and scope
• Identifying interconnectivity and opportunities for lateral movement within your network and systems
• Ensuring your organization utilizes continuous monitoring to discover vulnerabilities and weaknesses, as well as ongoing cybersecurity monitoring for any abnormalities

Respond

This function helps your organization understand steps required to respond to a cybersecurity event. Your goal is to respond in a way that contains and mitigates the impact of the event.

This may include steps such as:

• Routinely testing and exercising your response plans
• Ensure your response plans are effective and up to date for your current environment
• Managing how your organization responds internally and externally during and after an event
• Conducting forensic analysis and related steps to determine how the incident occurred and what its full impacts are
• Mitigation techniques to decrease the impact of the event
• Steps to resolve the incident

Recover

This function helps you determine which activities you need to take to recover from an incident and return to business as usual as quickly as possible, including restoration of your critical services and processes.

This may include steps such as:

• Ensuring the effectiveness of your recovery plans and making modifications as needed, including the ability to effectively restore your critical systems and functions in a timely manner
• Applying lessons learned from an event to decrease the likelihood of a similar or related event in the future
• Evaluating existing internal and external communication plans for effectiveness and making adjustments for better future response to protect the brand from reputational damage

How to Implement NIST CSF: Framework Tiers

There are four implementation tiers in the NIST Cybersecurity Framework. In simplest terms, the tiers determine how well your organization’s cybersecurity risk management practices meet requirements defined in the framework, not specifically your program’s maturity levels. The tiers range from partial all the way up to adaptive.

Tier 1: Partial

Cybersecurity activities aren’t directly informed by your risk objectives, business requirements, or threat landscape. Your activities are ad hoc and reactive.

Tier 2: Risk Informed

Cybersecurity activities are directly informed by your risk objectives, business requirements, or threat landscape. Your activities are piecemealed with some risk awareness, but they are not proactive.

Tier 3: Repeatable

Cybersecurity activities are updated as you apply your risk management processes to your changing business requirements and threat landscape. You’ve implemented these activities throughout your company and they are repeatable so you can respond to cyber events.

Tier 4: Adaptive

Cybersecurity activities are built into your overall organizational culture and represent complete adoption of the NIST CSF framework. You can respond to cyber events and take proactive steps to detect issues and respond to them based on trends and other relevant risk information.

How Framework Profiles Help You Improve Your Security Posture

In the NIST Cybersecurity Framework, framework profiles help you align your organization’s goals, objectives, risk appetite, and available resources to the CSF core. Where you are now is your current profile. Where you want to go with your cybersecurity maturity is your target profile. You can use the CSF framework to build an action plan to move you from your current profile to your target profile.

You can use the framework’s profiles to find areas of improvement so you can improve your cybersecurity posture by essentially evaluating your organization’s objectives against the current threat landscape and your existing controls and then determining the profile you want to get to next.

Organizations often use the target profile as a way to plan for future improvements and program investments. For example, your organization might be comfortable implementing a specific set of controls and sub-controls in your first year, and from there you can build a plan to prioritize and implement additional controls and sub-controls in the coming months and years.

Steps to Become NIST CSF Compliant

To become fully NIST CSF compliant at implementation tier 4, you’ll need to implement all of the framework’s controls and sub-controls, and demonstrate you can effectively respond to a cybersecurity event and are proactively and continuously seeking out risks and effectively remediating them even as your organization and threat landscape evolves and expands.

There are 23 total CSF requirements and each requirement grouping aligns with the cybersecurity lifecycle.

Identify

1. Asset management: Identify and consistently manage all data, personnel, devices, systems, and facilities that enable your organization to achieve business purposes as relevant to the importance of your business objectives and risk strategies.

2. Business environment: Understand and prioritize your mission, objectives, stakeholders, and activities to inform your cybersecurity roles, responsibilities and risk management decisions.

3. Governance: Understand your policies, procedures, and processes used to manage and monitor your regulatory, legal, risk, environmental, and operational requirements and use them to inform your cybersecurity risk management.

