
What is the NIST Cybersecurity Framework? The Ultimate Guide

History of NIST

The National Institute of Standards and Technology (NIST) publishes guidance and best practices that businesses, non-profits, and other private-sector institutions can follow to improve their cyber security risk management. NIST is part of the U.S. Department of Commerce and is one of the nation's oldest physical science laboratories.

Back in 2013, the President issued Executive Order 13636 that stated:

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

This Executive Order established certain requirements that NIST applied to its cyber security framework, including:

  • Identify security standards and guidelines applicable across sectors of critical infrastructure.

  • Provide a prioritised, flexible, repeatable, performance-based, and cost-effective approach.

  • Help owners and operators of critical infrastructure identify, assess, and manage cyber risk.

  • Enable technical innovation and account for organisational differences.

  • Provide guidance that is technology-neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services.

  • Include guidance for measuring the performance of implementing the Cybersecurity Framework.

  • Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organisations.

Why has this become so important? 

Put simply, increasing cyber security threats affect businesses and other organisations daily. Without a single source of truth, it would be almost impossible for businesses to develop a thorough, effective framework to help them implement effective measures for mitigating security risks. That's why the NIST Cybersecurity Framework has become so crucial for businesses; it encourages efficient, innovative, and resilient solutions to maintain security.

What is the NIST Cybersecurity Framework?

Essentially, the NIST Cybersecurity Framework helps organisations of all types to better understand, manage, and reduce cyber security risks. The end result of following this guidance is better protection of networks and data. The NIST Cybersecurity Framework is broken down in such a way that any business or organisation could implement it to better understand where to focus time and resources for improved cyber security protection. It's all about empowering businesses to be more effective at protecting their data, their customers' data, their networks, and their employees.

Although the NIST Cybersecurity Framework was developed by an organisation within the United States, it was created with the idea of global adoption. To that end, it's been translated into many languages and adopted by governments, businesses, and organisations around the world.

Since NIST Cybersecurity Framework 1.1, many organisations and governments have successfully adopted the framework, including:

The latest version of the NIST Cybersecurity Framework (CSF) is aimed at audiences, industry sectors and organisations of all types and sizes, from small schools and non-profits to enterprise corporations. The framework was designed so that any organisation, regardless of its cyber security sophistication, can benefit from the information it presents.

According to NIST Director and Under Secretary of Commerce for Standards and Technology, Laurie E. Locascio: 

“The CSF has been a vital tool for many organisations, helping them anticipate and deal with cyber security threats… CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customised and used individually or in combination over time as an organisation’s cyber security needs change and its capabilities evolve.” 

Exploring the history of the NIST Cybersecurity Framework

The latest evolution of the NIST Cybersecurity Framework also goes beyond focusing on critical infrastructure and encompasses all organisations, of all sizes, within any sector.

When the NIST Cybersecurity Framework was created, the goal was to maintain ongoing engagement with stakeholders in government, industry and academia. To create this framework, NIST used outreach and workshops across the country, as well as a Request for Information (RFI) and a Request for Comment (RFC). Its initial goal was threefold:

  • Identify existing cyber security standards, guidelines, frameworks and best practice.

  • Specify high-priority gaps.

  • Develop action plans to address those gaps.

The comment period for information gathering ended on 8 April 2013, and NIST received over 270 responses to the Request for Information. From those responses, NIST developed the agenda for its first Cybersecurity Framework workshop, which took place in Washington, DC, with the goal of gathering interest, raising awareness and providing insight into the collaborative development process. The topics of the workshop included the Executive Order, the goals for the development and reaffirming the process that would be used to develop the framework.

The second workshop took place between 29 and 31 May 2013 and was held at Carnegie Mellon University, with an agenda based on the analysis of the initial RFI. The goals were to further define and clarify the information it had received and encourage debate across several security-based topics. After this workshop concluded, NIST analysed the information it had gathered and created summaries that were shared with the industries and used to create the initial draft of the Cybersecurity Framework.

The first draft of the NIST Cybersecurity Framework was released on 2 July 2013.

NIST held several workshops following the release, aimed at discussing and refining the initial release. On 12 February 2014, version 1.0 of the NIST Cybersecurity Framework was released.

The core functions of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework consists of several core functions, which give a general overview of best practice. These functions are not intended to be viewed as procedural steps but, rather, used to address the dynamic nature of cyber security risks.

Govern

This function provides outcomes that help inform what an organisation can do to prioritise the remaining functions in the context of its mission and stakeholder expectations.

Identify

The identify function calls for the need to develop an organisational understanding of cyber security risks to systems, assets, data and capabilities. This element focuses on the business, so it can prioritise its efforts in a way that is consistent with its risk management strategy.

Protect

This function supports an organisation’s ability to secure its assets and to prevent, or reduce the likelihood and impact of, a cyber security event.

Detect

This function enables the timely discovery and analysis of anomalies, indicators of compromise and other adverse events that indicate a cyber security event has occurred or will occur.

Respond

This function helps contain any effects of a cybersecurity incident, covering incident management, analysis, mitigation, reporting, and communication.

Recover

This function focuses on the timely restoration of normal business operations, in order to reduce the effects of a cybersecurity incident, as well as enable the necessary (and appropriate) communication during the recovery.

The ultimate goal of these functions is to offer a high-level, strategic view of how an organisation prepares for, reacts to, and recovers from cybersecurity events.

Implementing the NIST Cybersecurity Framework

With a solid understanding of what the NIST Cybersecurity Framework does, and how it's evolved, you're probably wondering how best to implement it.

NIST recommends a seven-step approach for implementation, which looks like this:

  1. Prioritise and scope - Prioritise your organisation’s objectives and assets that need to be protected.

  2. Orient - Familiarise yourself and your team with the processes, systems, and components within the scope, as well as the key compliance regulations they must comply with.

  3. Create a current profile - Indicate which control outcomes of the framework are already being achieved within your organisation, and then create a list of what still needs to be integrated.

  4. Conduct a risk assessment - Analyse your operational environment to determine the likelihood of cybersecurity events, as well as the impact they could have.

  5. Create a target profile - Focus on the Cybersecurity Framework Categories and Subcategories assessment to help you describe your desired cybersecurity outcomes.

  6. Determine, analyse, and prioritise gaps - Determine any cybersecurity gaps that exist in your organisation. From this analysis, you can then create a prioritised plan to address those needs.

  7. Implement your action plan - Take action and implement the plan you've created to address all issues discovered within the previous steps.
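Steps 3 to 6 above (current profile, risk assessment, target profile, prioritised gaps) can be carried out in a spreadsheet, but the logic is easy to make explicit. The following is an added example, not code from Bitwarden or NIST: it models the current and target profiles as a maturity tier per core function, weights each gap by the likelihood and impact scores from the risk assessment, and returns a prioritised gap list. The function names and tier names come from this page; the per-function granularity, the 1 to 5 likelihood/impact scale, the priority formula (tier gap multiplied by risk) and all sample scores are assumptions constructed for illustration. Real profiles work at Category and Subcategory level.

```python
"""Current-profile vs target-profile gap analysis (constructed example).

Assumptions, all constructed for illustration (not NIST's method):
  * Outcomes are keyed by CSF Function name only; real profiles work at
    Category/Subcategory level.
  * Maturity is expressed with the four implementation tiers named on the
    page, treated as an ordinal scale 1..4.
  * Likelihood and impact are 1..5 scores from the risk assessment (step 4).
  * priority = tier_gap * (likelihood * impact).
"""
from dataclasses import dataclass

# Tier 1..4, in order of increasing maturity
TIERS = ["Partial", "Risk-informed", "Repeatable", "Adaptive"]
TIER_RANK = {name: i + 1 for i, name in enumerate(TIERS)}
FUNCTIONS = ["Govern", "Identify", "Protect", "Detect", "Respond", "Recover"]


@dataclass(frozen=True)
class Gap:
    function: str
    current: str
    target: str
    tier_gap: int   # how many tiers short of the target
    risk: int       # likelihood * impact
    priority: int   # tier_gap * risk


def validate_profile(profile):
    """Reject unknown functions or tier names before they skew the ranking."""
    for fn, tier in profile.items():
        if fn not in FUNCTIONS:
            raise ValueError(f"unknown CSF function: {fn!r}")
        if tier not in TIER_RANK:
            raise ValueError(f"unknown implementation tier: {tier!r}")


def prioritise_gaps(current, target, risk_assessment):
    """Return the gaps between two profiles, highest priority first.

    A function missing from `current` is treated as Tier 1 (Partial);
    a function missing from `target` is treated as having no target and
    therefore no gap; a function missing from `risk_assessment` gets the
    minimum risk score of 1.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for fn in FUNCTIONS:
        cur = current.get(fn, "Partial")
        tgt = target.get(fn, cur)
        tier_gap = TIER_RANK[tgt] - TIER_RANK[cur]
        if tier_gap <= 0:
            continue  # already at or above target: nothing to plan
        likelihood, impact = risk_assessment.get(fn, (1, 1))
        risk = likelihood * impact
        gaps.append(Gap(fn, cur, tgt, tier_gap, risk, tier_gap * risk))
    # Highest priority first; ties broken by risk, then by name for stability
    return sorted(gaps, key=lambda g: (-g.priority, -g.risk, g.function))


# Constructed sample data for a fictional organisation
CURRENT_PROFILE = {
    "Govern": "Partial", "Identify": "Risk-informed", "Protect": "Repeatable",
    "Detect": "Partial", "Respond": "Risk-informed", "Recover": "Partial",
}
TARGET_PROFILE = {
    "Govern": "Repeatable", "Identify": "Repeatable", "Protect": "Repeatable",
    "Detect": "Repeatable", "Respond": "Repeatable", "Recover": "Risk-informed",
}
# (likelihood, impact) per function, each 1..5
RISK_ASSESSMENT = {
    "Govern": (3, 4), "Identify": (3, 3), "Protect": (4, 5),
    "Detect": (4, 5), "Respond": (3, 5), "Recover": (2, 5),
}


def action_plan():
    """Step 6 output: the prioritised gap list for the sample organisation."""
    return prioritise_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_ASSESSMENT)


if __name__ == "__main__":
    for g in action_plan():
        print(f"{g.function:<9} {g.current} -> {g.target}  "
              f"gap={g.tier_gap} risk={g.risk} priority={g.priority}")
```

With the sample scores, Detect ranks first (two tiers short and the highest risk), Protect does not appear at all because it already meets its target, and Identify ranks last despite being a gap because its risk score is lowest. Changing the weighting formula or the scale changes the order, which is exactly the discussion step 6 is meant to provoke with stakeholders.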

One thing to keep in mind is that the framework isn't rigid. It is flexible enough to integrate with your existing security processes, and the seven steps above leave room for that: the current profile, risk assessment and target profile are all built around what your organisation already has in place.

Benefits of Adopting the NIST Cybersecurity Framework

Because of how NIST sets out the seven steps for implementing the framework, organisations get a comprehensive overview of the risks they are susceptible to, how to plan according to those risks, how to improve organisation-wide communication, and how to strengthen compliance. Education around an organisation's weaknesses, and how to mitigate them, is one of the crucial benefits of the NIST Framework.

According to the Federal Trade Commission, the NIST Framework, "helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data."

NIST recognises that every organisation is different, and it also offers three tips for keeping your passwords secure, which apply universally.

Challenges and considerations in framework adoption

The NIST Cybersecurity Framework can be complex. It’s important to fully understand the core functions before you move on to the seven steps listed above. To ensure lasting success, it is critical to encourage a cybersecurity culture within your organisation; otherwise, you'll run into resistance to what could be a dramatic change in processes and systems.

Other challenges include:

  • Resource constraints - you might not currently have the staff capable of implementing these changes.

  • You'll most likely have to spend time customising the Cybersecurity Framework to better fit your organisation.

  • Threats are always evolving, which means your security practices will have to keep up.

  • You'll want to integrate the Cybersecurity Framework with any existing processes you have in place.

  • It may be challenging to encourage stakeholder engagement, which directly relates to fostering a cyber security culture capable of meeting these demands.

NIST Cybersecurity Framework profiles and tiers

There are four NIST implementation tiers, which are:

  • Tier 1 (Partial) - Companies with ad hoc or no security procedures.

  • Tier 2 (Risk-informed) - Companies that are aware of the threats they face and have some policies in place, but lack a coordinated strategy.

  • Tier 3 (Repeatable) - Companies with risk management and cyber security best practices that have received executive approval. These businesses often measure themselves against competitors, and even work with other organisations to ensure their practices are aligned.

  • Tier 4 (Adaptive) - Companies in heavily regulated industries, such as banking and healthcare, that routinely contribute to broad risk awareness.

According to NIST, the Cybersecurity Framework Profile "is the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organisation." These profiles help organisations establish a roadmap to reduce cyber security risks.

NIST offers a customisable Cybersecurity Framework Organisational Profile Template, as well as a list of community profiles that can be used.

Updating and evolving with the NIST Framework

Keep in mind, the NIST Cybersecurity Framework is designed to be a living document that depends on regular updates reflecting the ever-changing cyber security landscape and emerging threats. Because of this, it is crucial that organisations stay up to date on the latest threats, so the Cybersecurity Framework can evolve to meet current needs and continually improve.

To make sure your organisation is capable of evolving with the NIST Cybersecurity Framework, consider how to build the best cyber security tech stack for your business, so that the technology you rely on can keep pace as the Cybersecurity Framework changes.

Using Bitwarden for a stronger cyber security posture

It should go without saying that security has become one of the single most important areas of focus for organisations. Without robust cyber security risk management practices, companies could fall victim to any number of threats in the wild. With the help of the NIST Cybersecurity Framework, along with careful planning and communication, your organisation's security could vastly improve. Approach the NIST Cybersecurity Framework thoroughly, follow the seven steps, and always be ready to update and evolve so your organisation will be better protected from cyber security risks.

Ready to get started today? Consider adopting a password management solution to start your organisation off on the right foot. Check out Bitwarden Business plans, contact sales, and compare plan prices.
