
NIST Cybersecurity Framework: The smart person's guide

President Trump's cybersecurity order made the National Institute of Standards and Technology's framework federal policy. Here's what you need to know about the NIST's Cybersecurity Framework.


The tech world has a problem: security fragmentation. There's no standard set of rules, or even a shared vocabulary, for addressing hackers, ransomware, and stolen data, and the threat only continues to grow.

President Obama recognized the threat in 2013, which led to his cybersecurity executive order that attempts to standardize practices. President Trump's recent cybersecurity executive order went one step further and made the framework created by Obama's order into federal government policy.

The framework isn't just for government use, though: It can be adapted to businesses of any size.

TechRepublic's smart person's guide to the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) is a quick introduction to this government-recommended best practice, as well as a "living" guide that will be updated periodically to reflect changes to the NIST's documentation.


Executive summary

  • What is the NIST Cybersecurity Framework? The NIST CSF is a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level. NIST wrote the CSF at the behest of President Obama in 2014.
  • Why does the NIST Cybersecurity Framework matter? As cyberattacks become more complex, repelling them becomes more difficult, especially without a single cohesive strategy. The CSF aims to standardize practices to ensure uniform protection of all US cyber assets.
  • Who does the NIST Cybersecurity Framework affect? The CSF affects anyone who makes decisions about cybersecurity in their organization, and those responsible for implementing new IT policies.
  • When is the NIST Cybersecurity Framework happening? President Obama called for the creation of the CSF in an executive order issued in 2013, and NIST released the guidelines a year later. President Trump's recent cybersecurity executive order further calls for the government to implement NIST CSF standards.
  • How can I implement the NIST Cybersecurity Framework? NIST has thorough documentation of the CSF on its website, along with links to FAQs, industry resources, and other information necessary to ease enterprise transition into a CSF world.


What is the NIST Cybersecurity Framework?

President Obama signed Executive Order 13636 in 2013, titled Improving Critical Infrastructure Cybersecurity, which set the stage for the NIST Cybersecurity Framework. The CSF's goal is to create a common language, set of standards, and easily executable series of goals for improving cybersecurity.

The CSF standards are completely optional: there's no penalty for organizations that don't wish to follow them. That doesn't mean it isn't an ideal jumping-off point, though. It was designed for scalability and gradual implementation, so a business of any size can benefit.

The framework itself is divided into three components: core, implementation tiers, and profiles.

Framework core

The core is "a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes." It is further broken down into four elements: functions, categories, subcategories, and informative references.

  • Functions: There are five functions used to organize cybersecurity efforts at the most basic level: identify, protect, detect, respond, and recover. Together these five functions form a top-level approach to securing systems and responding to threats--think of them as your basic incident management tasks.
  • Categories: Each function contains categories used to identify specific tasks or challenges within it. For example, the protect function could include access control, regular software updates, and anti-malware programs.
  • Subcategories: These are further divisions of categories with specific objectives. The regular software updates category could be divided into tasks like making sure wake on LAN is active, that Windows updates are configured properly, and manually updating machines that are missed.
  • Informative references: Documentation, steps for execution, standards, and other guidelines would fall into this category. A prime example in the manual Windows update category would be a document outlining steps to manually update Windows PCs.

Implementation tiers

There are four implementation tiers, and while the CSF documents don't treat them as maturity levels, the higher tiers represent a more complete implementation of CSF standards.

  • Tier 1: Called partial implementation, organizations at Tier 1 have an ad-hoc and reactive cybersecurity posture. They have little awareness of organizational risk, and whatever plans exist are applied inconsistently.
  • Tier 2: Risk-informed organizations may be approving cybersecurity measures, but implementation is still piecemeal. They are aware of risks, have plans, and have the proper resources to protect themselves, but haven't quite reached a proactive point.
  • Tier 3: The third tier is called repeatable, meaning that an organization has implemented CSF standards company-wide and is able to respond to crises consistently. Policy is applied uniformly, and employees are informed of risks.
  • Tier 4: Called adaptive, this tier indicates total adoption of the CSF. Adaptive organizations aren't just prepared to respond to threats: they proactively detect threats and predict issues based on current trends and their IT architecture.

Profiles

Profiles are both outlines of an organization's current cybersecurity status and roadmaps toward CSF goals. NIST said that keeping multiple profiles, a current profile and a goal profile, can help an organization find weak spots in its cybersecurity implementation and make moving from lower to higher tiers easier.

Profiles also help connect the functions, categories, and subcategories to the business requirements, risk tolerance, and resources of the larger organization they serve. Think of profiles as an executive summary of everything done with the previous three elements of the CSF.
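To make the core, tiers, and profiles concrete, here is an added example (not from the article or from NIST) that models a small slice of the core using the article's own "protect" examples and computes the gap between a current profile and a goal profile. The subcategory identifiers, outcomes, and tier assignments are constructed for illustration and are not NIST's catalogue.

```python
from dataclasses import dataclass

# The five functions and four tiers exactly as the article describes them.
FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")
TIERS = {1: "partial", 2: "risk informed", 3: "repeatable", 4: "adaptive"}


@dataclass(frozen=True)
class Subcategory:
    """One outcome in the core: function -> category -> subcategory,
    plus the informative references that explain how to achieve it."""
    sid: str            # constructed identifier, not a real NIST subcategory ID
    function: str
    category: str
    outcome: str
    references: tuple = ()

    def __post_init__(self):
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown CSF function: {self.function}")


# Constructed core slice built from the article's own "protect" examples.
CORE = (
    Subcategory("P-ACC-1", "protect", "access control",
                "Accounts are granted and revoked through a documented process"),
    Subcategory("P-UPD-1", "protect", "regular software updates",
                "Windows Update is configured on every managed PC"),
    Subcategory("P-UPD-2", "protect", "regular software updates",
                "Machines missed by automatic updates are patched by hand",
                ("internal: manual Windows update procedure",)),
    Subcategory("P-MAL-1", "protect", "anti-malware",
                "Anti-malware is installed and reporting on every endpoint"),
)


def profile_gap(core, current, target):
    """Compare a current profile with a goal profile (sid -> tier 1..4).
    Returns (sid, current_tier, target_tier) for each subcategory below
    its goal, largest gap first; a missing current entry counts as Tier 1."""
    for prof in (current, target):
        bad = [t for t in prof.values() if t not in TIERS]
        if bad:
            raise ValueError(f"tiers must be 1..4, got {bad}")
    gaps = [(s.sid, current.get(s.sid, 1), target[s.sid])
            for s in core if s.sid in target
            and current.get(s.sid, 1) < target[s.sid]]
    return sorted(gaps, key=lambda g: g[2] - g[1], reverse=True)


# Constructed profiles: where the organization is, and where it wants to be.
CURRENT_PROFILE = {"P-ACC-1": 2, "P-UPD-1": 3, "P-UPD-2": 1}
TARGET_PROFILE = {"P-ACC-1": 4, "P-UPD-1": 3, "P-UPD-2": 3, "P-MAL-1": 2}
```

Running `profile_gap(CORE, CURRENT_PROFILE, TARGET_PROFILE)` lists the three subcategories that fall short of the goal profile, with the two-tier gaps (access control and manual patching) ahead of the one-tier anti-malware gap.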


Why does the NIST Cybersecurity Framework matter?

The cybersecurity world has a problem: It's incredibly fragmented despite its ever-growing importance to daily business operations. Organizations fail to share information, IT professionals and C-level executives sidestep their own policies, and everyone seems to be speaking their own cybersecurity language.

NIST's goal in creating the CSF is to help eliminate the fragmented cybersecurity landscape we find ourselves in, and it couldn't matter more at this point in the history of the digital world.

Cybersecurity threats continue to increase, the latest disasters seem to come out of nowhere, and the reason we're constantly caught off guard is simple: There's no cohesive framework tying the cybersecurity world together.


Who does the NIST Cybersecurity Framework affect?

The CSF affects literally everyone who touches a computer for business. IT teams and CXOs are responsible for implementing it; regular employees are responsible for following their organization's security standards; and business leaders are responsible for empowering their security teams to get the job done.

The degree to which the CSF will affect the average person won't lessen with time either, at least not until it sees widespread implementation and becomes the new standard in cybersecurity planning.

If it seems like a headache, it's best to confront it now: Ignoring the NIST's recommendations will only lead to liability down the road that could easily have been avoided. Embrace the growing pains as a positive step in the future of your organization.


When is the NIST Cybersecurity Framework happening?

President Obama instructed the NIST to develop the CSF in 2013, and the CSF has been around since 2014. President Trump's cybersecurity executive order, signed on May 11, 2017, formalized the CSF as the standard to which all government IT is held and gave agency heads 90 days to prepare implementation plans.

Private sector organizations still have the option to implement the CSF: the government hasn't made it a requirement for anyone operating outside the federal government.


How can I implement the NIST Cybersecurity Framework?

The NIST's Framework website is full of resources to help IT decision makers begin the implementation process. It contains the full text of the framework, FAQs, a reference tool, and even videos of cybersecurity professionals talking about how the CSF has affected them.

Of particular interest to IT decision makers and security professionals is the industry resources page, where you'll find case studies, implementation guidelines, and documents from various government and non-governmental organizations detailing how they've implemented or incorporated the CSF into their structure.

There's no better time than now to implement the CSF: It's still relatively new, and it could position you as a leader in forward-looking cybersecurity practices.
