The NIST Cybersecurity Framework (CSF) from the National Institute of Standards and Technology (NIST) combines cybersecurity best practices, recommendations, and industry standards into a cohesive and understandable form.
What Is the NIST CSF Designed to Accomplish?
The NIST CSF draws on existing cybersecurity standards, guidelines, and practices to give organizations a structure for managing and reducing cybersecurity risk. One deliberate design goal is a common vocabulary for risk: the same Functions, Categories, and Subcategories can be used to communicate about risk within an organization (from the server room to the boardroom) and between organizations that work together, such as a company and its suppliers.
Use of the framework is voluntary for most organizations. However, Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 2017), made its use mandatory for federal government agencies.
While voluntary for non-federal organizations, adopting the CSF as the guiding framework for a cybersecurity strategy has clear benefits. Its Core is written in plain language, it supports self-assessment against each Subcategory so the highest risks surface first, and it is meant to be tailored to each organization's mission, risk tolerance, and resources rather than applied as a one-size-fits-all checklist. Adopting the CSF provides a framework to:
- Identify the organization's current cybersecurity risks, including those inherited from suppliers and partners
- Prioritize those risks so the most critical ones are addressed first
- Plan mitigations for the remaining risks over time
- Evaluate tools and processes that can enhance cybersecurity
- Weigh the cost of cybersecurity spending against the risk it reduces
- Communicate clearly about risk with stakeholders inside and outside the organization
Components of the NIST CSF
The CSF comprises three top-level components: the Framework Core, Implementation Tiers, and Profiles.
Core - the Framework Core lays out the cybersecurity outcomes an organization should be achieving, in non-technical language, across five Functions. In CSF version 1.1, which this article describes, the five Functions subdivide into 23 Categories and 108 Subcategories, with each Subcategory mapped to informative references such as ISO/IEC 27001, NIST SP 800-53, and the CIS Controls. (CSF 2.0, published by NIST in February 2024, adds a sixth Function, Govern, and reorganizes the Categories; the structure below is the 1.1 layout.) The Functions and the Categories in each are summarized below; full details are available on the NIST CSF site:
Identify - develop an understanding of the assets, people, data, and systems that need protecting and of the organization's business context, including its interactions with suppliers and other external partners. The Identify Function has six Categories: Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM), and Supply Chain Risk Management (ID.SC). Each Category has several Subcategories, detailed in the NIST CSF Core documentation.
Protect - develop and deploy safeguards that limit or contain the impact of a cybersecurity event on critical assets and services. The Protect Function has six Categories: Identity Management, Authentication and Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP), Maintenance (PR.MA), and Protective Technology (PR.PT).
Detect - develop and run the activities that identify a cybersecurity event in a timely manner so it can be acted on. The Detect Function has three Categories: Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), and Detection Processes (DE.DP).
Respond - the actions to take once a cybersecurity incident has been detected, to contain its impact. The Respond Function has five Categories: Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), and Improvements (RS.IM).
Recover - once an incident has been detected and responded to, restore any capabilities or services that were impaired and return operations to normal, while planning for resilience against the next event. The Recover Function has three Categories: Recovery Planning (RC.RP), Improvements (RC.IM), and Communications (RC.CO).
Implementation Tiers - the CSF defines four Implementation Tiers that describe how rigorously an organization's cybersecurity risk management practices exhibit the characteristics in the Framework, from ad hoc (Tier 1) to continuously adaptive (Tier 4). The Tiers are not maturity levels and do not describe how much risk an organization carries; they describe how the organization views and manages that risk. Selecting a Tier should take into account current risk management practices, the threat environment, legal and regulatory requirements, business objectives, and organizational constraints such as budget and acceptable risk.
Each organization should decide which of the four Tiers is appropriate for it. Making that decision well requires experience in cybersecurity risk analysis and protection measures. Critical Insight can help; see the final section of this article for more on our services.
The four implementation tiers are:
Tier 1: Partial - applies to organizations that deal with cybersecurity incidents and risk on an ad hoc, reactive basis. They have no systematic, proactive measures in place and operate in reaction mode when events occur. Documented processes and procedures for reducing risk are largely non-existent, awareness of cybersecurity risk at the organizational level is limited, and there is little understanding of the risk posed by the external organizations they interact with.
Tier 2: Risk Informed - leadership is aware of significant threats such as ransomware, other malware, and cyberattacks in general, and management approves risk management practices, but those practices are not established as organization-wide policy. Organizations at Tier 2 typically have partial or siloed protection measures aimed at specific threats, without a unified approach to cybersecurity risk management. Strong governance policies and procedures are not yet in place.
Tier 3: Repeatable - organizations at Tier 3 have formally approved policies and well-documented, repeatable procedures, and they update their protection measures and policies as new threats emerge and business needs change. They respond promptly to incidents and manage risk both internally and across their supply chain. In practice, Tier 3 is the level we recommend organizations treat as their baseline target, though NIST itself prescribes no minimum Tier and recommends moving up a Tier only when a cost-benefit analysis shows a feasible, cost-effective reduction in risk.
Tier 4: Adaptive - organizations at Tier 4 continuously improve their practices based on lessons learned and predictive indicators, treat cybersecurity risk management as part of organizational culture, and share and act on threat information in near real time. Overarching capabilities such as 24x7 SOC monitoring, SIEM, and MDR support this level of adaptive analysis, protection, response, and recovery, but the Tier is defined by how the organization uses them, not by owning the tools. Regulators in some critical infrastructure sectors may expect organizations to operate at this level, and insurers and business partners increasingly encourage public and private sector organizations to adopt Tier 4 practices.
Profiles - a Profile is a snapshot of an organization's cybersecurity posture, expressed as its alignment with the Functions, Categories, and Subcategories of the Core. A Current Profile records the outcomes the organization achieves today; a Target Profile records the outcomes it wants to achieve after implementing the Core items it has selected. Each Profile reflects the organization's business requirements, risk tolerance, and resources in its particular implementation scenario.
Profiles are used to identify improvement opportunities: comparing the Current Profile with the Target Profile yields a gap list that can be prioritized, costed, and turned into a roadmap for improving protection and risk management. Profiles are not rigid documents but ongoing planning tools that help stakeholders identify risk, build and cost a plan to improve cybersecurity, and state the target posture. They should be revisited and updated as goals are delivered and the threat landscape changes.
Critical Insight Services
The cybersecurity services that Critical Insight offers enable organizations to improve their security posture and align closely with the CSF recommendations. The Defense Services Wheel infographic below highlights the services we provide.
Our team can work with your organization to identify your current cybersecurity posture, make recommendations, help you create a plan to improve and move up the CSF Tiers, and deliver cybersecurity advice, monitoring, and response services at the level you need.