You may have heard of the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) in the news recently, as more and more public organizations incorporate the framework into their security strategy. The most prominent adopter is the United States federal government: in May 2017 an executive order signed by President Trump directed every executive branch agency, the Department of Homeland Security (DHS) included, to manage its cybersecurity risk using the framework.
What is NIST CSF?
The National Institute of Standards and Technology (NIST) has developed a voluntary framework for organizing cybersecurity risk management. NIST describes the motivation for NIST CSF (NIST Cybersecurity Framework) as follows: “the need for cybersecurity standards and best practices that address interoperability, usability and privacy, [which] continues to be critical for the nation. NIST’s cybersecurity programs seek to enable greater development and application of practical, innovative security technologies and methodologies that enhance the country’s ability to address current and future computer and information security challenges”.
NIST CSF allows an organization to:
- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
- Assess progress toward the target state
- Communicate among internal and external stakeholders about cybersecurity risk
What are the framework components?
- The Framework Core - a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core is organized into Functions, Categories, Subcategories and Informative References (pointers to existing standards such as ISO/IEC 27001 and NIST SP 800-53), which gives executives and operations staff a shared vocabulary for discussing cybersecurity activities and outcomes. It consists of 5 Functions: Identify, Protect, Detect, Respond, Recover. Taken together, these Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk.
- Framework Implementation Tiers - describe how rigorously an organization's risk management practices exhibit the characteristics defined in the framework. There are 4 Tiers: Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable and Tier 4 Adaptive. The Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. NIST stresses that Tiers are not maturity levels; moving to a higher Tier is encouraged only where doing so would reduce cybersecurity risk and be cost-effective. When selecting a Tier, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.
- Framework Profile - the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. An organization builds a Current Profile (the outcomes it achieves today) and a Target Profile (the outcomes it needs, given its risk tolerance); comparing the two reveals the gaps that keep it from its desired cybersecurity posture. The Target Profile is then used to prioritize the specific measures and changes required to close those gaps, alongside other determinants (e.g. cost, innovation, mission drivers). Profiles can be used to conduct self-assessments and to communicate within an organization or between organizations, for instance with a supplier or partner.
What are the 5 Functions of the Core?
The following Functions and their definitions are taken from the NIST CSF 1.0 guide.
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
The Identify Function sets the foundation of the framework. It requires the organization to understand its business context, the resources that support critical functions, and the related cybersecurity risks, so that cybersecurity is incorporated in all facets of the organization. This covers internal factors (e.g. human resources, missions, goals) and external factors (e.g. governmental implications, stakeholders, legal obligations). The Function includes the following Categories: Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. It sets out the outcomes organizations should achieve when developing policies and processes for systems and personnel, so that an event is avoided or its impact minimized. Its Categories are: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
The Detect Function requires that systems be set up to discover anomalous activity and raise alerts in a timely manner. The framework does not define what counts as an anomaly for a given organization; instead it expects the organization to establish and maintain a baseline of normal network operations and expected data flows, and to judge events against that baseline. It does list what should be monitored: the network, the physical environment, personnel activity, external service provider activity, and unauthorized personnel, connections, devices and software, along with regular vulnerability scans. Its Categories are: Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
The Respond Function equips the organization with a plan for handling an incident, including roles for personnel, coordination and communication with internal and external stakeholders, analysis of the event, containment of its effects, and lessons learned. Its Categories are: Response Planning, Communications, Analysis, Mitigation, and Improvements.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Once the response plan has been executed, recovery is critical. The Recover Function requires organizations to maintain recovery plans, to update those plans and strategies based on lessons learned, and to coordinate restoration activities and communications with internal and external parties. Its Categories are: Recovery Planning, Improvements, and Communications.