4. Risk assessment: Understand your cybersecurity risk related to your organization’s operations, such as your functions, mission, reputation, etc.), your assets, and individuals.

5. Risk management strategy: Establish and use your organization’s priorities, constraints, risk tolerances, and assumptions to support your operational risk decisions.

6. Supply chain risk management: Establish your organization’s priorities, constraints, risk tolerances, and assumptions and use them to support the risk decisions associated with supply chain management, including establishing and implementing processes to identify, assess, and manage your supply chain risks.

Protect

7. Identify management, authentication, and access controls: Limit access to physical and virtual assets and associated facilities to authorized users, processes, and devices, and consistently manage in the context of the assessed risk of unauthorized access.

8. Awareness and training: Ensure your personnel and partners are provided with cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

9. Data security: Consistently manage your information and records (data) with your organization’s risk strategy to ensure protection of the confidentiality, integrity, and availability of information.

10. Information protection processes and procedures: Maintain and use security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures to manage protection of information systems and assets.

11. Maintenance: Perform maintenance and repairs of industrial control and information system components consistent with policies and procedures.

12. Protective technology: Manage technical security solutions to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Detect

13. Anomalies and events: Detect anomalous activities in a timely manner and understand the potential impact of events.

14. Security and continuous monitoring: Monitor your information system and assets at discrete intervals to identify cybersecurity events and verify effectiveness of protective measures.

15. Detection processes: Maintain and test detection processes and procedures to ensure awareness of anomalous events.
Respond

16. Response planning: Execute and maintain response processes and procedures to ensure timely response to detected cybersecurity incidents.

17. Communications: Coordinate response activities with internal and external stakeholders as appropriate including external support from law enforcement agencies.

18. Analysis: Conduct analyses to ensure adequate response and support recovery activities.

19. Mitigation: Perform activities to prevent an event’s expansion, mitigate its effects, and resolve the incident.

20. Improvements: Improve organizational response activities by incorporating lessons learned from current and previous detection/response activities

Recover

21. Recovery planning: Execute and maintain recovery processes to ensure timely restoration of systems or assets affected by cybersecurity incidents

22. Improvements: Improve organizational response activities by incorporating lessons learned into future activities.

23. Communications: Coordinate restoration activities with internal and external stakeholders such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

Preparing for a NIST CSF Assessment

Although the NIST Cybersecurity Framework is voluntary and there are no legal requirements for compliance, undergoing a NIST CSF compliance assessment can help you better understand your current security posture and help your organization make plans to move to your target profile.

Whether you’re conducting an internal audit or having an external assessment, here are a few tips that can help ensure you’re on the journey to CSF compliance, regardless of your current implementation tier.

And, remember, this is not a set-it-and-forget-it process. Your cybersecurity processes and evaluations should be continuous to keep up with your rapidly change threat landscape.

Steps to Prepare for an Assessment

Step 1: Set Goals

Develop a governance agreement for your organization that defines your organization’s risk appetite. Use this time to set goals for your cybersecurity program including a budget related to CSF implementation and management, your implementation priorities and objectives, and outlining roles and responsibilities.

Step 2: Select Your Implementation Tier

There are four tiers for NIST CSF implementation. Evaluate the current profile for your organization’s existing cybersecurity measures and then select the appropriate tier for implementation.

Step 3: Assess Risk

Conduct a risk assessment, possibly using an independent external party to solidify your current security posture and then develop goals related to your current security risks, including an inventory of your existing assets, vulnerabilities, and other security issues. Don’t forget to document.

Step 4: Identify Security Gaps

Use your risk assessment to compare your current security posture scores against your target profile scores. Develop an action plan to address areas where you have gaps, including steps to improve your scores and close your gaps.

Step 5: Implement the Action Plan

Next, implement your action plan, including documenting all of your processes. Consider developing training and education materials to help facilitate organizational-wide adoption as appropriate. Establish key metrics that will help you continue to assess the effectiveness of your cybersecurity program and help you meet expectations and requirements.

NIST CSF FAQs

Still have a question?

Get in touch with us and we would be happy to help.